Data processing
Data processing within the meaning of the General Data Protection Regulation (GDPR) affects almost every organisation: the Regulation governs the way in which personal data is collected, recorded or otherwise processed. It is therefore essential that companies engage with this topic and are informed about the legal requirements.
What is data processing?
In Article 4(2), the General Data Protection Regulation defines processing as "any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, arrangement, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction".
What are data processing principles under the GDPR?
The principles of data processing are set out in Article 5 GDPR and can be summarised under the following keywords:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Processing as a key term in data protection
The term "(data) processing" should be familiar to everyone since the General Data Protection Regulation entered into force in 2018, if not before. "Processing" is defined in Article 4(2) GDPR and is referred to in many other articles. Processing is so central to data protection that requirements and legal consequences are attached to it.
When is data processing permissible?
Article 6(1) GDPR governs the permissibility, or lawfulness, of data processing by specifying a set of conditions. At least one of the conditions described must be fulfilled for the processing to be lawful.
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- the processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures taken at the data subject's request;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- the processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. (Does not apply to processing carried out by public authorities in the performance of their tasks).
Which legal basis is the right one?
Article 6(1) GDPR forms the general legal basis for handling personal data. For the non-public sector, point (f) is particularly relevant. For the public sector, by contrast, paragraph 3 refers to national law. This paragraph has the character of a directive: national legislators are required to regulate the requirements it sets out in a binding manner.
"This legal basis may contain specific provisions adapting the application of the rules of this Regulation, including provisions on the general conditions governing the lawfulness of processing by the controller, the types of data processed, the individuals concerned, the entities to which and the purposes for which the personal data may be disclosed, the purpose limitation, the storage period and the processing operations and procedures that may be applied, including measures to ensure lawful and fair processing, such as those for other specific processing situations in accordance with Chapter IX."
Numerous opening clauses in the GDPR also allow member states to adopt national regulations themselves in many areas in order to ensure the protection of rights and freedoms with regard to the processing of personal data.
Consent as a legal basis
The GDPR defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her" (Article 4(11) GDPR). The conditions for consent are also set out in the General Data Protection Regulation, in Articles 7 and 8. If consent is chosen as the legal basis, it is important to note that data subjects must be able to refuse consent or to withdraw consent they have already given. This creates considerable uncertainty as to whether the data processing can be continued.
Consequently, consent is the right legal basis in only a few constellations. Processing for which consent is the appropriate basis of legitimacy includes the processing of special categories of personal data, the processing of data that involves a serious intrusion into the data subject's personality, and processing whose contractual agreement would circumvent a legal prohibition.
Contract as legal basis
A contractual agreement is preferable to consent by data subjects, especially when:
- the processing operations are necessary for the service offered by the company and requested by the data subject;
- the processing operations as such constitute the consideration for the provision of a service (e.g. processing of data for marketing purposes in return for a download);
- the processing operations are part of the core of the employment relationship.
Employees must tolerate the processing of their data without which the employment relationship could not be administered. If employees refuse such data processing, this may result in the termination of the employment relationship. The actual justification for the processing is the employee's employment relationship itself.
Weighing of interests as a legal basis
If a contract with the data subject cannot sufficiently legitimise processing, it is possible to base it on a legitimate interest of the company. This legal basis requires weighing the company's interest against the legitimate interests of the data subject. It should be used above all in the following cases:
- Processing operations that are required on the basis of an economic risk assessment
- Processing that is economically necessary due to the specific employment relationship
- Processing that is decisive for the economic success of the company
Forms of data processing
Electronic data processing
Electronic data processing (EDP) refers to the automated processing of data in a company. In terms of data protection law, electronic data processing plays a decisive role, as it brings processing within the material scope of the GDPR. Article 2(1) GDPR defines this scope as the wholly or partly automated processing of personal data, as well as the non-automated processing of personal data that is stored, or is intended to be stored, in a filing system. Accordingly, data can be collected in analogue form, such as paper files, as well as in digitised (automated) form.
Processing on behalf of a controller as a special form
If data is processed on behalf of another company, a separate contract must be concluded between the controller and the processor. This is referred to as a data processing agreement (AV contract for short) and is required, for example, if payroll accounting is outsourced or a call centre is used.
You can find more information on this in the article GDPR compliant data processing agreement.
Data processing in corporate groups
Within a corporate group, the exchange of personal data is not privileged. This means that an exchange of data between companies belonging to the same group requires a legal basis in the same way as an exchange with an external company. Recital 48 can be helpful here: it recognises that a controller may have a legitimate interest in transmitting customer and employee data within a group of undertakings for internal administrative purposes.