Main Categories | Law | GDPR:Balancing Criteria

BC.05 Nature of Processing


Any risk assessment required under the GDPR must also take into account the "nature of processing". When determining which measures are appropriate to achieve the lawfulness of the processing, there are several weighting parameters. The "nature of processing" is one of them. In addition, other GDPR provisions for assessing the risk of data processing are also based on the "nature of processing":


Art. 23 II f: Any legislative measure that restricts the data subjects‘ rights, shall contain specific provisions like storage periods and safeguards taking into account the “nature of processing”.


Art. 24 I 1: The "nature of processing" is a criterion for assessing which measures ensure that the processing is carried out in accordance with the GDPR.


Art. 25 I: The "nature of processing" is a criterion for assessing which measures are necessary to ensure data protection by design.


Art. 27 II a: The “nature of processing” shall be taken into account when determining whether a controller or processor not established in the Union must designate a representative.


Art. 32 I: The "nature of processing" must be taken into account when considering what measures will ensure an appropriate level of data security.


Art. 35 I: Whether a data processing poses a high risk to the data subject and therefore requires a data protection impact assessment depends, among other things, on the "nature of processing".


Art. 37 I b: The "nature of processing" is a criterion to be taken into account when considering whether to appoint a data protection officer. (See also Rec. 97).


Art. 39 II: The data protection officer shall take into account the "nature of processing" in the performance of his/her duties. [see also § 7 III German Federal Data Protection Act: „have due account“]


Art. 83 II a: The "nature of processing" also plays a role as a criterion in the decision of a supervisory authority on the imposition of a fine and its amount.


§ 22 II BDSG (German Data Protection Act): The controller must take into account, among other things, the "nature of processing" in the measures he must take if he processes data on the basis of § 22 I BDSG in derogation of Art. 9 I GDPR.


§ 35 I 1 BDSG (German Data Protection Act):  In the case of non-automated data processing, the data subject's right to erasure pursuant to Art. 17 I GDPR does not exist if erasure is not possible or only possible with a relatively high effort due to the "special nature of storage" and the data subject's interest in erasure is to be regarded as low.

Winfried Veil
Related Tiles (0)
Social Media
Last update: 2021-05-22 14:23:46
By: Winfried Veil
Created at: 2021-05-12 21:06:52