The present section analyses the letter of the law with the objective of finding a structured and systematic approach to discussing the measures that controllers are mandated to implement by Art. 25 GDPR. The resulting systematics and structure are then used in the section on measures, which constitutes the most concrete guidance for practitioners.
To foster a clear understanding of the text, the following breakout box defines two frequently used terms.
Definition: processing activity
The term processing activity is used here in the sense of Art. 30 GDPR (records of processing activities) and Art. 4(16)(b) GDPR. In both cases, a processing activity is the basic stand-alone unit of undertaking by a controller that involves the processing of personal data. A processing activity undergoes a life cycle that includes conception, design, implementation, operation, and dismantling.
Definition: processing operation
The term processing operation refers only to the operational phase of a processing activity, where a processing system is operated to actually process personal data. It entails the execution of processing operations as they are defined in Art. 4(2) GDPR. Other aspects of processing activities, such as conception and design, do not execute such processing operations and are therefore not deemed part of the processing operations.