Processing of personal data

The processing of personal data refers to activities such as the collection, storage, use, transfer and disclosure of personal data. All activities involving personal data, from the planning of processing to the erasure of personal data, constitute processing of personal data.

All data related to an identified or identifiable person is personal data. Information such as names, telephone numbers, location data and information on the congenital diseases of the individual's grandparents is personal data.

A controller is an individual or organisation that determines the purposes and means of the processing of personal data. A controller can be an association that collects information on its members, a hospital that processes patient records, an online shop or a social media service.

A processor is an individual or organisation that processes personal data on behalf of a controller. A processor can be a marketing agency taking care of another company’s marketing or an IT service provider with access to the personal data collected by the controller.

Data protection principles and the processing of personal data

Personal data must always be processed in compliance with the data protection principles specified in data protection legislation.

The data protection principles state that personal data must be

  • processed lawfully, fairly and in a transparent manner in relation to the data subject
  • processed confidentially and securely
  • collected and processed for a specific and lawful purpose
  • collected only to the extent necessary with regard to the purpose of the processing
  • updated when required ‒ inaccurate personal data must be erased or rectified without delay and
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.