Authors: Vagelis Papakonstantinou and Paul De Hert
For the purposes of this Regulation:
(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
1. Overview and legislative history
- Overview: An easily-met criterion for GDPR applicability, that conceals these provisions’ true value
Processing is a key term in the GDPR system; essentially, the whole GDPR legal architecture is based on it, as, after all, declared in its title (“on the protection of natural persons with regard to the processing of personal data”). Hence, understanding the exact content of the term is of crucial importance. Fortunately, its definition is provided for under this Art. 4 no. 2. Rather than leaving the interpretation of this term open-ended, to follow technical developments or social context, the GDPR chose to define it in considerable detail. The first concrete result of this policy option is that establishment of this condition, in other words whether “processing” under the GDPR meaning occurs or not ought not be taken for granted, but rather needs to be explicitly examined and justified.
In laying down expressly what it considers “processing”, and what not, the GDPR follows the example of its predecessor, the DPD. In fact, the GDPR wording is almost identical to that of the DPD (Art. 2 lit. b). Consequently, analogy is the legal tool to be employed here, when it comes to elaborating upon the exact meaning of this Art. 4 no. 2. All that was applicable with regard to the DPD’s Art. 2 lit. b applies, by analogy, also with regard to Art. 4 no. 2 of the GDPR. This includes case law as well as SAs’ and Art. 29 WP’s practices and guidance. The GDPR makes no substantial changes or amendments to the wording employed by the DPD, therefore practices and ideas of the past are not expected to be affected in the future. Other than that, the fact that the GDPR used the same wording as the DPD did some twenty years ago demonstrates not only the significance of these provisions, but also, perhaps more importantly, persistence and consistency, warranting thus legal certainty.
What is of importance while applying this Art. 4 no. 2 is its expansive, all-encompassing approach. This has best been described in the Explanatory Memorandum of the DPD, where it was expressly stated that the relevant provisions aimed at a possibly wide scope of application, in order to warrant individual protection. Their aim was to include all operations in all stages of personal data processing, from collection until deletion of the data.[1]
In the same context, the listing of processing operations in this Art. 4 no. 2 is indicative. The legislator’s intent is to warrant a possibly wide protection for data subjects. “Processing” is not a filter to limit, restrict or even rationalise the scope of the GDPR, as e.g. is the case of the “filing system” (Art. 2 para. 1 and 4 no. 6; → Art. 2 mn. 32), or processing for household purposes (Art. 2 para. 2 lit. c; → Art. 2 mn. 54), or even the definition of “personal data” itself. Here, the approach is open: all operations on “personal data”, even the simplest, most routine and mundane ones, such as merely reading the data,[2] should be considered as constituting “processing” for the purposes of the GDPR. In essence, any interaction with personal data should be considered as “processing” under the GDPR meaning, rendering thus cases that this is not the case practically inconceivable. In Ian Lloyd’s words, “it might be suggested, with little element of exaggeration, that whilst the act of dreaming about data will not constitute processing, any further activities will bring a party within the scope of the legislation”.[3] While, therefore, “processing” is introduced as a concrete, basic criterion with regard to GDPR applicability, in practice it is merely of theoretical value, and is not actually expected to place any limitations or restrictions in this regard.
This open approach has been consistently validated by the CJEU over the past few years under the, identical, wording of the DPD. In Lindqvist[4] the Court, despite of the fact that Mrs. Lindqvist argued that “processing” requires something more than simply compiling a list in a word processor, finally sided with the broadest approach possible to “processing”.[5] The same, unsophisticated approach to “processing” of personal data has been undertaken by the Court both in the Weltimmo[6] and in the Google Spain[7] cases, where it found that the operation of loading personal data on an internet page constitutes processing.[8]
[…]
[1] See Dammann/Simitis, p. 106.
[2] Dammann/Simitis, p. 110.
[3] Lloyd, Information Technology Law, p. 49.
[4] Bodil Lindqvist v Åklagarkammaren i Jönköping, No. C-101/01, ECLI:EU:C:2003:596 (CJEU 6 November 2003).
[5] Lindqvist at para. 25.
[6] Weltimmo s. r. o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, No. C-230/14, ECLI:EU:C:2015:639 (CJEU 1 October 2015).
[7] Google Spain and Google, No. C‑131/12, ECLI:EU:C:2014:317 (CJEU 13 May 2014).
[8] In para. 37 and para. 26, respectively.