Processing of personal data

Personal data processing means: anything that an organisation can do with personal data, from collecting to destroying. Processing is therefore a very broad concept.

Processing according to the GDPR

According to the General Data Protection Regulation (GDPR), the privacy law, the following acts count as personal data processing in any case: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, and destruction.

Examples of processing

Examples of personal data processing are:

  • posting a photo of someone on a website;
  • storing images from security cameras;
  • collecting email addresses for sending a newsletter;
  • an association keeping membership records;
  • collecting IP or MAC addresses;
  • retrieving a named file of a person;
  • erasing (personnel) files after the retention period has expired;
  • consulting a file containing (special categories of) personal data;
  • removing an electronic medical file.

No personal data processing

Providing information is not always processing. Does an organisation, for example, request general information from another organisation, without the first organisation mentioning any personal data in the process? And does the other organisation not provide personal data either? Then it does not have to concern processing. And the GDPR does not apply.

Controller, processor, data subject

Several parties may be involved in the processing of personal data. Firstly, the organisation that processes the personal data. This party is called the 'controller' in the GDPR. Or the 'processor', if the organisation processes data for a client. The person whose data are processed by the organisation is called the 'data subject'. This is therefore the person whom the data are about.

Controller

The controller is an organisation or a person that determines the purpose of and the means for the use of personal data. The controller can do this alone or together with others. It means that the controller ultimately decides whether an organisation processes personal data, and if so:

  • which processing it concerns;
  • which personal data are processed by the organisation in the process;
  • for which purpose the organisation does this;
  • in which manner the organisation does this.

Processor

Organisations often engage other organisations to process personal data for them. For example, by outsourcing the accounts. Or by using a cloud service that stores personal data. Such an organisation acts under the responsibility of the client and is then called a processor. For more information, see: Roles of controller and processor.

Processing on a large scale

In the GDPR, the term 'large scale' can be found. Large-scale processing operations may come with certain obligations. 

Those obligations apply if you:

  • Track individuals on a large scale. And this is a core activity of your organisation. OR:
  • Process special categories of personal data of individuals on a large scale. And this is a core activity of your organisation.

In both situations, you are obliged to appoint a Data Protection Officer (DPO) and carry out a data protection impact assessment (DPIA).

But how do you know if you are processing data on a large scale? The GDPR does not contain an exact explanation of the concept ‘large scale’. There are, however, criteria and examples that can help you, as an organisation, get started if you want to find out whether or not you are processing data on a large scale. 

Criteria for processing data on a large scale

Do you want to determine if, according to the law, your organisation is processing (special categories of) personal data on a large scale? Then take a look at these criteria:

  • the number of data subjects;
  • the amount of data that you process;
  • the duration of the data processing;
  • the geographic scope of the processing.

Examples of processing on a large scale

These are some examples of processing operations that are regarded by the European data protection authorities as data processing on a large scale: 

  • A hospital that processes patient data as part of the usual activities.
  • A transport company that processes travel information of people who travel by public transport in a specific city. For example: by tracking them through travel tickets.
  • A processor that specialises in market research and, on the instructions of an international fast food chain, processes the current location data of customers for statistical purposes.
  • An insurance company or a bank that processes customer data as part of the usual activities.
  • A search engine that processes personal data for displaying advertisements based on surfing behaviour.
  • A telephone or Internet provider that processes data about the telephone and/or Internet behaviour of customers. Such as contents, traffic, and location.

Example of processing that is not large scale

The data protection authorities do not regard processing operations of special categories of personal data by individual physicians or lawyers ('one-man bands') as large scale.