The second principle of the GDPR, requiring organisations to only process personal data for the specific purpose for which it was collected.