As soon as you write down a name or a first name on a sheet of paper and store that sheet in your cupboard in labelled hanging files, it becomes data processing. It is therefore a very broad concept that covers even the simplest action that can be performed on personal data.
Here Are Some Examples Of Data Processing:
Collection: that is, the gathering of personal data. It must be done exclusively with the person concerned. The data cannot be obtained from partners without the explicit consent of the person concerned.
It can be done using, for example, an information sheet, a registration form, or a form on a website.
Recording: once the data has been collected, the act of recording it in a database, electronic or not, is data processing.
Retention: as soon as personal data is collected, a retention period must be defined.
Defining this retention period for each item of data that you process is required by the GDPR, and the period must be respected.
Indeed, it is not necessary to keep personal data beyond the duration of its processing. Keeping personal data longer than the processing requires creates a risk of loss or data breach.
You define this retention period according to your legal obligations and the processing requirements that apply to the personal data for which you are responsible.
It must be respected. Any data for which the defined retention period has been exceeded must be permanently deleted.
Having a serious complaint about data that should no longer be present in your databases is an aggravating factor in the eyes of the CNIL.
Communication, transfer and interconnection: The export of personal data is subject to the General Data Protection Regulation. It is not allowed to transfer data without the explicit permission of the data subjects unless it is a matter of national security. For transfers within the same group across different countries, consulting the CNIL is necessary, because transferring the personal data of European citizens to some countries is strictly forbidden.
Is Data Processing Exclusively Electronic?
Well, no: there is data processing as soon as data is processed, and not necessarily by electronic means.
Processing of all personal data, including data contained in paper files, is subject to European data protection regulations.
Here Is An Example:
Throughout your professional life, you collect business cards from other professionals you meet. These business cards contain personal data.
If you toss these business cards loose into a shoebox, this does not constitute a personal data file.
On the other hand, if you store them in a cardholder in a structured manner, in alphabetical order, which makes it possible to easily find an individual and all their data, this constitutes a personal data file.
Personal data is not limited to private life: professional data is also personal data.
All the information that you collect and structure properly constitutes a file of personal data.
Finally, note that the context is not decisive, which means that even in a Business to Business (B2B) context, data processing is subject to European regulations.
This is because, even if a company name is not personal data, in your telephone directory or in your company's filing system that company name is always attached to the name of a sales representative, a director or someone else.
Am I Responsible If I Outsource My Data Processing?
Faced with such complexity and such diversity in the processing of personal data, you might well tell me: yes, but I outsource all my processing, so the responsible party is my supplier… Well, no!
Even if you subcontract your processing of personal data, you remain the only data controller in the eyes of the law.
You are required to ensure that your service provider carries out the processing correctly and to provide proof of this in the event of an inspection by the CNIL or the authorities.