5 examples of GDPR processing activities

Apr 17, 2025

The General Data Protection Regulation (GDPR), enacted by the European Union in May 2018, has transformed how organizations handle personal data. It sets strict guidelines for the processing of personal data, ensuring individuals’ privacy rights are protected while allowing businesses to operate within a clear legal framework. Understanding what constitutes a “processing activity” under GDPR is critical for organizations to ensure compliance and avoid hefty fines. In this article, we explore five real-world examples of GDPR processing activities, detailing their implications, legal requirements, and best practices for compliance. This comprehensive guide, spanning approximately 2500 words, aims to provide clarity for businesses, data protection officers, and individuals alike.

Introduction to GDPR and Processing Activities

The GDPR defines “processing” as any operation or set of operations performed on personal data, whether automated or manual, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction (Article 4(2)). Essentially, any action involving personal data falls under the scope of processing.

Processing activities are at the heart of GDPR compliance. Organizations must identify and document all processing activities, ensure they have a lawful basis for processing, and implement appropriate safeguards. Non-compliance can lead to fines of up to €20 million or 4% of annual global turnover, whichever is higher. To illustrate how processing activities manifest in practice, we will examine five distinct examples: customer relationship management (CRM) systems, employee data processing, online behavioral advertising, health data processing in hospitals, and CCTV surveillance.

Each example will cover the nature of the processing activity, the lawful basis for processing, key compliance requirements, and practical steps organizations can take to align with GDPR. By exploring these scenarios, we aim to provide actionable insights for organizations navigating the complexities of data protection.

1. Customer Relationship Management (CRM) Systems

Overview

Customer Relationship Management (CRM) systems, such as Salesforce, HubSpot, or Zoho, are widely used by businesses to manage customer interactions, track sales, and deliver personalized services. These systems collect and process personal data, including names, email addresses, phone numbers, purchase histories, and preferences, making them a prime example of a GDPR processing activity.

Processing Activities

The processing activities in a CRM system include:

  • Collection: Gathering customer data through forms, website interactions, or direct input.

  • Storage: Storing customer profiles in a centralized database.

  • Use: Analyzing data to segment customers, generate leads, or personalize marketing campaigns.

  • Disclosure: Sharing data with third-party tools (e.g., email marketing platforms) for campaign execution.

  • Erasure: Deleting data when a customer requests it or when it is no longer needed.

Lawful Basis

The lawful basis for processing in a CRM system typically includes:

  • Consent (Article 6(1)(a)): For marketing communications, customers must explicitly opt-in, with the option to withdraw consent at any time.

  • Contract (Article 6(1)(b)): Processing is necessary to fulfill a contract, such as delivering a purchased product.

  • Legitimate Interests (Article 6(1)(f)): For activities like customer support or fraud prevention, provided the organization’s interests do not override the individual’s rights.

Compliance Requirements

To comply with GDPR, organizations using CRM systems must:

  • Obtain Consent: Ensure marketing-related processing is based on clear, informed, and specific consent. Consent forms should be granular, allowing users to opt-in to specific activities (e.g., email newsletters vs. targeted ads).

  • Provide Transparency: Include a privacy notice at the point of data collection, explaining what data is collected, why, and how it will be used.

  • Enable Data Subject Rights: Facilitate requests for access, rectification, erasure, or data portability. For example, a customer may request a copy of all data stored in the CRM.

  • Secure Data: Implement technical measures like encryption and access controls to protect customer data from breaches.

  • Conduct Data Protection Impact Assessments (DPIAs): For large-scale processing, DPIAs are required to identify and mitigate risks.

Best Practices

  • Use double opt-in mechanisms for email marketing to ensure robust consent.

  • Regularly audit CRM data to remove outdated or unnecessary records.

  • Train staff on GDPR compliance to prevent accidental misuse of customer data.

  • Vet third-party processors (e.g., cloud providers) to ensure they comply with GDPR.

Real-World Example

A retail company using Salesforce to manage customer data must ensure that its email campaigns are based on explicit consent. If a customer unsubscribes, the company must promptly update the CRM to reflect this choice and cease marketing communications. Failure to do so could result in a GDPR violation.

2. Employee Data Processing

Overview

Organizations process personal data of employees for payroll, performance management, and compliance with labor laws. This includes sensitive data such as names, addresses, bank details, social security numbers, and health information, making employee data processing a critical GDPR activity.

