toggle accessibility mode
personal data processing

Personal Data Processing Under the GDPR

By John DiGiacomo

In May 2018, the European Union’s General Data Protection Regulation (GDPR) went into effect. To read the regulation in its entirety, visit click here. The GDPR standardized personal data protection requirements across the 28 EU countries. Although the regulation is broad, advocates for GDPR applaud its consumer-friendly approach to personal data collection and storage.

What are the Governing Principles of GDPR?

GDPR provides a number of general principles relating to processing personal data, namely that it should be:

  • Collected and processed lawfully, fairly, and in a transparent manner;
  • Collected for a specific and legitimate purpose, as well as limited to what is necessary for the collection purpose
  • Kept only as long as necessary for the initial purpose;
  • Processed securely and protected against unlawful processing.

What are Personal Data and Personal Data Processing?

Article 4 of GDPR defines personal data as any information relating to an identified or identifiable natural person, who can be identified by reference to identifiers such as a name, ID number, location data, an online ID, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Examples of personal data include:

  • Real names and online usernames;
  • Mailing, work, email, and IP addresses;
  • Photographs; and
  • Genetic and biometric data, including DNA

Article 9 prohibits the processing of data regarding racial or ethnic origin, political opinions, religious beliefs, or trade union membership except in certain specific situations and provides further limitations related to the use of genetic, biometric, and general health data.

Personal data processing refers to personal data that is collected, recorded, organized, structured, stored, adapted or altered, retrieved, consulted, used, disclosed by transmission, disseminated or otherwise made available, aligned or combined, restricted, or erased or destroyed. GDPR applies to processing of personal data through automated, partially automated, as well as non-automated means if it is part of a structured filing system.

Examples of personal data processing include:

  • Staff management and payroll administration;
  • Sending promotional emails to an email listserv;
  • Shredding documents containing medical records or bank records; and
  • Posting a picture of someone online.

The business or person who determines the means and purposes of personal data processing is known as the controller of the data. The controller is responsible for adhering to the GDPR and can be penalized for failing to meet the regulation’s requirements.

What are GDPR’s Requirements for Personal Data Processing?

The GDPR permits processing personal data when a user consents to the processing, or when it is necessary to process data.

Consent to Process Personal Data

In order for an individual to consent to a controller processing personal data, the controller must fully inform them about what they are consenting to. Best practices to obtain consent include making the request prominent and separate from terms and conditions of a site.

Consent must also be positively given – users must have an opportunity to affirmatively agree that the controller may process their data. Users must be able to revoke consent in the future, and consent should not be a precondition of the controller providing a service to the user.

People who are 16 years old or older are capable of consenting on their own. Children under 16 must have a parent or guardian consent on their behalf.

Necessary Personal Data Processing

GDPR also list five times when it is necessary for controllers to process data without explicit consent:

  • Contracts: If a controller has a contractual obligation to the data subject, and data processing is necessary to complete contractual obligations, the controller may process the data. Additionally, the controller may process data if doing so is a necessary prerequisite for entering into a contract.
  • Controller’s legal obligation: If the controller has an obligation to report data to a regulatory body, or is under a court order to provide information, they are under a legal obligation to provide it, regardless of consent.
  • Vital interests: If personal data disclosure is required to save someone’s life, the controller is obligated to do so. This situation will almost always involve health data.
  • Public task: This category of necessary processing relates to tasks carried out by an official government agency, on behalf of an official agency, or a task that is carried out in the public interest. This will often relate to government agencies, but government contractors or private water companies may also operate under this umbrella.
  • Legitimate interests pursued by the controller: This category is very broad. It requires the controller to pursue a legitimate interest, that the processing be necessary for the purpose, and that the controller’s legitimate interest does not outweigh the individual’s fundamental rights or freedoms.

Praise and Criticism for GDPR’s Data Processing Requirements

GDPR has drawn praise from tech leaders, including Apple CEO Tim Cook, who recently expressed support for a similar regulation in the US. Cook listed four areas of the GDPR he believed should be legislated in America:

  • The right to have personal data collection be minimized (Article 5(1)(c));
  • The right for users to know what data is collected on them (Article 15);
  • The right to access that data (Article 13); and
  • The right for data to be kept securely (Article 5(1)(f).

Critics of the regulation believe that it can be too burdensome for businesses to comply with or that limitations will stymie growth of artificial intelligence systems, which rely on individuals’ personal data to grow. Others argue that large companies like Facebook and Google who currently offer free services in exchange for the ability to collect and utilize user data may limit free options due to new limitations on data processing.

What are the Penalties for Failure to Comply With GDPR?

Failure to comply with GDPR’s data processing requirements can lead to a number of different penalties, including warnings, bans on data processing, audits, orders to restrict or delete data, and monetary fines up to €20 million or 4% of a company’s worldwide net sales. You should take compliance with GDPR very seriously.

Our internet privacy attorneys have significant experience helping our clients stay compliant with data privacy and protection laws. If you have questions regarding compliance with GDPR, contact Revision Legal’s internet lawyers with the contact form on this page, or call us at 855-473-8474.


Put Revision Legal on your side