Data processing
Home » The GDPR » Main Concepts » Data processing

Iñigo de Miguel Beriain (UPV/EHU)

This part of the Guidelines was reviewed by Daniel Jove Villares, Universidade Da Coruna, Spain.

This part of The Guidelines has been reviewed and validated by Marko Sijan, Senior Advisor Specialist (HR DPA).



According to article 4(2) of the GDPR, processing “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.

Therefore, the concept of processing is broad. It covers a wide range of operations performed on personal data, including by manual or automated means, if it is part of a structured filing system, that is, a structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis (art. 4(6)).

Clearly, the list included in article 4(2) is non-exhaustive, meaning that other operations with personal data that work well with the general definition should also be considered processing under the GDPR. Some examples of processing include: staff management and payroll administration; access to/consultation of a contacts database containing personal data; sending promotional emails; shredding documents containing personal data; posting/putting a photo of a person on a website; storing IP addresses or MAC addresses; video recording (CCTV), etc. [1]

Processing as a key concept in the GDPR

Processing is an essential element in terms of data protection rights. What the GDPR really regulates is not the data itself, but the processing of personal data. This use of data triggers the application of data protection regulations. Indeed, article 1(1) of the GDPR states that “This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.”

The circumstances of the processing define the essential regulatory elements: the need (or not) to find a reason to process the data, if it is of a special category; the appropriate basis of legitimacy; whether it is a one-to-one treatment or processing on a large scale; the specific level of risk; the safeguards to be implemented; and so on. Each processing will be, in short, a separate, independent event, with its own characteristics and scale. Hence, it is always necessary to think that data protection regulations apply to each of them.

1EU Commission, What constitutes data processing, at:

Skip to content