What Activities Count as Processing Under the GDPR?

by Jennifer L. Legal writer.
What Activities Count as Processing Under the GDPR?

If you collect, store, share, or transmit someone's personal data in any way, chances are you're "processing" it under the EU's General Data Protection Regulation (GDPR). This is significant because all processing activities fall under the GDPR's scope.

In other words, if you process any personal data at all, even if it's just one or two pieces of information, you're bound to comply with the regulation.

Simply put, since many businesses collect even small amounts of personal data from EU residents, it's best to assume you should comply with the GDPR. So, let's check out how the rules apply to you by looking at examples of GDPR processing activities.


Personal Data

Before we move on to look at some examples of personal data processing, let's be absolutely clear on what personal data actually is.

Personal data is any information, from names to IP addresses, that you can use to identify an individual living person. You can see more examples of personal data in Article 4(1) of the GDPR, but this is certainly not an exhaustive list:

EUR-Lex GDPR: Article 4 Definitions - Personal Data

Here's a good rule of thumb: if you think it's personal data, assume that it is and safeguard it properly. That way, you're always complying with the regulation.

Now we've clarified what information we're talking about, let's take a closer look at "processing" under the GDPR.

How the GDPR Defines Processing

To put it simply, "processing" is pretty much anything you can do with someone's personal data.

You'll see what we mean if you look at Article 4(2), where there's a long list of activities that count as data processing.

The use of the phrase "such as" means that, again, this isn't an exhaustive list of possible processing activities. They're all just examples to help you understand what might be construed as processing.

What's more, automated processing is included. So, activities like profiling fall under the GDPR's scope:

EUR-Lex GDPR: Article 4 Definitions - Processing

And from Article 4(5), it's clear that processing also includes pseudonymisation. So even if you can't identify someone from the data anymore, you still need to process the data to make this possible:

EUR-Lex GDPR: Article 4 Definitions - Pseudonymisation

Before we look at processing activities in more detail, let's be clear on the principles you must follow if you plan on collecting personal data at all.

The GDPR Principles

The GDPR sets out its principles for personal data collection in Article 5. In summary, you must:

  • Always process data fairly, lawfully and transparently
  • Only collect personal data for a set purpose
  • Make sure you only collect as much personal information from someone as you actually need
  • Make it easy for someone to correct the data you hold on them
  • Delete data once you don't need it anymore
  • Keep the data confidential and secure at all times
  • Take responsibility for your company's personal data handling processes

So if you plan on engaging in any data processing activities under the GDPR, you must only do so in line with these principles.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
  3. PrivacyPolicies.com: Privacy Policy Generator - Select platforms - Step 1

  4. Add information about your business: your website and/or app.
  5. PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  6. Select the country:
  7. PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  8. Answer the questions from our wizard relating to what type of information you collect from your users.
  9. PrivacyPolicies.com: Privacy Policy Generator - Answer questions from our wizard - Step 3

  10. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

    PrivacyPolicies.com: Privacy Policy Generator - Enter your email address - Step 4

    And you're done! Now you can copy or link to your hosted Privacy Policy.

To help you understand how this all works and how it relates to your business, let's work through the various types of processing activities, starting with data collection.

Data Collection

Data collection means exactly what you think it means: gathering personal data. There are two ways you can do this:

  • Collecting it from the individual (or "data subject," as they're called under the GDPR)
  • Obtaining it from a third party i.e. a retailer, financial institution or marketing company

Here are some examples to make this more clear:

  • A customer inputs their credit card details into your system to complete a purchase
  • Someone gives you their email address to enter a competition, or join a mailing list
  • A marketing company shares analytics data with you

So, how do you ensure you're collecting personal data in line with the Article 5 principles? You must do two things: get permission before you collect the data, and ensure you're only collecting as much as you need.

Let's break this down.

Declaration of Data Collection

Publish a Privacy Policy on your website so people know:

  • You collect data
  • Why you need it
  • How you plan on using it

Remember, it's all about transparency. If you're collecting data, you need to tell people about it first. So, before you collect data, draw someone's attention to this Policy.

For example, if someone wants to sign up for a MyProtein account, they're expected to read the Privacy Policy first:

MyProtein Create Account form with Privacy Policy link highlighted

Data Minimisation

This is pretty simple. Don't collect more data than you need to fulfill a set purpose. For example, you don't need someone's Social Security Number to sell them clothes online.

Here are some tips to keep in mind:

  • If you use cookies to collect computer-based data like IP addresses, make sure you declare this before you collect this data.
  • Ask yourself if you really need a piece of data. If the answer is no, don't collect it.

Personal Data Recording

The "recording" activity is, admittedly, a little confusing. There's no clear guidance on what the GDPR means by "recording," which means it's interpreted pretty broadly. Here are some examples of what "recording" seems to mean under the GDPR:

  • Recording minutes from a meeting with a client
  • Keeping a record of correspondence with someone e.g. an email chain
  • Recording a telephone call with a customer, even if it's just for monitoring and training purposes

In other words, if you record something that you can use to identify another person, it's personal data, and it's a processing activity under the regulation.

Before we move on, there are two things to note here.

First, Recital 42 of the GDPR states that you need proof of consent if you're relying on consent to process data.

There's no clear guidance on how you record consent, but basically, you should record:

  • The data subject's name or identifier, such as an email address
  • The date and time you obtained consent (a timestamp is best, but other records may suffice)
  • What they consented to i.e. what data capture form they used
  • How they consented e.g. if it's by telephone call, keep a copy of the call script
  • When they withdrew consent, if applicable (again, use a timestamp where possible)

Second, all records must be stored securely, even if it's just confirmation of consent. We'll see how this works below.

