This thesis offers a focused and timely examination of how the GDPR’s principle of purpose limitation applies to the rapidly evolving world of connected cars. It investigates how personal data collected for specific vehicle functions is often repurposed in ways that may not align with legal or user expectations. By combining doctrinal legal analysis with regulatory guidance, the study identifies both compliance challenges and practical solutions. Key issues such as vague purpose specification, function creep, and opaque third-party data sharing are addressed. The thesis provides actionable recommendations for industry stakeholders to ensure GDPR compliance obligations through clearer purpose definition and privacy-by-design strategies. Overall, it contributes meaningfully to the legal discourse on data protection in intelligent transportation systems.