GDPR lawyers assess processing, responsibilities, risks and documentation requirements
The core rule for all processing of personal data under GDPR is strict adherence to the principles set out in Article 5 GDPR. These principles underpin every activity and impose demanding obligations on organisations to safeguard individuals’ rights and privacy. In practice, to act lawfully every operation must comply with the following:
The GDPR definition of processing personal data: under the GDPR, “processing” is any operation performed on personal data, whether automated or not. As a rule of thumb: if anything is done to a personal data item, it is a processing operation.
We review which personal data is processed in the business and in which flows it appears, to define what should be assessed. This provides a clear picture of responsibilities and dependencies before you decide on measures.
We clarify which transparency requirements are triggered and who is the controller versus the processor in each scenario. This makes it easier to allocate tasks internally and avoid gaps in communications to data subjects.
We assess which legal basis fits the processing and which practical follow-on requirements flow from that choice. Where legitimate interests apply, we structure the supporting material so the assessment is traceable and clear.
We translate the assessments into updated texts and ways of working that can be used day to day—for example policies, routines, and information wording. This reduces the risk of inconsistency between actual handling and what is communicated.
We set up a simple follow-up model so new processing activities, changed systems, or new recipients are captured in time. This keeps the work up to date without turning every change into a major project.
Once you understand your processing, it becomes easier to prioritise actions and allocate responsibility. Start with records and storage, then add contracts for your suppliers. Click through to make mapping a governance tool, not a one-off exercise.
Providing clear and relevant information to data subjects is a fundamental principle of processing personal data under GDPR. Organisations must know what is processed, for what purposes and how it affects individuals’ rights. Delivering the right information at the right time reduces administrative burden while preserving customer trust.
Articles 13 and 14 GDPR specify what must be communicated — Article 13 applies when data is collected from the individual, while Article 14 applies when obtained from another source. Failures can trigger complaints, administrative fines or reputational damage.
Morling Consulting provides tailored advice on what to communicate and how. We draft and review privacy notices, identify practical ways to provide information to data subjects and deliver training and ongoing advice on processing personal data under GDPR across Europe.
IDENTIFY THE LEGAL BASIS
Identifying the legal basis for processing is essential to meet GDPR. It reflects Article 5 GDPR’s principles and is a precondition for lawful activity. Processing without a valid legal basis is unlawful and may result in administrative fines following supervision by the Data Protection Agency. Under Article 6 GDPR there are six legal bases:
Choosing the right legal basis is not always straightforward and demands a careful assessment of the purpose and context. Each basis carries different requirements (for example documentation, information to data subjects or a right to object) and must be applied within its limits, consistent with the GDPR definition of processing personal data and the obligations that follow from it.
We help your organisation apply the principles of personal data processing by assessing your activities against GDPR’s principles. Common questions include what counts as processing of personal data, which information must be provided to data subjects and how to operationalise lawful grounds in practice. Our guidance is pragmatic, business-focused and aligned with the GDPR rules on processing personal data.
Working with Morling Consulting gives you access to specialist GDPR lawyers who assess your processing arrangements and risks. In doing so, you protect your brand and customer relationships. Contact us to discuss how we can help you manage the processing of personal data under GDPR across Europe.
Processing is any operation performed on personal data, automated or not. It includes collecting, recording, organising and storing, as well as altering, using or disclosing. Restricting, erasing or destroying also count as processing under the GDPR definition.
All processing must follow GDPR’s principles. Personal data must be processed lawfully, fairly and transparently; only for specific and legitimate purposes; only to the extent and for the time necessary; and with protection for privacy and confidentiality.
Under Articles 13 and 14 GDPR, organisations must explain what data is processed, why and on what legal basis, who the controller is, how long data is kept and what rights the individual has. Morling Consulting helps you formulate the mandatory information, for example in a privacy notice, and tailor it to your operations.
Several legal bases may be available for a processing activity, but one must be selected and documented before processing starts. Article 6 GDPR sets out six options: consent, contract, legal obligation, vital interests, public interest and legitimate interests. We help you identify and document the appropriate basis correctly.
Support typically includes: reviewing how personal data is handled in your systems; drafting privacy notices and consent wording; guiding you through incidents; assessing whether a Data Protection Impact Assessment (DPIA) is required and conducting it where needed; and providing legal interpretation for specific scenarios. Advice is tailored to your size, ways of working and needs.
Any information relating to an identified or identifiable natural person. For example: name, national ID number, email address or IP address; images, audio or video; or staff, customer or supplier records. Even indirect identifiers can be personal data if they can be linked to an individual.
Breaches can lead to supervision by the Data Protection Agency, administrative fines of up to EUR 20 million or 4% of global turnover, and loss of trust among customers, partners and the public. Morling Consulting helps you minimise risks and respond correctly to scrutiny.
A data processing agreement is required when you, as controller, engage an external party (for example a cloud provider) to process personal data on your behalf. We review or draft agreements to ensure they meet GDPR.
Do you need to assess a personal data processing activity and its requirements? Contact us to discuss