Personal Data Processing Procedure

In the context of personal data protection, the term “data processing procedure” frequently appears. The GDPR defines “processing” as any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means (…).

To better understand the concept of a “process,” it is helpful to refer to ISO 27000, which defines it as “a set of interrelated or interacting activities that transforms inputs into outputs.”

In the case of personal data processing, the output of the process is the achievement of the processing purpose, while the input is the personal data itself. Other variables that shape the process include the category of data subjects, the method of processing (especially the technology used), the scope and scale of the processing, the entities involved, and the legal environment surrounding the process.

The Legal Environment of Processing

When considering data protection within an organisation, it is important to look beyond the GDPR and national data protection laws and include all other applicable legal acts.

For instance, in a recruitment process, the scope of personal data an employer may request from job candidates is explicitly specified in Article 22¹ of the Polish Labour Code. Therefore, any recruitment process must implement the restrictions imposed by the legislator. Although candidates often voluntarily provide additional data beyond the statutory catalogue, such data is processed on the basis of consent. Once the recruitment process is complete and an employee is selected, a new data processing procedure begins – employment. This subsequent process must again be adjusted to comply with legal requirements (e.g. the 10-year retention period for personnel files). It is therefore critical to plan the process from the outset.

Planning and Designing the Data Processing Procedure

The principles for designing and organising a personal data processing procedure are embedded in the GDPR. In particular, the data controller must act in line with the principles set out in Article 5 GDPR: lawfulness, fairness, transparency, data minimisation, accuracy, integrity and confidentiality, purpose limitation, and storage limitation. These principles are equally important and must all be respected.

According to Article 25 GDPR, the concepts of privacy by design and privacy by default must also be integrated into the process from the planning stage.

In practice, the same input data may serve multiple purposes and thus be processed in multiple procedures. For example, when a contract is concluded (e.g. an online sales contract), the legal basis for processing the data is Article 6(1)(b) GDPR. However, the controller may also decide to use the same data for direct marketing based on legitimate interests (Article 6(1)(f) GDPR). This intention must be clearly communicated to the data subject via the information clause.

Processes Evolve Over Time

One of the key characteristics of data processing procedures is that they evolve. As an organisation grows, so too does the way it processes data – a fact often overlooked by controllers. Introducing new technologies, updating IT infrastructure, using new services, or even staff changes can significantly impact the way data is processed, even if the inputs and outputs remain the same.

Returning to the recruitment example – changing the way CVs are collected (e.g. switching from email submission to a cloud-based recruitment app) significantly alters the process and requires an update to the risk analysis or a DPIA. In some cases, such changes may also trigger the need to update the information clause.

The Role of the Information Clause

Managing personal data involves the obligation to inform data subjects about the processing activities. The minimum scope of such information is outlined in Articles 13 and 14 GDPR. The information clause functions as a kind of “processing profile” for the data subject – it should enable the individual to make an informed decision about whether to share their data and help them understand their rights and how to exercise them.

When Does the Information Obligation Need to Be Fulfilled Again?

As noted, any change in the processing procedure may affect the content of the information clause, and therefore trigger a renewed obligation to inform data subjects. Whether this is required must be evaluated in light of Articles 13 and 14 GDPR and the impact of the change on data subjects’ rights and freedoms.

For example, if a controller uses cloud software involving the transfer of data to a third country, such as the United States, and this is disclosed in the clause, a change of service provider within the same country does not automatically require a new clause. This is because:

  1. The GDPR does not require the controller to identify the exact recipients of the data – only to disclose the fact of the data transfer and the country involved.
  2. Such a change does not affect the rights and freedoms of the data subjects, provided both service providers apply the same level of data protection.

However, if the new provider is based in a different third country, then the information clause must be updated.

A different example – this time requiring an update – is when an organisation implements automated customer profiling software. In such a case, Articles 13 and 14 GDPR require that the data subject be informed about the profiling activity. The processing also has a significant impact on rights and freedoms, as the decision is based solely on algorithms without human involvement. What’s more, profiling triggers additional rights under Article 22 GDPR. Therefore, in this case, the controller is obliged to update the information clause.

Legal Basis:

  • Articles 5, 6, 13, 14, 15, 22 of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)
  • Article 22¹ of the Polish Labour Code (Act of 26 June 1974)