Data processing and GDPR

January 25, 2024
5 min read

Data Processing & Compliance

GDPR (General Data Protection Regulation) sets a high standard for data processing of personal data, and how you document your actions. For that reason it’s important that you know what personal data is and how they’re processed correctly.

In this article we dive deep into data processing and explain:

  • What is data processing and what is considered sensitive data?
  • What requirements does GDPR set for your data processing?
  • How do you process personal data correctly?
  • What’s in a data processing agreement?
  • What’s the difference between a data processor and a data manager?

What is data processing and what is sensitive data?

Data processing is any activity in which personal data is collected, registered, stored, analyzed, transmitted, deleted, sold etc. The term is defined so broadly that any contact with personal information is basically considered as data processing.

Data, in this case, is defined as formalized information that is typically handled by a machine or a computer.

Most businesses and organizations will, in one form or another, handle or process some type of data, most often personal data. The GDPR defines personal data as: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Typically, personal data is divided into two categories. Some countries also have a third category while others consider the category “Confidential personal data” to be of the same category as sensitive data.

  • General or common personal data: names, e-mail addresses, place of residence, place of employment, and other factual information that is publicly available.
  • Sensitive personal data (‘Special category of personal data’): Health records, information about a subject’s ethnicity, religion, or sexual identity. This data is more personal, and should therefore be handled with greater care.
  • Confidential personal data: social security numbers, criminal records and other classified information that needs to be regulated separately.

What requirements does GDPR set for your data processing?

According to the GDPR all personal data needs to be handled and processed particularly and sensitively. The more personal or private the information, the more rules and regulations you have to uphold during the processing of the data.

If you want to know more about how you should protect your clients’ personal data, you can read our article about data security.

Here is a concrete example on what the GDPR demands of you when you process data: A business needs to verify whether a given name actually belongs to the client. This is a requirement under KYC as defined in the Anti-Money Laundering Directive. Here you are required to use authoritative data sources that verify the credibility of the information. You could for example do this by seeing a copy of their passport or driver’s license. You are then required to document that you’ve verified their identity. All of this data processing needs to happen in accordance with the GDPR.

Is there a difference between data handling and data processing?

Data handling and data processing is often used interchangeably.

However, you could say that data processing is the overall term for both data handling and data utilization.

Data handling can be seen as an almost passive or non-transformative processing of data, whereas with data utilization, you do something with that data, such analyzing, deleting, or changing it.

How do you process personal data correctly?

In order to process personal data correctly, you need:

  • The legal right and a legitimate purpose
  • Consent from the person whose personal data you’re processing
  • A data processing agreement

A legal right and a legitimate purpose are prerequisites whenever you process personal data. Your rights are limited by whether you’re processing general or sensitive personal data.

You need consent from the person whose personal data you’re processing. This needs to fulfill a number of requirements: it needs to be voluntary, limited or specific, informed, and unambiguous. Furthermore, you need to document and verify that you’ve obtained the consent correctly.

There are exceptions as to when a business can get consent. This could be if, for example, it’s necessary out of care and due diligence to the person, or if there is a legitimate reason for the data manager that isn’t superseded by the subject’s own interests.

You can read more about consent on GDPR.eu.

Thirdly, businesses need a data processing agreement. This is a contract which contains instructions for the data processor on how to process the information. This agreement is between the data manager and data processor.

What’s in a data processing agreement?

A data processing agreement needs to give clear instructions to the data processor concerning how the information should be handled and processed. It’s a legally binding document that needs to be in writing and kept electronically.

The purpose of the agreement is to ensure that the personal data is treated and processed responsibly and securely. It’s also important that it contains requirements for how and when to contact the data manager if there’s suspicion of a security breach or misuse. If your business is the data processor it’s your responsibility to inform the data manager about suspicions of misuse or data breaches.

As part of the instructions the data processor should also be required to perform yearly, or by agreement, audits to document that they’re following the instructions and current laws. This can be done through an audit report that needs to be certified by an external auditor.

You can find a template for a data processing agreement on GDPR.eu.

What’s the difference between a data processor and a data manager?

The data processor and the data manager are not the same person.

The data manager is the party that determines which data to process, to what purpose, and using which tools. The data manager defines the ground rules for how the data ought to be processed.

On the other hand, the data processor is the party that performs the actual processing on behalf of the data manager.

It’s important to separate the two, because they have different requirements. One party, the data manager, ensures that the data processing is GDPR compliant, whereas the other party, the data processor, takes responsibility for acting in accordance with the given instructions.

Easier data processing with Meo

With Meo you can easily find the information you need about your clients using a simple search. And personal data is deleted or properly archived, whenever a business relation ends.

The platform makes sure that you comply with GDPR and makes it easy to handle data for:

Onboarding

Onboard your clients using secure channels.

Validation

Determine your requirements for validation of information.

Documentation

Full log and tracking of actions and access.

See how Meo can help you win big for your clients.

Let us show you why Meo is the preferred choice for lawyers and law firms wanting to automate their AML processes.