Personal data processing definition in GDPR
In the previous post I explained what data should be considered to be personal data. Now I would like to concentrate on the second definition from article 4 of GDPR [1]Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) explaining what personal data processing is.
Any operation performed on personal data
According to the article 4 p. 2) of GDPR, personal data processing “means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.
The definition construed in such way makes everything clear – all activities connected with personal data should be qualified as processing. The catalogue of the activities determined in GDPR is open by use of the term “such as”. Mentioned actions are therefore only examples, but it is difficult to imagine some other activities related to personal data. However, if anyone is able to find out any other, such action will be processing as well.
Personal data processing starts form data collection (receiving from users, clients or contractors) and covers all what happen to them until the moment of deletion. After deletion of data processing is over.
Processing whether or not by automated means
In the definition contained in GDPR it is stipulated that personal data processing covers both automated and not automated activities. Therefore it does not matter whether data is processed within computer systems or only manually on paper – in each case the rules of processing determined in GDPR apply.
Examples from jurisprudence
There are not much doubts about the definition of personal data processing. However, it is worthy to supplement the above theory with examples form court decisions. Because the definition from GDPR is very similar to the definition from the Polish Act on Personal Data Processing which was in force before GDPR, we can look at older judgments.
- Requiring personal data is factual activity which precedes collection of personal data. It does not constitute personal data processing yet and therefore is not cot covered by the provisions of the Act on Personal Data Processing. If employer asks labor association to send to him list of employees but these data are note submitted to him, there is no personal data processing. – judgment of Supreme Administrative Court of 28th June 2011, files no. I OSK 1264/10.
- Making available name and last name by the district head on the website of the district, constitutes personal data processing – judgment of Voivodship Administrative Court in Warsaw of 24th November 2011, files no. II SA/Wa 1828/11.
- Collecting statements containing personal data of heating oil constitutes personal data processing – judgment of Voivodship Administrative Court in Bydgoszcz of 13th February 2013, files no. I SA/Bd 1012/12.
Przypisy
| ↑1 | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) |
|---|
