Art. 4 № 2 GDPR establishes the legal definition of the processing. It is valid as of May 25th, 2018. Thereafter, any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction shall be deemed as processing.Processing of personal data usually begins with the collection of the data of a natural person. For example, it may occur at the enterprise via an input form on a website or even through the employees that carry out a manual recording of the data.


Even the receipt of an e-mail containing information on a natural person is usually a collection of personal data. This is the reason why every company collects personal data. As a rule, data collection is followed by data processing, for example, the entry into an order system. Without the date with the reference to an individual, the controller could not ultimately place an order.

Processing procedures are therefore found throughout the enterprise.


The notion of processing includes not only any use or data modification; also the disclosure by means of transmission to the service provider is covered. Among other things, the electronic communication of the address data of natural persons to the parcel service, which assumes the delivery of your goods, is qualified as processing of the personal data.


  • Input form on the website;

  • Collection by an employee;

  • Storage as an electronic fax;

  • Receipt of an E-mail;

  • Reading out data;

  • Query of staff data.


  • Data import to invoices

  • Data transmission to service provider

  • Data storage

  • Dissemination in the internet

  • Data erasure

  • Limitations of processing

-i Please, pay attention

The processing of personal data is only permitted if the provisions of the General Data Protection Regulation (effective as of 25 May 2018) or the law of the Member States es allows. The controller must, as a rule, inform the data subject in advance of the processing of the data concerning him or her, Art. 13, 14 GDPR.

There is much to pay attention to. The German Association for Data Protection will be glad to assist you.

Specific Questions in regard to your Personal Situation?