Processing itself is started by the go-ahead from the controller to the resources to start executing the issued instructions. From this point on, the processing of actual personal data starts to take place. Namely, it is executed by the designated resources who follow the controller’s instructions.

The processing itself terminates when no more personal data are being processed. Considering that according to Art. 4(2) GDPR the storage of personal data constitutes processing, termination of processing itself goes beyond just telling resources to stop executing the issued instructions. It also requires additional instructions to ascertain that personal data is not being stored any longer. We call this dismantling of the processing operations. Dismantling encompasses erasure and destruction of personal data, both of which still constitute processing according to Art. 4(2).

Art. 25(1) requires controllers to implement also appropriate technical and organizational measures during the processing itself. In analogy to the determination of means, the structure found for the processing itself will be used to guide the discussion of measures.