Glossary

Purpose Limitation

Purpose limitation is one of the data processing principles under GDPR Article 5(1)(b). It states that personal data may only be collected for specified, explicit, and legitimate purposes and must not be further processed in a manner incompatible with those purposes. In an ISMS, purpose limitation is relevant because many security measures (logging, monitoring) generate personal data. This data may only be used for its documented security purpose. The records of processing activities document the purpose of each processing operation.