Skip to content

What is "processing" and "limitation of processing"

In the next few episodes of the newsletter, we will continue the series started last month
on the basic concepts that have been defined by the EU legislator in Article 4
of RODO. This time we will take a closer look at two more definitions, i.e. "processing" and "restriction
of processing," which are very often used in the provisions of the RODO.


According to Article 4 para. 2 of the RODO, processing "means an operation or set of operations which is performed upon
personal data or sets of personal data by automated or
non-automated means, such as collection, recording, organizing, structuring,
storing, adapting or modifying, retrieving, viewing, using,
disclosing by transmission, dissemination or otherwise making available, matching
or linking, limiting, erasing or destroying."


As the definition implies, operations can be performed on data in an automated or
non-automated manner. Automated operations are those in which the
processing activities are performed with the use of devices that allow limited human involvement.
An example would be data processing using computer algorithms.
Non-automated data processing, on the other hand, involves performing various
types of actions on data using traditional methods (by humans) without using
tools that allow automation. Due to technological advances, it is increasingly difficult to distinguish
between automated and non-automated data processing. Some
of the computer programs enable data processing in both ways. An example
would be performing actions in Excel. Simply typing and storing
data in a worksheet would be non-automated data processing, while performing
calculations or sorting data using this software's tools are automated operations.


In the definition, the EU legislator cited examples of operations that fall within the
concept of processing. The role of this enumeration boils down to illustrating the categories of operations that are considered
to constitute "data processing." Thus, there is no doubt that the operations indicated
in the provision in question fall within the scope of the legal definition, although the colloquial understanding of this
concept is narrower.
It should also be remembered that the catalog of operations included in "data processing" is
open in nature (thanks to the use of the phrase "such as"). This is because it is not possible
to foresee all the operations that can be performed on personal data.


According to Article 4 para. 3 of the RODO, restriction of processing is "the marking of stored
personal data in order to limit its future processing." In simpler terms, restriction
of processing will mean the act of narrowing the modes of processing that can be undertaken
by the data controller. This may include both the scope of the information processed and the purposes for
which it is used. According to Dr. Marlena Sakowska-Baryla, "Restriction of processing
undertaken at the will of the controller will most often be derived from a desire to reduce the risks
associated with the processing process."


Actions that allow limiting the processing of personal data are approximated
in recital (67) of the preamble of the RODO:
"Among the methods that allow limiting the processing of personal data may be
inter alia: temporarily transferring selected personal data to another processing system,
preventing users from accessing selected data, or temporarily deleting published
data from the website. In automated data sets, the processing should
generally be limited by technical means in such a way that the personal data are not subject to further
processing or alteration. The fact that the processing of personal data is restricted must
be clearly indicated in the system."
The above catalog is also open-ended and only serves as an exemplary representation
of the activities that make it possible to restrict the processing of data.


Closely related to the concept of "restriction of processing" is one of the rights that the subject
has under the provisions of the RODO. We are talking about the right to restrict data processing, which
is regulated in Article 18 of the RODO. The key element of this entitlement is the prohibition of performing
operations on personal data other than storage. You will be able to read more about this
entitlement in a newsletter dedicated to this right, which will turn out in
some time. Meanwhile, I already refer those interested to an article on the subject

See other news