In the GDPR, “processing” basically means doing anything at all with personal data , from the moment you get it until the moment you delete it.

Core idea in one line

Under GDPR, “processing” is any operation performed on personal data, whether done by computers or by humans, online or offline.

The legal definition (plain English)

Article 4(2) GDPR defines processing as:

Any operation or set of operations performed on personal data, whether or not by automated means.

The law then gives a non‑exhaustive list of examples, meaning it’s illustrative , not complete.

Typical examples of processing include:

  • Collecting data (e.g., web forms, sign‑up sheets)
  • Recording and organising it in a system or file
  • Structuring it in a database or CRM
  • Storing it (servers, cloud, paper files in a locked cabinet)
  • Adapting or altering it (correcting a typo, updating an address)
  • Retrieving or consulting it (looking up a customer record)
  • Using it (sending emails, generating reports about individuals)
  • Disclosing it by transmission (emailing, APIs, sharing with vendors)
  • Disseminating or otherwise making it available (dashboards, portals)
  • Aligning or combining it with other data sets
  • Restricting it (putting a hold so it can’t be used)
  • Erasing or destroying it (deletion, shredding paper files)

If you touch personal data in almost any systematic way, you’re “processing” it under GDPR.

Why the definition is so broad

The definition is intentionally as broad as possible so that GDPR applies to the full life cycle of personal data.

That means:

  1. You can’t say “we’re only storing it, not really processing it” – storage is processing.
  1. Even just letting data “sit” on a server or in a filing cabinet counts as processing.
  1. Manual, paper‑based activities (e.g. printed HR files) also fall under processing if they’re part of a structured filing system.

An easy mental model:

If your activity wouldn’t exist without that personal data, it’s almost certainly processing.

What this means in practice (controllers and processors)

Because “processing” is so wide, many roles fall under GDPR obligations.

  • Data controllers decide why and how personal data is processed (e.g., a company deciding to run a newsletter). All of their operations on that data are processing.
  • Data processors act on behalf of controllers (e.g., cloud providers, email platforms, analytics tools). Their services almost always involve processing personal data.

Whenever a controller uses a third‑party service that handles personal data (email tool, hosting, CRM, etc.), that third party is processing data and must be covered by a data processing agreement (DPA) under Article 28 GDPR.

Quick example

Imagine an online store:

  1. A customer fills in a checkout form – you collect and record their details.
  2. You store that data in your order system.
  3. You use it to ship the product and share an address with a courier.
  4. You later combine order history to see returning customers.
  5. After some years, you delete inactive accounts.

Every step above is “processing” under GDPR.

Key takeaway

“Processing” in the context of GDPR is not just advanced analytics or automated profiling; it is almost any interaction with personal data , from collection all the way to deletion.

TL;DR: If you collect, store, view, use, share, organise, or delete personal data in any structured way, you are “processing” it under GDPR and must comply with GDPR rules.

Information gathered from public forums or data available on the internet and portrayed here.