Principles of Processing Data in GDPR

18/04/2018

1. Principles of Processing Personal Data in GDPR

The entire General Data Protection Regulation (GDPR) revolves around the protection of personal data: how personal data may be used, under which conditions, and so forth. This page goes over what 'processing' covers in the GDPR.

Within the GDPR, Article 5 sets out the principles of personal data processing. Each principle is listed below with a short paraphrase of its requirement.

  • 'lawfulness, fairness and transparency': processed lawfully, fairly and in a transparent manner
  • 'purpose limitation': collected for specified, explicit and legitimate purposes
  • 'data minimization': adequate, relevant and limited to what is necessary
  • 'accuracy': accurate and, where necessary, kept up to date
  • 'storage limitation': kept in a form which permits identification of Data Subjects for no longer than is necessary for the purpose
  • 'integrity and confidentiality': processed in a manner that ensures appropriate security
  • 'accountability': the controller shall be responsible

2. Lawfulness of processing in GDPR

As stated in Article 6 of the GDPR, processing shall be lawful only if and to the extent that at least one of the following applies:

  • The Data Subject has given consent
  • Processing is necessary for the performance of a contract or in order to take steps upon request of the Data Subject prior to entering into a contract
  • Processing is necessary for compliance with a legal obligation
  • Processing is necessary in order to protect the vital interests
  • Processing is necessary for the performance of a task carried out in the public interest
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller.

Comment: Processing which does not require identification

“If the purposes for which a controller processes Personal Data do not or do no longer require the identification of a Data Subject by the controller, the controller shall not be obliged to … comply with this Regulation.”

In other words, if Personal Data is not (or no longer) linked to an individual (Data Subject), the GDPR does not apply.
Anonymisation and aggregation are two techniques for breaking the link between a Data Subject and Personal Data. Note that pseudonymised data, where the Data Subject can still be re-identified with the help of additional information, remains Personal Data under the GDPR.


3. Domains and processes in GDPR

The most important domains within GDPR to evaluate and review are:

  • HR: payroll, employee management, recruitment
  • Marketing & Sales: newsletter, info requests on the website, contact info & comments of prospects
  • Customer Services: contact info and comments of customers, work planning and timesheets
  • Administration, Finance & IT: customer contact info, customer payment history, network logs
  • Cloud Services: customer contact info, user contact info, user usage info, network logs
  • Scientific Research: test data, test profile data
  • ...

4. Nature of processing in GDPR

Different types of Personal Data processing can be distinguished in GDPR:

  • Collection
  • Recording
  • Structuring
  • Modification
  • Storage
  • Retrieval
  • Consultation
  • Disclosure by transfer
  • Dissemination
  • Interconnection
  • Comparison
  • Restriction
  • Erasure
  • Destruction
  • Communication
  • ...

5. Purpose of processing in GDPR

Personal Data processing in GDPR can have different purposes:

  • Payroll (ensuring that wages are calculated and paid correctly)
  • Reimbursement of costs
  • Recruitment and selection
  • Staff administration
  • Management of personnel and intermediaries (performance appraisals, follow-up, training and career)
  • Work planning
  • Time registration
  • Insurances
  • Pension plan
  • Education
  • Employee monitoring
  • Site security
  • Access control
  • Video surveillance
  • Occupational risk prevention
  • Profiling
  • Automated decision-making
  • Client accounting
  • Fiscal and administrative management
  • Provision of financial solvency and creditworthiness services
  • Economic-financial services
  • Direct marketing
  • E-commerce
  • Advertising and commercial research
  • Electronic communication services
  • Provision of electronic certification services
  • Cultural, sports and social activities management
  • Statistical, historical or scientific purposes
  • Dispute management
  • IT services (e.g., PaaS, SaaS, IaaS) (e.g. hosting of a website, off-line data processing, cloud services, or similar)
  • Compliance with local legislation (e.g. fraud detection,...)
  • ...
