1. Principles of Processing Personal Data in GDPR
The entire General Data Protection Regulation (GDPR) revolves around the protection of personal data and how that data may be used. This page goes over what 'processing' covers in the GDPR.
Within the GDPR, Article 5 describes the principles of Data processing.
- 'lawfulness, fairness and transparency': processed lawfully, fairly and in a transparent manner
- collected for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary
- accurate and, where necessary, kept up-to-date
- kept in a form which permits identification of Data Subjects for no longer than is necessary for the purpose
- 'integrity and confidentiality': processed in a manner that ensures appropriate security
- 'accountability': the controller shall be responsible
2. Lawfulness of processing in GDPR
As stated in Article 6 of the GDPR, processing shall be lawful only if and to the extent that at least one of the following applies:
- The Data Subject has given consent
- Processing is necessary for the performance of a contract or in order to take steps upon request of the Data Subject prior to entering into a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary in order to protect the vital interests
- Processing is necessary for the performance of a task carried out in the public interest
- Processing is necessary for the purposes of the legitimate interests pursued by the controller.
Comment: Processing which does not require identification
“If the purposes for which a controller processes Personal Data do not or do no longer require the identification of a Data Subject by the controller, the controller shall not be obliged to … comply with this Regulation.”
In other words, if Personal Data is not (or is no longer) linked to an individual (Data Subject), the GDPR does not apply.
Anonymization and aggregation are two techniques for disconnecting Personal Data from the Data Subject.
3. Domains and processes in GDPR
The most important domains within GDPR to evaluate and review are:
Marketing & Sales
Info Requests on website
Contact info & comments of prospects
Contact info and comments of customers
work planning and timesheets
Administration, Finance & IT
Customer contact info
Customer payment history
Customer contact info
User contact info
User usage info
Test profile data
4. Nature of processing in GDPR
Different types of Personal Data processing can be distinguished in GDPR:
- Storage
- Retrieval
- Consultation
- Disclosure by transfer
5. Purpose of processing in GDPR
Personal Data processing in GDPR can have different purposes:
- Payroll (ensuring that wages are calculated and paid correctly)
- Reimbursement of costs
- Recruitment and selection
- Staff administration
- Management of personnel and intermediaries (performance appraisals, follow-up, training and career)
- Work planning
- Time registration
- Pension plan
- Employee monitoring
- Site security
- Access control
- Video surveillance
- Occupational risk prevention
- Automated decision-making
- Client accounting
- Fiscal and administrative management
- Provision of financial solvency and creditworthiness services
- Economic-financial services
- Direct marketing
- Advertising and commercial research
- Electronic communication services
- Provision of electronic certification services
- Cultural, sports and social activities management
- Statistical, historical or scientific purposes
- Dispute management
- IT services (e.g. PaaS, SaaS, IaaS; hosting of a website, off-line data processing, cloud services, or similar)
- Compliance with local legislation (e.g. fraud detection, ...)