Processing Activities

Key processing activities include:

  • Collection: Gathering data during recruitment (e.g., CVs, references) or onboarding (e.g., contracts, ID documents).

  • Storage: Maintaining employee records in HR systems like BambooHR or Workday.

  • Use: Processing data for payroll, benefits administration, or performance reviews.

  • Disclosure: Sharing data with third parties, such as tax authorities or pension providers.

  • Erasure: Deleting data after an employee leaves, subject to retention periods required by law.

Lawful Basis

The lawful bases for employee data processing are:

  • Contract (Article 6(1)(b)): Processing is necessary to fulfill employment contracts, such as paying salaries.

  • Legal Obligation (Article 6(1)(c)): Processing is required to comply with tax or labor laws.

  • Legitimate Interests (Article 6(1)(f)): For activities like monitoring workplace safety, provided they are proportionate.

Processing sensitive data (e.g., health records) requires additional conditions under Article 9, such as explicit consent or necessity for occupational health.

Compliance Requirements

To comply with GDPR, organizations must:

  • Limit Data Collection: Collect only the data necessary for employment purposes. For example, avoid requesting irrelevant personal details during recruitment.

  • Secure Storage: Use encrypted HR systems and restrict access to authorized personnel.

  • Inform Employees: Provide a privacy notice explaining how employee data is processed and their rights under GDPR.

  • Handle Data Breaches: Notify the relevant data protection authority (e.g., ICO in the UK) within 72 hours of a breach.

  • Respect Retention Periods: Retain data only for as long as required by law (e.g., tax records for seven years) and securely delete it afterward.

Best Practices

  • Implement role-based access controls to limit who can view sensitive employee data.

  • Conduct regular GDPR training for HR staff.

  • Use anonymized data for analytics, such as workforce planning, to minimize privacy risks.

  • Establish clear policies for handling employee data requests, such as access or erasure.

Real-World Example

A multinational company using Workday to manage employee data must ensure that health records (e.g., sick leave documentation) are processed only with explicit consent or under a legal obligation. If an employee requests erasure of their data after leaving, the company must balance this request against legal retention requirements.

3. Online Behavioral Advertising

Overview

Online behavioral advertising involves tracking users’ online activities to deliver targeted ads. Companies like Google and Meta collect data on browsing habits, search queries, and social media interactions, making this a high-risk GDPR processing activity due to its scale and intrusiveness.

Processing Activities

Processing activities include:

  • Collection: Gathering data via cookies, pixels, or device identifiers.

  • Profiling: Creating user profiles based on interests, demographics, or behavior.

  • Use: Serving personalized ads based on profiles.

  • Disclosure: Sharing data with ad networks or partners.

  • Storage: Retaining data for future ad targeting or analytics.

Lawful Basis

The primary lawful basis is:

  • Consent (Article 6(1)(a)): Users must explicitly agree to tracking via cookie banners or consent management platforms. Consent must be freely given, specific, informed, and unambiguous.

  • Legitimate Interests (Article 6(1)(f)): May apply for non-intrusive processing, but consent is typically required for profiling.

Compliance Requirements

GDPR imposes strict requirements for online advertising:

  • Transparent Consent: Cookie banners must clearly explain what data is collected and allow users to opt-out of non-essential cookies.

  • Granular Choices: Users should be able to consent to specific purposes (e.g., analytics vs. ad targeting).

  • Data Minimization: Collect only the data necessary for ad delivery.

  • Third-Party Agreements: Sign data processing agreements (DPAs) with ad partners to ensure GDPR compliance.

  • Right to Object: Users can object to profiling, and organizations must stop processing their data for advertising purposes.

Best Practices

  • Use consent management platforms (e.g., OneTrust) to streamline compliance.

  • Regularly review cookie policies to ensure they reflect current practices.

  • Limit data retention periods for advertising data (e.g., 13 months for Google Analytics).

  • Provide an easy-to-use opt-out mechanism for users.

Real-World Example

A news website using Google AdSense must display a cookie banner that allows users to opt-out of personalized ads. If a user declines consent, the website must serve non-targeted ads and refrain from sharing their data with Google’s ad network.

4. Health Data Processing in Hospitals

Overview

Hospitals process sensitive personal data, including medical records, diagnoses, and treatment plans. This is a special category of data under GDPR (Article 9), requiring heightened protections due to its sensitive nature.

