Processing Personal Data: A Complete Legal Guide
Learn what processing personal data means under GDPR, the six lawful bases, and how to stay compliant. Practical guide for website owners.
Every website that collects names, email addresses, IP addresses, or cookie identifiers is processing personal data under European data protection law. Understanding what this term means, and what obligations it carries, is essential for any business that operates online or serves customers in the European Economic Area.
This guide explains the legal definition of processing personal data, the requirements the GDPR imposes on data controllers and processors, and the practical steps you need to take. The information here is educational and should not be treated as legal advice. Consult a qualified attorney for guidance specific to your situation.
What Does Processing Personal Data Mean?
The General Data Protection Regulation defines "processing" far more broadly than most business owners expect. Article 4(2) of the GDPR states that processing means any operation or set of operations performed on personal data, whether by automated means or not.
This includes, but is not limited to:
- Collection: gathering personal data through forms, cookies, or APIs
- Recording: entering data into a database or spreadsheet
- Organisation and structuring: sorting, categorizing, or tagging data
- Storage: keeping data on servers, in cloud platforms, or on paper
- Retrieval and consultation: looking up or viewing stored data
- Use: applying data for any purpose, including analytics or marketing
- Disclosure by transmission: sharing data with third parties or transferring it across borders
- Erasure and destruction: deleting data or disposing of physical records
The breadth of this definition is intentional. If your organization touches personal data in any way, you are processing it. There is no exemption for simply storing data without actively using it.
The Six Lawful Bases for Processing Personal Data
Article 6(1) of the GDPR requires that every processing activity rests on at least one of six lawful bases. You must identify your lawful basis before processing begins, and you must document your choice. Switching to a different basis after the fact is not permitted except in narrow circumstances.
1. Consent (Article 6(1)(a))
The data subject has given clear, affirmative consent to processing for one or more specific purposes. GDPR consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes and bundled consent do not meet the standard.
2. Contractual Necessity (Article 6(1)(b))
Processing is necessary to perform a contract with the data subject, or to take steps at their request before entering a contract. For example, you need a customer's shipping address to fulfill an online order. This basis only covers processing that is genuinely necessary for the contract, not processing that is merely useful.
3. Legal Obligation (Article 6(1)(c))
Processing is necessary to comply with a legal obligation to which the controller is subject. Tax record retention, employment law reporting, and anti-money laundering checks fall under this basis. The obligation must come from EU or member state law, not from a contractual requirement.
4. Vital Interests (Article 6(1)(d))
Processing is necessary to protect the vital interests of the data subject or another person. This basis is reserved for life-or-death situations, such as medical emergencies. It is rarely applicable in a commercial context.
5. Public Task (Article 6(1)(e))
Processing is necessary to carry out a task in the public interest or in the exercise of official authority. This basis applies primarily to public bodies and organizations performing functions delegated by law.
6. Legitimate Interests (Article 6(1)(f))
Processing is necessary for the legitimate interests of the controller or a third party, except where overridden by the data subject's rights. This is the most flexible basis, but it requires a documented balancing test (known as a Legitimate Interests Assessment, or LIA) weighing the controller's interests against the impact on individuals.
Common legitimate interest use cases include fraud prevention, direct marketing to existing customers, and network security monitoring.
Processing Personal Data: Key Obligations for Controllers
A data controller is the entity that determines the purposes and means of processing. If you run a website and decide what data to collect and why, you are the controller. The GDPR places several obligations directly on controllers.
Transparency: Articles 13 and 14 require you to inform data subjects about your processing activities at the time of collection. Your privacy policy must explain what data you collect, why you collect it, the lawful basis for each processing activity, who receives the data, and how long you retain it.
Purpose limitation: Article 5(1)(b) requires that data be collected for specified, explicit, and legitimate purposes. You cannot collect data for one reason and then repurpose it for something unrelated without a compatible legal basis.
Data minimisation: Article 5(1)(c) requires that you collect only the data that is adequate, relevant, and limited to what is necessary. Asking users for their date of birth when you only need their email address to send a newsletter violates this principle.
Accuracy: Article 5(1)(d) requires that personal data be accurate and, where necessary, kept up to date. You must take reasonable steps to erase or rectify inaccurate data without delay.
Storage limitation: Article 5(1)(e) requires that data be kept in identifiable form only for as long as necessary. Once the purpose for processing has been fulfilled, data must be anonymized or deleted.
How to Document Your Data Processing Activities
Article 30 of the GDPR requires controllers (and processors) with 250 or more employees, or those whose processing involves special category data or criminal conviction data, to maintain Records of Processing Activities (ROPA). In practice, maintaining a ROPA is a best practice for organizations of any size, and supervisory authorities expect it.
Your ROPA should include:
- The name and contact details of the controller (and DPO, if applicable)
- The purposes of each processing activity
- A description of the categories of data subjects and categories of personal data
- The categories of recipients to whom data has been or will be disclosed
- Details of transfers to third countries, including safeguards
- Retention periods for each category of data
- A general description of technical and organizational security measures
Keeping this record current is not just a compliance exercise. When a supervisory authority requests evidence that you are meeting your obligations, the ROPA is typically the first document they ask for.
Processing Personal Data in Practice: Common Website Scenarios
Understanding the theory is one step. Applying it to everyday website operations is where most businesses struggle. Below are common scenarios and the lawful basis that typically applies.
Contact forms: When a visitor submits a contact form, you process their name and email address. The lawful basis is typically legitimate interests (responding to an inquiry) or, if the form explicitly states you will add them to a mailing list, consent.
