Art. 25(1) GDPR speaks of two phases in relation to a processing activity, namely “the time of the determination of the means for processing” and “the time of the processing itself”. It is evident that both these times must be time periods of a certain duration much rather than points in time. It is also evident that the time of determining the means must precede the time of the processing itself. We therefore call these time periods also phases.
Art. 4(7) states that in addition to the means, the controller also “determines the purposes”. This evidently also takes time and precedes the determination of the means. It seems useful to include the determination of purposes for completeness and in case that there are measures that can be implemented in that phase.
Consequently, the GDPR implies the following phase model of a processing activity:
To better understand what exactly happens in each phase, it is necessary to analyze in more detail what the GDPR defines as a processing operation.