Data processing (DP) generally refers to the organized handling of data volumes with the aim of obtaining information about these data volumes or modifying them. The term was used even before the introduction of computer systems.

Data protection is standardized within the EU. The basis is the General Data Protection Regulation (GDPR), EU Regulation 2016/679, which the individual EU member states also reflect in their national regulations.

The EU regulation is available in at least 24 languages as a PDF or HTML version: General Data Protection Regulation (GDPR)

General data processing is now a daily part of the use of computers, software, and media, and can be carried out via a variety of technical channels and components. This aspect will not be discussed in this section. Rather, the focus will be on the protection regulations governing the processing itself, especially the processing of personal data.

Personal data

The daily handling of data volumes, their collection, and storage is not subject to individual discretion. While data processing in private life and for personal purposes on a home PC or smartphone is not subject to any supervision, there are clear rules and conditions for data exchange in business life. These are subject to the General Data Protection Regulation. According to Article 4, Number 2 of the General Data Protection Regulation (GDPR), the term "processing" is defined as:

"‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;"
Source: Art. 4 (2) GDPR

Personal data is particularly protected. The General Data Protection Regulation sets out mandatory rules for the collection and processing of such data. Processing must, in particular, comply with the following principles (Art. 5 (1) GDPR):

  • Processing must be lawful, fair and transparent.
  • Data may only be collected for specified, explicit and legitimate purposes and may not be further processed for purposes other than those for which it was collected.
  • Processing is subject to data minimization: the data must be appropriate to the purpose and limited to what is necessary for the purposes of processing.
  • The data must be accurate and up to date.
  • The form of data storage should only allow the identification of data subjects for as long as is necessary for the purposes for which they are processed.
  • Integrity and confidentiality must be ensured: stored data must be protected against loss, unauthorized or unlawful processing, as well as accidental damage or destruction.

For larger amounts of data, it is advisable to seek advice from an external data protection officer/consultant, as violations of regulations are subject to sanctions.

Data processing within the framework of order management

If data is processed on behalf of a business partner, the controller and the contractor must agree to this in a separate data processing agreement (for example, a data processing agreement with a customer service office or call center). The content of this agreement must also comply with the additional requirements of the General Data Protection Regulation. The aim is to guarantee:

"... appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject."
Source: Art. 28 (1) GDPR

Data exchange within corporate groups also requires a legal basis. Subordinate companies are subject to similar regulations as external companies.

---

Source:
General Data Protection Regulation (GDPR)