Storing Personal Data

Once you've captured personal data and recorded the relevant consent, you need to store it all somewhere. It's crucial that you store it safely to comply with your confidentiality and security obligations under the GDPR.

First, here are some examples of storing someone's personal data:

  • Keeping emails from customers in your inbox or junk mail
  • Recording someone's name and address on a spreadsheet
  • Scanning customer invoices onto your computer, or keeping the paper documents around the office
  • Dictating notes from a meeting with customers, clients or employees

While the GDPR doesn't set out exactly how you should store such data, we can find some suggestions in Article 32. Essentially, you should:

  • Encrypt data: Encryption "scrambles" personal data so that no one can read it without a password or access key, or
  • Use pseudonymisation: This means storing data in such a way that you can't identify anyone from a single piece of information

EUR-Lex GDPR: Article 32 - Security of Processing - Section 1

So, for example, if you want to store consent records, you might encrypt these. You're only obliged to implement security measures that are reasonable for the size and complexity of your business, though.

Finally, it's a good idea to include a short clause on data storage in your Privacy Policy.

Here's an example of such a clause from Disney:

Disney Plus Privacy Policy: Data Security, Integrity and Retention clause

There's no need to include too many details. You only need to highlight that you use safeguards to protect personal data.

Organizing Personal Data

The more personal data you capture and store, the harder it is to keep it all organized. However, "organizing" or "structuring" personal data are processing activities, so it's important you do it properly. The reason is twofold.

First, if someone asks to see their data, you should be able to produce it quickly. This is in line with the data portability principle, and it's talked about a little in Recital 68.

The better organized the data, the easier it is to transmit.

Second, if you're ever audited by a Data Protection Authority (DPA), they'll penalise you for not taking good care of data in your possession. But what does it mean to organize personal data? It's pretty self-explanatory, but here are some examples:

  • File data away somewhere, even if it's on the cloud
  • Create customer records
  • Collate information on a spreadsheet, mailing list or database

It's a good idea to audit your procedures. Make sure you know:

  • Where information comes from e.g. emails, web capture forms
  • What categories of data you process
  • Where you store the data e.g. cloud, servers, hard drives
  • What data leaves your company e.g. if you share it with marketing companies

Depending on the size of your company and the sensitivity of the data you're organizing, it might be best to ask a specialist IT provider for help. This is definitely a good idea if you're in a regulated industry like healthcare or finance, where you're handling really sensitive data on a regular basis.

Personal Data Disclosure

There are two ways you can transmit or disclose personal information under the GDPR:

  • Internal transmission e.g. sharing customer details with another member of staff
  • External transmission e.g. disclosing the data to marketing companies

Both forms of transmission count as processing, and they require slightly different safeguards.

Internal communications

If you're sharing data around the organization, you still need to protect it properly. That's because:

  • Every system is vulnerable to malicious external threats, and
  • You still need to shield data from unauthorized personnel

So, you can secure internal communications by:

  • Encrypting data, such as spreadsheets or invoices, before you send them
  • Using strong passwords
  • Segmenting a secured private network from your wider public network, so there's a safe space to share files

External data sharing

It's common for companies to share data with external service providers like marketing agencies. But before you transmit data outside the company, there's one thing you need: a Data Processing Agreement (DPA).

DPAs regulate the relationship between you (the "data controller") and the third party (the "data processor"). For example, the processor can't do anything with the data that's not specified in the contract, and they must comply with the GDPR at all times.

You shouldn't sign a DPA with any company unless you're satisfied they have safeguards in place to comply with the GDPR.

Amending Personal Data

The personal data you store should be accurate, which means people have the right to amend their information. This is set out in Article 16:

EUR-Lex GDPR: Article 16 - Right to Rectification

It's okay for you to amend data, too. For example, maybe you spot an error in the client's address details and you need to fix it. Just make sure you keep a record of any amendments so you're complying with your recording duties.

Finally, make sure you tell people about the right to amend data. Informing people of their data rights is central to the GDPR, and you must bear this in mind whenever you process any data.

Personal Data Destruction or Erasure

Yes, even destroying or removing data is technically a processing activity. Here's when it might apply:

  • Someone withdraws consent to marketing
  • You don't need the data anymore

It's clearly set out in Article 17, and it's known colloquially as the "right to be forgotten:"

Note that it's not an absolute right, meaning you can keep the data if you need to comply with another legal obligation.

Set up regular reviews of the data you store and delete it if you don't need it anymore.

Remember, Article 5 specifically mentions storage limitation, so scheduled data reviews are an easy way to comply with your requirements.

Conclusion

If there's one thing we know about the GDPR, it's this: it's designed to regulate data processing activities and protect individuals from oversharing their personal data. That's why there's such a broad definition of "processing" in the regulation. It covers virtually everything you can do with personal data, unless you collected it solely for domestic use.

If you process personal data, you must abide by the GDPR's seven principles for data processing. Most importantly, you should act transparently and lawfully at all times, and minimize the data you capture where possible.

Processing activities include:

  • Collecting
  • Recording
  • Storing
  • Organizing
  • Disclosing
  • Amending
  • Erasing

Essentially, if you think it's a processing activity under the GDPR, follow the rules. That way, you don't need to worry about non-compliance.

Last updated on 26 July 2021

Article categories

Jennifer L.

Legal writer.