Guide for proper processing of personal data under GDPR.
Key Terms
| Term | Definition | Example |
|---|---|---|
| Personal data | Any information relating to an identified or identifiable natural person | Name, email, IP address |
| Data subject | Natural person whose data you process | Customer, employee |
| Controller | Determines the purposes and means of processing | Your company |
| Processor | Processes data on behalf of the controller | Cloud provider |
| Processing | Any operation performed on data | Collection, storage, use, deletion |
Categories of Personal Data
Standard Personal Data
| Category | Examples |
|---|---|
| Identification | Name, surname, date of birth, national ID number |
| Contact | Email, phone, address |
| Online identifiers | IP address, cookies, device ID |
| Financial | Bank account number, payment card |
| Professional | Employer, position, CV |
| Behavioural | Purchase history, browsing history |
Special Categories (Art. 9)
Processing requires explicit consent or a legal exemption:
| Category | Examples | Legal basis |
|---|---|---|
| Racial/ethnic origin | Nationality, ethnicity | Explicit consent |
| Political opinions | Political party membership | Explicit consent |
| Religious beliefs | Faith, church | Explicit consent |
| Trade union membership | Trade union | Explicit consent |
| Genetic data | DNA, genetic tests | Health purposes |
| Biometric data | Fingerprint, face ID | Security |
| Health data | Diagnoses, treatment | Healthcare |
| Sexual orientation | Sexual preferences | Explicit consent |
Data Mapping (ROPA)
Records of Processing Activities
GDPR requires maintaining records of processing (Art. 30):
ROPA Table Example
| # | Purpose | Legal basis | Subjects | Data | Recipients | Retention |
|---|---|---|---|---|---|---|
| 1 | E-commerce | Contract | Customers | Name, address, payments | Courier, payment gateway | 10 years |
| 2 | Newsletter | Consent | Subscribers | Email | Email service provider | Until revocation |
| 3 | HR | Contract + Legal obligation | Employees | All | Accountant, social security | 30 years |
| 4 | Analytics | Legitimate interest | Visitors | IP, cookies | Analytics provider | 2 years |
Legal Bases for Processing
Overview of Legal Bases (Art. 6)
| # | Legal basis | When | Example | Caveat |
|---|---|---|---|---|
| 1 | CONSENT (Art. 6.1.a) | Marketing, cookies, newsletter | Voluntary, specific, informed | Revocable at any time |
| 2 | CONTRACT (Art. 6.1.b) | Performance of a contract with the subject | Goods delivery, service provision | Only necessary data |
| 3 | LEGAL OBLIGATION (Art. 6.1.c) | Law requires processing | Tax, accounting, social security | A specific law must exist |
| 4 | VITAL INTEREST (Art. 6.1.d) | Protecting the subject’s life | Medical emergency | Exceptional situations |
| 5 | PUBLIC INTEREST (Art. 6.1.e) | Exercise of official authority | Government | Only public authorities |
| 6 | LEGITIMATE INTEREST (Art. 6.1.f) | Your legitimate interest outweighs rights | Fraud prevention, direct marketing | LIA (balancing test) required |
Consent --- Requirements
Valid consent must be:
| Requirement | Description | Wrong example | Correct example |
|---|---|---|---|
| Freely given | Without coercion | "You cannot use the service without consent" | Service works without consent |
| Specific | For a clear purpose | "I agree to everything" | "I agree to the newsletter" |
| Informed | Subject knows what | No explanation | Clear description of purpose |
| Unambiguous | Active action | Pre-ticked checkbox | Empty checkbox |
| Revocable | Easy withdrawal | Hidden or complicated | Link in every email |
Legitimate Interest --- LIA
Legitimate Interest Assessment (balancing test):
Processing Principles
GDPR Principles (Art. 5)
| Principle | Description | Implementation |
|---|---|---|
| Lawfulness | Have a legal basis | Document in ROPA |
| Purpose limitation | Only for the defined purpose | Do not share for other purposes |
| Data minimisation | Only necessary data | Audit, delete unnecessary data |
| Accuracy | Data must be correct | Validation, corrections |
| Storage limitation | Not longer than necessary | Retention policy |
| Integrity | Data security | Encryption, access control |
| Accountability | Demonstrate compliance | Documentation, audit trail |
Data Transfers Outside the EU
Transfer Mechanisms
| Mechanism | When to use |
|---|---|
| Adequacy decision | Countries with an EC decision (UK, Switzerland, Canada, Japan…) |
| SCCs | Standard Contractual Clauses --- most common |
| BCR | Binding Corporate Rules --- for corporations |
| Derogations | Explicit consent, contract performance (limited) |
US Transfers (post-Schrems II)
- EU-US Data Privacy Framework (2023+) --- for certified US companies
- Must verify whether the vendor is on the DPF list
- Alternatively SCCs + TIA (Transfer Impact Assessment)
Data Processing Agreements
Mandatory DPA Content (Art. 28)
| Item | Description |
|---|---|
| Subject of processing | What the processor processes |
| Duration | How long |
| Nature and purpose | Why |
| Types of data | What data |
| Categories of subjects | About whom |
| Rights and obligations | Controller vs. Processor |
| Sub-processors | List + approval process |
| Security measures | Technical + organisational |
| Breach notification | SLA for reporting |
| Audit rights | Right to audit |
| Deletion | After termination of the agreement |
| Assistance | Help with DSAR, DPIA |
Retention Policy
Retention Schedule Example
| Data category | Retention | Basis | Auto-delete |
|---|---|---|---|
| Customer data | Contract duration + 3 years | Business need | Yes |
| Employee data | Employment duration + 30 years | Law | No |
| Financial records | 10 years | Accounting regulations | Yes |
| Marketing consent | Until revocation | Consent | Yes |
| Log data | 1 year | Security | Yes |
| Backup data | 30 days after deletion | Technical | Yes |
| CCTV | 72 hours | Legitimate interest | Yes |
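The schedule above only enforces storage limitation if something actually evaluates it against the data inventory. The following is an added example (not part of the original guide, and not any particular product's code) of how the schedule can be encoded and applied: each category gets an anchor event that starts the retention clock (contract end, employment end, record creation, consent revocation, deletion of the source data), a period, and an auto-delete flag. Records whose anchor event has not happened yet are reported as pending rather than silently retained forever, and categories marked "No" for auto-delete are routed to a review queue instead of being deleted. The category names, field names and sample records are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


# Constructed encoding of the retention schedule in the table above.
# Periods are years + days counted from an anchor event; the category
# and field names are assumptions made for this example.
@dataclass(frozen=True)
class RetentionRule:
    anchor: str           # record date field that starts the retention clock
    years: int = 0
    days: int = 0
    auto_delete: bool = True


SCHEDULE: Dict[str, RetentionRule] = {
    "customer":          RetentionRule("contract_end", years=3),
    "employee":          RetentionRule("employment_end", years=30, auto_delete=False),
    "financial":         RetentionRule("created", years=10),
    "marketing_consent": RetentionRule("revoked"),              # delete once consent is revoked
    "log":               RetentionRule("created", years=1),
    "backup":            RetentionRule("source_deleted", days=30),
    "cctv":              RetentionRule("created", days=3),       # 72 hours
}


@dataclass
class Record:
    record_id: str
    category: str
    dates: Dict[str, Optional[date]] = field(default_factory=dict)


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 Feb rolls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def expiry_date(rec: Record) -> Optional[date]:
    """Date on which the record's retention period ends, or None when the
    anchor event has not happened yet (contract still running, consent not
    revoked), i.e. the clock has not started."""
    rule = SCHEDULE[rec.category]
    anchor = rec.dates.get(rule.anchor)
    if anchor is None:
        return None
    return add_years(anchor, rule.years) + timedelta(days=rule.days)


def classify(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Bucket records into: 'delete' (expired, auto-delete allowed),
    'review' (expired, but the schedule requires a human decision),
    'retain' (still within the period) and 'pending' (clock not started)."""
    buckets: Dict[str, List[str]] = {"delete": [], "review": [], "retain": [], "pending": []}
    for rec in records:
        expiry = expiry_date(rec)
        if expiry is None:
            buckets["pending"].append(rec.record_id)
        elif expiry > today:
            buckets["retain"].append(rec.record_id)
        elif SCHEDULE[rec.category].auto_delete:
            buckets["delete"].append(rec.record_id)
        else:
            buckets["review"].append(rec.record_id)
    return buckets


# Constructed sample inventory, evaluated as of 2025-06-01.
SAMPLE: List[Record] = [
    Record("c1", "customer", {"contract_end": date(2022, 5, 31)}),
    Record("c2", "customer", {"contract_end": None}),            # contract still active
    Record("e1", "employee", {"employment_end": date(1994, 1, 1)}),
    Record("f1", "financial", {"created": date(2014, 3, 15)}),
    Record("m1", "marketing_consent", {"revoked": None}),        # consent still valid
    Record("m2", "marketing_consent", {"revoked": date(2025, 5, 30)}),
    Record("l1", "log", {"created": date(2025, 1, 1)}),
    Record("b1", "backup", {"source_deleted": date(2025, 5, 20)}),
    Record("v1", "cctv", {"created": date(2025, 5, 28)}),
    Record("v2", "cctv", {"created": date(2025, 5, 30)}),
]


def run_sample() -> Dict[str, List[str]]:
    """Apply the schedule to the constructed inventory as of 2025-06-01."""
    return classify(SAMPLE, date(2025, 6, 1))


if __name__ == "__main__":
    for bucket, ids in run_sample().items():
        print(f"{bucket:8s} {ids}")
```

The review bucket is the important design choice: a schedule entry that says "No" for auto-delete still produces an expiry, so the job surfaces overdue records for a decision instead of leaving them invisible. A retention table that is only ever read by humans tends to drift from what the systems actually hold.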
Next Steps
- Data processing understood
- Data subject rights (DSAR)
- Compliance checklist