But it is you who defines what these limits are. You must also inform the data subjects of what you are doing. This information must be provided in a transparent manner. Transparent does not mean open, since you can hide relevant information by providing too much information. This is normally what happens in legal agreement texts. Under the GDPR, long complicated texts such as those do not constitute transparent information. Instead, transparency means the text must be informative, easy to understand, clear, and concise. It must use plain language, and special consideration must be made if the processing activity involves children. It must be relevant to the audience (the receivers), not the sender, which is typically the case with legal documents.
Once you've defined your boundaries and informed the data subjects, you can commence processing. You are then not allowed to go outside of the boundaries you've set up and informed the data subjects about, without informing the data subjects about that fact. And you are only allowed to perform the new processing activity on data collected after the time you informed the subjects. You are not allowed to execute it on old data retroactively.