Processing Activities

Key activities include:

  • Collection: Recording patient information during consultations or admissions.

  • Storage: Maintaining electronic health records (EHRs) in systems like Epic or Cerner.

  • Use: Analyzing data for diagnosis, treatment, or research.

  • Disclosure: Sharing data with other healthcare providers or insurers.

  • Erasure: Deleting data after legal retention periods (e.g., 20 years for medical records).

Lawful Basis

Lawful bases include:

  • Explicit Consent (Article 9(2)(a)): For non-essential processing, such as sharing data for research.

  • Vital Interests (Article 9(2)(c)): For life-saving treatments when consent cannot be obtained.

  • Healthcare Provision (Article 9(2)(h)): For processing necessary to provide medical care.

Compliance Requirements

Hospitals must:

  • Secure Data: Use robust encryption and access controls to protect EHRs.

  • Conduct DPIAs: Assess risks for large-scale health data processing.

  • Inform Patients: Provide clear privacy notices about data use.

  • Enable Rights: Facilitate patient requests for access or rectification of medical records.

  • Appoint a DPO: A Data Protection Officer is mandatory for large-scale health data processing.

Best Practices

  • Use pseudonymization to reduce risks when sharing data for research.

  • Regularly train healthcare staff on GDPR and data security.

  • Implement audit trails to track access to patient records.

  • Establish clear protocols for data sharing with third parties.

Real-World Example

A hospital using an EHR system must ensure that only authorized staff access patient records. If a patient requests a copy of their medical history, the hospital must provide it in a structured, machine-readable format (e.g., PDF or XML).

5. CCTV Surveillance

Overview

CCTV systems are used for security in workplaces, retail stores, and public spaces. They process personal data by recording images or videos of individuals, making this a GDPR-regulated activity.

Processing Activities

Activities include:

  • Collection: Capturing footage via cameras.

  • Storage: Storing recordings on servers or cloud platforms.

  • Use: Reviewing footage for security incidents or investigations.

  • Disclosure: Sharing footage with law enforcement if required.

  • Erasure: Deleting footage after a retention period (e.g., 30 days).

Lawful Basis

The lawful basis is typically:

  • Legitimate Interests (Article 6(1)(f)): For ensuring safety and security, provided it is proportionate.

  • Legal Obligation (Article 6(1)(c)): When footage is required by law enforcement.

Compliance Requirements

GDPR requirements include:

  • Transparency: Display signs informing individuals of CCTV surveillance.

  • Proportionality: Use CCTV only where necessary and avoid excessive monitoring (e.g., in private areas like restrooms).

  • Secure Storage: Protect footage from unauthorized access.

  • Limit Retention: Retain footage only for as long as necessary (e.g., 30 days unless required for an investigation).

  • Enable Rights: Allow individuals to access footage featuring them, subject to third-party privacy considerations.

Best Practices

  • Conduct a DPIA to assess the impact of CCTV on privacy.

  • Use privacy-enhancing technologies, such as blurring faces in non-critical areas.

  • Restrict access to footage to authorized personnel.

  • Regularly review CCTV policies to ensure compliance.

Real-World Example

A retail store using CCTV must display signs stating “CCTV in Operation” and limit recordings to public areas like entrances and cash registers. If a customer requests footage of an incident, the store must provide it while protecting the privacy of other individuals in the footage.

Conclusion

The five examples—CRM systems, employee data processing, online behavioral advertising, health data processing, and CCTV surveillance—illustrate the diverse nature of GDPR processing activities. Each involves unique challenges and compliance requirements, but they share common principles: transparency, data minimization, security, and respect for data subject rights.

To ensure GDPR compliance, organizations should:

  1. Map Processing Activities: Maintain a record of all processing activities as required by Article 30.

  2. Identify Lawful Bases: Clearly document the lawful basis for each activity.

  3. Implement Safeguards: Use technical and organizational measures to protect data.

  4. Train Staff: Ensure employees understand GDPR obligations.

  5. Engage a DPO: Appoint a Data Protection Officer for high-risk processing.

By understanding and addressing these processing activities, organizations can not only avoid penalties but also build trust with customers, employees, and stakeholders. GDPR compliance is an ongoing journey, requiring vigilance and adaptation to evolving data protection standards.