Newsletter sign-ups: Email marketing requires consent in most cases under Article 6(1)(a). The consent must be separate from other terms, and you must keep a record of when and how consent was given.
Analytics and cookies: Dropping non-essential cookies (such as those used by Google Analytics) requires consent under both the GDPR and the ePrivacy Directive (Directive 2002/58/EC). A cookie policy that explains your cookie usage is a separate but related requirement.
E-commerce transactions: Processing a customer's name, address, and payment details to fulfill an order falls under contractual necessity (Article 6(1)(b)). However, retaining that data after the transaction for marketing purposes requires a different basis.
Employee records: Processing employee payroll data, tax information, and employment contracts falls under legal obligation (Article 6(1)(c)) for tax and employment law, and contractual necessity for the employment relationship itself.
Data Processor vs. Data Controller: Understanding the Difference
The GDPR draws a clear line between controllers and processors, and the distinction carries real consequences for processing personal data.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowA data controller determines the purposes and means of processing. A data processor processes personal data on behalf of the controller.
For example, if you use a third-party email service to send newsletters, you are the controller (you decide to send newsletters and choose the audience), and the email service is the processor (it sends the emails on your behalf).
Under Article 28, the relationship between controller and processor must be governed by a written contract (a Data Processing Agreement, or DPA) that sets out:
- The subject matter and duration of processing
- The nature and purpose of processing
- The type of personal data and categories of data subjects
- The obligations and rights of the controller
Processors have their own direct obligations under the GDPR, including maintaining security measures (Article 32) and notifying the controller of data breaches without undue delay (Article 33).
Penalties for Unlawful Processing of Personal Data
The GDPR's enforcement provisions are among the strongest in data protection law. Article 83 establishes a two-tier penalty structure.
Lower tier (Article 83(4)): Violations of controller and processor obligations, including failure to maintain records, inadequate security measures, and failure to conduct impact assessments, can result in fines of up to 10 million EUR or 2% of annual global turnover, whichever is higher.
Upper tier (Article 83(5)): Violations of the core processing principles, including processing without a lawful basis, violating data subject rights, and unlawful international transfers, can result in fines of up to 20 million EUR or 4% of annual global turnover, whichever is higher.
Enforcement is not theoretical. Between 2018 and 2025, supervisory authorities across Europe issued billions of euros in fines. Notable examples include:
- Meta: 1.2 billion EUR (Irish DPC, 2023) for unlawful data transfers to the United States
- Amazon: 746 million EUR (Luxembourg CNPD, 2021) for non-compliant ad targeting
- Google: 90 million EUR (French CNIL, 2021) for cookie consent violations
Beyond fines, data subjects can bring private claims for compensation under Article 82, and supervisory authorities can issue orders to cease processing entirely.
Steps to Ensure Compliant Processing of Personal Data
Building a compliant data processing framework does not require a large legal team. It does require systematic attention to a handful of core practices.
Audit your data flows: Map every point where personal data enters, moves through, and exits your organization. Include website forms, cookies, third-party integrations, employee systems, and paper records.
Identify your lawful basis: For each processing activity, determine which of the six lawful bases applies. Document your reasoning. If you rely on legitimate interests, complete a Legitimate Interests Assessment.
Update your privacy policy: Your privacy policy must accurately describe every processing activity, the lawful basis, retention periods, and data subject rights. A generic or outdated privacy policy is a compliance gap.
Implement consent mechanisms: Where consent is required (marketing, non-essential cookies, special category data), use a consent mechanism that meets GDPR standards: freely given, specific, informed, unambiguous, and as easy to withdraw as to give.
Review your processor agreements: Ensure every third-party processor has a signed Data Processing Agreement that meets Article 28 requirements. Check that processors provide adequate security and do not sub-process without your authorization.
Establish retention schedules: Define how long you keep each category of data, and implement automated or manual deletion processes. Retaining data indefinitely "just in case" violates the storage limitation principle.
Train your team: Everyone who handles personal data, from customer support to marketing, should understand the basics of lawful processing, data subject rights, and incident reporting.
Prepare for data subject requests: Articles 15 through 22 give individuals rights including access, rectification, erasure, restriction, portability, and objection. You must respond within one month. Have a documented process ready before requests arrive.
Tools like TermsBox can help automate parts of this process, particularly generating compliant privacy policies and cookie policies that reflect your actual data processing activities based on automated website scans.
Frequently Asked Questions
What counts as processing personal data under GDPR?
Under Article 4(2) of the GDPR, processing covers any operation performed on personal data, whether automated or manual. This includes collection, recording, storage, retrieval, use, disclosure by transmission, erasure, and destruction. Even viewing personal data on a screen or organizing paper files counts as processing.
What are the six lawful bases for processing personal data?
Article 6(1) of the GDPR defines six lawful bases: consent, performance of a contract, legal obligation, vital interests, public task, and legitimate interests. You must identify and document at least one lawful basis before you begin any processing activity. The basis you choose affects the rights available to data subjects.
Do I need consent to process personal data?
Not always. Consent is one of six lawful bases, and it is not required when another basis applies. For example, processing an email address to fulfill an order falls under contractual necessity, and retaining tax records falls under legal obligation. However, consent is often the only available basis for marketing emails and non-essential cookies.
What happens if you process personal data without a lawful basis?
Processing personal data without a lawful basis is a direct violation of Article 6 of the GDPR. Supervisory authorities can impose fines of up to 20 million EUR or 4% of annual global turnover, whichever is higher. Beyond fines, the data subjects affected may seek compensation for material or non-material damage under Article 82.