Processing operations in the GDPR
Home » The GDPR » Main Concepts » Data Protection by Design and by Default (DPbDD) » Analysis of Article 25. Data protection by design » Processing operations in the GDPR

The following analyzes what the GDPR defines as a processing operation.

Art. 5(1)(f) GDPR states the necessity of “protection against unauthorized [..] processing”. This implies that the ordinary processingneeds to be authorized. It is also clear from the context that such authorization must come from the controller who bears the full responsibility for the processing. But how can a controller limit the processing to what is authorized?

A partial answer to this question can be found in Art. 29 GDPR: “The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, [..].” Also Art. 32(4) GDPR uses a very similar wording. Art. 29 GDPR implies the following conception:

  • The processing operation is executed by “natural a person acting under the authority of the controlleror the processor”. Such persons are most often employees of the controller, but could also work for a processor or work without actual employment[1]. They are calledhuman resources in the sequel. Note that these persons in turn control technical means that support or partially automate the processing[2].
  • The means with which a controller ensures that only authorized processing takes place is through issuing instructions.

To ensure that only authorized processing takes place, the instructions must specify all relevant aspects of the processing activity: who, when, what, and how. In other words, human resources need to act only on instruction (who, when) and as instructed (what, how).

Albeit with less clarity, the GDPR also states that technical resources are necessary. This is very clear in Recital 39 (sentence 12) that speaks of the “equipment used for the processing”. Other terms related to technical resources that are used in the GDPR are “data processing equipment” in Art. 58(1)(f) and “processing systems” in Art. 32(1)(b).

While the GDPR uses the term instruction only in the context of human resources, it is clear that also technical resources require instructions in order to execute only authorized processing. In the technical domain, the term machine instructions is used here. An important type of such instructions is software.

In summary, when looking at an individual (human or technical) resource, the GDPR defines a processing operation as follows:

individual processing operation
execution of
the controller’s instructions by a single resource

In most cases, the overall processing operations involve a system of a multitude of interacting human and technical resources. This is expressed in the following:

overall processing operations

multitude of individual processing operations
executed by individual human and technical resources


Figure 1: The GDPR’s conception of a processing operation.

Figure 1 illustrates the GDPR’s concept of processing operations in a wider context. It illustrates the domain of responsibility of the controller by a dashed box. The controller determines the authorized processing operations by issuing or selecting/approving[3] instructions to both, human resources (HR) who act under its authority (see Art. 29 GDPR) and technical resources (TR) under its control. All resources interact to form the overall processing system. The context of this processing system is defined by data subjects who interact with human and/or technical resources, and optionally third party recipients (see Art. 4(9) and (10) GDPR) to whom resources disclose personal data.

This model of processing operations represents the processing authorized by the controller. It is used in the next section to better understand what determining the means actually entails.



1See also EDPB guidelines on the concepts of controller and processor in the GDPR, paragraph 88 for a discussion of the meaning of “persons who, under the direct authority of the controller or processor, are authorised to process personal data”.

2Note that even in the case of “fully automatic processing”, it is always a person who controls such processing by starting and stopping it. The control by a person is even more evident when looking at computerized “tools” that are used by humans though a human-machine-interface.

3Selecting and approving of instructions by a controller is for example done when off-the-shelf software is acquired or when a controller chooses the service of a given processor.


Skip to content