What does data collection mean in the context of GDPR? One of the most important terms in data processing

Data processing begins as soon as personal data is collected. Data collection is the earliest possible activity of processing. From this alone, a responsibility under the GDPR can already arise, along with numerous obligations. Only those who collect data can be responsible. But what does collecting data mean?

Why is data collection an important term?

Collecting data is equivalent to processing data. Only those who process personal data or initiate processing by others can be held responsible (and often are, when purpose and means are determined).

Whoever is responsible in the sense of the GDPR must comply with the regulations of the GDPR. Therefore, it is particularly important to know what collecting data (German: Erheben von Daten) means. The text of the General Data Protection Regulation does not define this.

I introduce the following terms to explain what is meant by data collection:

  • Address
  • Container (in the sense of mailbox or buffer)
  • Collecting
  • Offer

You might be surprised by some of these terms in the context of data collection. In particular the term container, which I introduce here, should be new in data protection circles, if one excludes document destruction. The other terms do not appear (or appear only in a very limited way) in the text of the GDPR. The term mailbox may be easier to understand, although it is too concrete and thus vague.

This article is concerned with information that has been brought to a responsible person, rather than information that a responsible person has obtained themselves.

Delimitation of scope.

Furthermore, a distinction is made in the following between Data Collection and Responsibility. Data collection itself is not yet a critical data protection issue, but it will probably become one when responsibility arises. Responsibility again can only exist if data collection took place. Not being responsible for any data collection is equivalent to having no responsibility.

Introduction

Article 4 No. 2 of the GDPR defines data processing as follows: processing of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, such as

collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Definition of the term data processing according to Article 4, paragraph 2 GDPR.

In the English legal text, the word collection (from to collect) is used for the German Erheben.

The legal text contains no definition of the term collection. Therefore I had to write this article to provide clarity.

This article considers only collections of personal data in the non-private sector that either take place automatically or semi-automatically, or are stored in a filing system or are to be stored there. This corresponds to the scope of application of the GDPR as regulated in Art. 2 GDPR, excluding the exceptions mentioned in paragraph 2.

Data collection is the first processing activity

It is noticeable that the activities which constitute processing are listed in an ordered sequence. The ordering is that the first-mentioned activity, collection, is the earliest possible processing activity in time, and all further processing operations follow later.

The last three activities mentioned in the legal text (restriction, erasure and destruction) I exclude from the following discussion because they are destructive activities that are evaluated more positively from a data protection law perspective, as they reduce or eliminate liability.

The activities that data processing entails according to Article 4 No. 2 are in ascending chronological order, namely in the sequence given in the legal text:

  1. Collection; only then can
  2. recording follow; after that,
  3. organisation is possible, and equally
  4. structuring; then (or also without organisation or structuring)
  5. storage is possible; thereafter (or alternatively before storage)
  6. adaptation or alteration; but only after storage,
  7. retrieval or
  8. consultation. With or without storage follows the possibility of
  9. use or
  10. disclosure by transmission, dissemination or otherwise making available, as well as
  11. alignment or combination.

This order is therefore no accident and cannot be an accident since there are 11! (11 factorial) possibilities of arranging this list. 11! = 11 * 10 * 9 * 8 * 7 * 6 * 5 * 4 * 3 * 2 * 1 = 39,916,800, so just under 40 million. Even if two of the eleven term pairs are considered equal in value, the number of possibilities is over 300,000. The probability that the list came together by chance would therefore be 1/362,880 = 0.0000028.

The Article 29 Working Party has also clarified, in Opinion 3/2013, that collection is the first data processing activity.

The legislator has therefore clearly and without any doubt placed collection at the beginning of data processing. This is also evident from the title of Article 13 GDPR: "Information to be provided where personal data are collected from the data subject".

Whoever collects data processes data. Data collection is the earliest possible data processing operation!

Conclusion from Article 4, Section 2 of the GDPR.

Data collection takes place before data recording, as the law says. According to the Duden dictionary, the German verb erheben means to gather together (zusammentragen) or to collect, which can also be inferred from the English legal text (to collect).

The German word zusammentragen sounds a bit strange at first. After some thought, I managed to decipher and substantiate the term.

Collecting data requires a recipient address.

My understanding of the definition of data collection.

Data collection can only take place if an address is named to which a person can send a message. Surprisingly, the concept of collecting can be derived from the address! As shown, the address does not even have to be that of the actual recipient, but can be any recipient's address.

The collection of data therefore comes after receipt and before recording.

An address implies a container. This seems even more astonishing. I am satisfied with this insight, all the more so since this kind of derivation is nowhere to be found.

A container is referred to in English, but also in computer science, as Box or Collection. The programming language Java knows the concept of Collection and Containers as well.

Examples of addresses with indication of the corresponding container are:

  • Postal address: mailbox
  • Email address: mailbox (more precisely: mail server inbox)
  • IP address when a website is called: the server's main memory
  • Personal conversation: mind of the person addressed (memory)
  • Phone number/phone call: ditto
  • Phone number/answering machine: "tape" recording (nowadays mostly digital)

An address is a container that can be accessed through a unique designation, whose contents can be revealed to a recipient.

My definition of address in the context of GDPR.

A dead mailbox, which (for whatever reason) objectively cannot be emptied by anyone, is not an address in this sense. The possibility of obtaining knowledge of messages does not exist here. In computer science there is the null device as a "virtual output device", "which discards everything that is written to it" (Source: Wikipedia, whose statement I can confirm as a computer scientist). The null device is also referred to as the NUL target and is not an address in the sense of the GDPR, because it is almost impossible to obtain knowledge of received messages.

A special case is an address with a container that can only accept one message at a time. If the container is not emptied in time, messages are lost. This is also conceivable for any container with a higher message capacity. The problem of a full e-mail inbox that cannot take any further messages until it has been emptied is certainly known from practice. Further receipt is thus not possible, because receiving alone was already impossible.

The concept of collecting (in a container) initially means only interim storage, not storage or permanent storage. That permanent storage is possible in some containers does not contradict this (example: email inbox).

Data collection is the possible receipt of a message by a recipient that was sent to an address.

My definition of data collection; Article 2(1) of the GDPR must apply.

Data collection therefore means the possibility of taking note of a message that was sent to an address. The actual taking note can also be automated (this is also stated in Art. 4 No. 2 GDPR), for example by a server that provides a website. The taking note is done by a recipient. The data processing must take place in accordance with Art. 2(1) GDPR.

The possible receipt is captured in the GDPR by the term recipient, which is defined in Art. 4 No. 9. A recipient is therefore a natural or legal person to whom personal data are disclosed.

Difference from receiving data

Collecting data is a later process than receiving data. A synonym for receive is get (obtain). Delivery in the postal sense has occurred when a message has arrived correctly at a correct address and has thus been properly received.

A mailbox receives messages. These are considered received at the moment they are in the mailbox, and collected at the moment of proper removal from the mailbox. If the mailbox is full, neither receiving nor collecting the message would be possible (leaving aside that a mailman could deliver the letter personally etc.). If a letter goes to an incorrect address, perhaps due to a mistake by the mailman, the owner of the mailbox has received the message but not collected it.

A mailbox whose contents are only processed manually, or not stored in a filing system, is outside of consideration. See Art. 2(1) GDPR. Some companies use scanners to automatically process any mail. In this case, the content of the mailbox of these companies falls within the scope of the GDPR. Using data in an email or sending it via email is also equivalent to automated storage in a filing system.

A registered letter makes the receipt or collection legally binding, provided that the message was delivered to the correct address in proper condition and the recipient could actually have known about the message. The delivery date is considered to be the date fixed by the post office for registered mail, when the letter was inserted into the recipient's mailbox (or, in some cases, handed over to the recipient personally, which would go one step further). If a properly delivered registered letter is taken directly from the mailbox afterwards and is proven to have been stolen through no fault of the recipient, there is ultimately no data collection at the recipient, because they could not have had actual knowledge of the message.

The notice of delivery makes clear that an intended recipient has a duty. Such a recipient is practically obliged to empty their mailbox regularly (if this is reasonable, I would say). Whoever receives a warning cannot, at the end of the deadline, simply rely on the fact that they have not emptied the mailbox for seven days because the weather was bad. This obligation does not come from the GDPR, but rather from other legal regulations, which I have not been able to find so far and which apparently do not exist explicitly. Legal interpretations from judgments and statements by lawyers suggest this duty.

Becoming aware of a message

Only when a message is taken out of the mailbox does it become known. This is immediately clear when the recipient empties a mailbox. In containers like the brain, this process occurs implicitly.

A container serves for collecting objects.

My definition of the container concept. In the context of data protection, the objects are data.

In containers (in the technical sense) such as the main memory of a server for a website, the process of becoming aware of a message takes place implicitly, but explicitly from a technical point of view (the server was programmed accordingly). A server with only one incoming network connection can only process one signal at a time. Processing usually takes longer than delivery. So that no signal (= message or request) is lost, a server buffers incoming signals until it can process them. A buffer is a container.

If a server is overloaded and must therefore reject a request, actual knowledge of it was in fact not possible. This assumes, however, that the request could not even be accepted for technical reasons, i.e. it failed because of hardware limitations and was not first blocked by software.

Who is responsible according to GDPR?

Just collecting data isn't enough. You also have to be responsible for collecting it so that obligations arise from it.

The controller under the GDPR (Art. 4 No. 7) is whoever "alone or together with others decides on the purposes and means of processing personal data". Whoever collects personal data for a given purpose and with predetermined means is, in particular, responsible under the GDPR and must provide information to the affected person in accordance with Art. 13 GDPR.

The term purpose (Zweck) could also be described by the term offer (Angebot). The term offer is to be understood in the broadest sense, and I chose it here because purpose is a rather abstract term. An offer can be an information offer, a service and so on.

A responsibility arises only on the basis of an offer.

My finding (for actual responsibility further conditions must occur)

Without an offer, no responsibility arises. If someone sends you their medical records uninvited and they end up in your hands, there is (probably) a data collection taking place at your end, but you are not responsible for it.

But if you are a doctor and ask a patient to send you the findings of their hospital stay, your practice collects data as soon as your practice receives the patient's findings and these can reach a person in your practice.

If responsibility were possible without an offer, everyone could make a third party responsible against their will.

Responsibility for data collected but not brought to awareness

If someone has collected data but not yet gained knowledge of the data, the question of factual responsibility arises. If someone has received a letter in their mailbox because of their offer and this letter reaches third parties without the recipient gaining knowledge of its content, are they responsible for it? It depends. I assume that here the duty of care and other legal obligations play a role. If someone does not close their mailbox, I believe they are responsible under data protection law if third parties take the contents of the mailbox without authorization.

Data that did not come to the knowledge of the responsible person or of others, but were collected by the responsible person without knowledge, initially cause no problems, but do create obligations. A data owner can at least demand deletion, which must then be carried out in such a way that the responsible person must obtain knowledge of the collected data in order to delete them properly afterwards, without endangering other data.

I think the same applies, as with data not taken note of, to data that one stores permanently but does not process or pass on to third parties. This creates no problem, but an obligation, for example a duty of care. A deletion request could then be implemented with a shorter procedure than in the previous case, because knowledge has already been obtained.

Whoever instructs a third party to distribute data that has been collected but not taken note of is also responsible for it.

Data that cannot be automated and not recorded in a filing system is not just knowledge; the question arises whether actual knowledge was possible and, if so, whether automated processing or storage in a filing system was intended. If this was intended, I say that data collection also occurs without knowledge being obtained.

Example for data collection: website

A website is an offer that determines its purpose through its content. It is made available by means of the Internet and other technical circumstances (HTML etc.). In Art. 8(1) GDPR, the term "offer" is incidentally mentioned (and for the first time) in relation to the provision of electronic services, which applies to websites.

A website is understood here as a publicly accessible internet presence. A password-protected presence is a different case. The password protection must actually take place directly at server level for the presence not to count as a publicly accessible website. This can be achieved by a directive in the so-called .htaccess file.

The IP address is a personal data item. With each call of a website, due to the Internet standard TCP (Transmission Control Protocol), the IP address of the caller is transmitted to the server that provides the website. In this regard, the GDPR applies to every publicly accessible website.

This gives rise to a responsibility according to Art. 4 No. 7 GDPR, because

  1. A data collection is taking place (see above)
  2. Personal data are collected (namely at least IP addresses)
  3. The purpose is given (offer via the content of the website)
  4. The means are determined (internet etc.)

Every publicly accessible website that serves a purpose requires a data protection statement

Reason: There is a responsibility according to Article 4, paragraph 7 of the GDPR for such websites

Therefore, every publicly accessible website must display a data protection declaration. The only possible exception could be a website that does not represent an offer, for example one that is completely empty of any content. But even the entry page of an available web address, which often offers the address of the currently visited website for sale in a few words, is obviously an offer. A business card on the web is also an offer. If it were not, why is it there? In particular, a website that is otherwise empty but has an imprint is considered an offer, unless the imprint was deliberately displayed out of excessive caution. Either the imprint has been displayed according to § 5 TMG, then a commercial offer is present. Or the imprint has been displayed according to § 18 MStV. Then an information offer is present. Or both (this is the most common case).

Example for data collection: Email communication

Several cases must be distinguished, for example:

  1. Email address in the imprint of a website: You offer that one can write to you (in this case, because you are legally obliged to do so according to § 5 TMG or § 18 MStV). Someone uses this for a general inquiry by email, and not out of legal considerations
  2. General contact form: You offer one on your website. Someone uses this for a general inquiry. In the background, an email is sent to you
  3. Providing your e-mail address as a contact option in case of consulting needs: You offer that someone writes to you. Someone uses this because they want to accept your consulting offer
  4. Contact form for consultation needs: You offer one on your website. Someone uses this because they want to take advantage of your consulting offer. In the background, an email is sent to you
  5. Someone has called you. You ask them to send you something by email to the address given on your website, for example their contact details, so that you can send the caller an offer by email

In all cases there is a data collection taking place. Cases 1 and 2, however, do not represent an (apparent) offer because no specific purpose is pursued (in legal disputes that have arisen through an imprint contact, this may be different). Cases 3 to 5, on the other hand, represent an offer with a specific purpose.

No obligation arises from mere data collection!

The obligation arises only when further conditions are met

From a data collection itself no obligation arises. Rather, you must be responsible for the data collection so that obligations arise for you according to the GDPR.

In relation to the above cases of e-mail communication, this means specifically:

  • Case 1, providing an e-mail address for general contact purposes, has no specific purpose. Liability does not arise from an unsolicited mail received through this channel. It would be analogous if someone took your email (or postal) address from a directory or phone book and contacted you
  • Case 2, the general contact form (without selection or predetermination of a matter), has no specific purpose. Liability does not arise from an unsolicited message received via this (by mail or otherwise)
  • In case 3, providing an email address for the purpose of offering advice (advice offer) means the creation of a responsibility
  • Case 4, providing a contact form in order to offer advice, means taking on responsibility
  • Case 5, asking someone to send you personal information, means taking on responsibility. You're offering to take care of something here.

In cases 1 and 2 you determine the means but not the purpose. In cases 3 to 5 you determine the means and the purpose and are therefore responsible. For the contact form, a case-by-case consideration is regularly necessary to clarify whether there actually is an offer or the equivalent of stating an e-mail address for general contact (best without ostensibly commercial interests). This, however, is not a data protection question but a different one.

If someone receives personal data without being asked for it, they should exclude possible liability by deleting these data. For example, a data breach might otherwise cause additional problems (whether this is so must be checked on a case-by-case basis).

A responsible person is or was a recipient

Only those who are or have been recipients of data, or who have prompted a third party to receive data, can become responsible parties. Logical evidence for this can be found in recitals 31, 61 and 68 GDPR as well as in Art. 14(3)(c) GDPR.

Only those who have been or are recipients of data or have later caused others to receive it can become responsible.

Logical conclusion from the legislative text of the GDPR

The presence of a recipient role with the responsible person, or at the request of the responsible person, can also be justified by the fact that collecting data (to collect) is only possible if there are data to be collected. These data do not fall from the sky and are not obtained by combining other data when collecting, as clearly stated in Art. 4 No. 2 GDPR on data processing. Even the statements in the GDPR on transmitting personal data to third countries without an adequate level of protection show that a transmission is necessary so that a data processing operation can begin and liability can arise. A transmission, in turn, requires a recipient.

The CJEU has clarified in its judgment of 16 July 2020 (Case C-311/18, para. 83) that "the transmission of personal data from one Member State to a third country as such constitutes a processing of personal data within the meaning of Article 4(2) of the GDPR".

Initiation of a receipt by a responsible person

Your family doctor asks you to send your X-ray images that you received in the clinic. He gives you a wrong address, to which you then send your data. Your doctor is not the recipient of the data, but has arranged for someone else to receive it on his behalf. He is responsible for the collection of the data (by the other person).

A responsibility can also arise without contact with the affected person: Someone advertises his services on a poster. The poster invites data to be sent in. The recipient's address was incorrectly stated, but it is an address of a third party. The person responsible for the poster will be held responsible for the data collected by another recipient without having previously contacted the affected person. The person responsible does not even know the data of the affected person and may never learn them.

In this article cases like these are usually omitted for simplicity's sake. For brevity, only the recipient of data is spoken of. However, it makes a difference with external links, which will be dealt with in more detail later on.

Shared Responsibility

If someone receives data because another person has forwarded them, this can lead to a shared responsibility. This is, inter alia, evident from the ECJ judgment of 29 July 2019 – C-40/17 ("Fashion ID"). The ECJ judgment deals with the Facebook plugin. To technically embed a plugin on a website means that (initially) both the operator of the website and Facebook (can) receive the same data from users. Only when a user clicks on a link or button provided by the plugin, which leads to Facebook, can Facebook collect further data that is causally related to the original data collection.

What effects the knowledge of a responsible person regarding data processing by a third party, to whom the responsible person forwards data, has was discussed by the ECJ in the Fashion ID judgment (see there, para. 77). What is apparently meant is: If someone embeds a plugin on their website and knows that the traffic data (at least the IP address) of the website visitor is evaluated by the plugin provider, they are responsible for this. This can be assumed in particular if the data recipient is an internet company whose business model is based on exploiting data.

A recipient may therefore have to be understood as a group of actors, if a responsible person forwards data to another responsible person.

Before that, however, Facebook can match data that Facebook previously received from the user with new data. According to the ECJ judgment, this matching is done solely under the responsibility of Facebook (because Facebook alone receives a part of the matched data). This type of data processing, which is carried out by Facebook and without direct instruction by the website operator, is also something only Facebook has to answer for, as the ECJ clarified (e.g. para. 85 of the judgment). However, this may only be true if the website operator does not consciously benefit from this comparison.

At some point, data must have been received for a responsibility to arise. If several companies are listed as jointly responsible on a website, it is enough that one of these responsible parties has received data for the others who were named together with it to be (jointly) responsible for this as well. Here, therefore, there may be no actual but a logical data reception. At least, a group of jointly responsible parties has (together) received data. A receipt by one in the group means almost simultaneously a receipt by all in the group when clarifying the question of responsibility in the external relationship.

The group of jointly responsible individuals is outwardly a unit from which one can pick out either one or all. This applies at least to warnings, as far as I know. In the internal relationship it may be relevant for clarifying a question of guilt among the members of the group to know who (as the only one) in the group of those responsible actually received or collected the data, so that an internal reckoning with guilt can take place, which does not interest a person outside the group.

Does a responsibility arise when incorporating external images?

When a website embeds an image from a third-party address, personal data of the website visitor is transmitted to the third party at the instigation of the website operator.

The website operator (or the person responsible for the website, who is usually the same) is therefore responsible for embedding the external image. This concerns only ordinary, static images of a third party, not tracking pixels etc. The third party also knows nothing about their good fortune and offers no service when the image is embedded.

The person responsible for integrating the external image must either present a data processing agreement (AVV) with the third party or is liable in accordance with Art. 5(1)(c) GDPR (principle of data minimisation). There is no justification for embedding an external static image that would make local integration impossible or unreasonable.

Images should therefore always be locally embedded. In any case, copyright must be checked.
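A check for the situation described above, as an added example that is not part of the original article: this Python script lists the images a page would load from hosts other than its own, so that they can be replaced by locally hosted copies. The function names, the sample HTML and all host names are constructed for illustration; only exact host matches (plus hosts passed in explicitly) are treated as local.

```python
"""Added example: find images that a page loads from third-party hosts."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def srcset_urls(srcset):
    """Return the URLs of a srcset value ("a.jpg 1x, b.jpg 2x")."""
    urls, pos, n = [], 0, len(srcset)
    while pos < n:
        # Skip whitespace and commas between image candidates.
        while pos < n and (srcset[pos].isspace() or srcset[pos] == ","):
            pos += 1
        start = pos
        while pos < n and not srcset[pos].isspace():
            pos += 1
        token = srcset[start:pos]
        if token.rstrip(","):
            urls.append(token.rstrip(","))
        if token.endswith(","):
            continue  # candidate had no descriptor, next URL follows
        # Skip the descriptor ("2x", "640w") up to the separating comma.
        while pos < n and srcset[pos] != ",":
            pos += 1
    return urls


class ImageSourceCollector(HTMLParser):
    """Collects every URL the browser may request as an image."""

    def __init__(self):
        super().__init__()
        self.base_href = None
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base_href is None:
            self.base_href = a["href"]
        elif tag == "img":
            if a.get("src"):
                self.urls.append(a["src"])
            self.urls.extend(srcset_urls(a.get("srcset") or ""))
        elif tag == "source":  # <picture><source srcset="...">
            self.urls.extend(srcset_urls(a.get("srcset") or ""))
        elif tag == "video" and a.get("poster"):
            self.urls.append(a["poster"])
        elif tag == "link" and "icon" in (a.get("rel") or "").lower().split():
            if a.get("href"):
                self.urls.append(a["href"])


def third_party_images(html, page_url, first_party_hosts=()):
    """Map each foreign host to the image URLs the page loads from it."""
    collector = ImageSourceCollector()
    collector.feed(html)
    base = urljoin(page_url, collector.base_href or "")
    own = {urlsplit(page_url).hostname} | {h.lower() for h in first_party_hosts}
    findings = {}
    for raw in collector.urls:
        absolute = urljoin(base, raw.strip())
        parts = urlsplit(absolute)
        if parts.scheme not in ("http", "https"):
            continue  # data: and similar URLs trigger no request to another host
        if parts.hostname and parts.hostname not in own:
            findings.setdefault(parts.hostname, []).append(absolute)
    return findings


# Constructed sample page; all hosts use reserved example names.
PAGE_URL = "https://www.example.org/blog/post.html"
SAMPLE_HTML = """<!doctype html>
<html><head><link rel="icon" href="/favicon.ico"></head><body>
<img src="/img/logo.png" alt="local">
<img src="https://images.partner.example/banner.jpg" alt="external">
<img src="//cdn.example.net/photo.jpg"
     srcset="photo-1x.jpg 1x, https://cdn.example.net/photo-2x.jpg 2x">
<picture>
  <source srcset="https://static.thirdparty.example/hero.webp">
  <img src="hero.jpg">
</picture>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="inline">
</body></html>"""

if __name__ == "__main__":
    for host, urls in sorted(third_party_images(SAMPLE_HTML, PAGE_URL).items()):
        print(host)
        for url in urls:
            print("   ", url)
```

Images inserted by JavaScript or referenced from CSS are not visible to this static check and need a look at the browser's network log.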

Does a responsibility arise when setting external links?

Is a link provider, i.e., someone who places a link on their website to a third-party website, liable under data protection law for this link?

First it must be noted that, in a technical sense, no data transmission from the link provider to the link target occurs. The transmission occurs in the user's browser, at the user's instigation, because the user has clicked on the link themselves. The case where a link "must" be clicked, for example because it is part of an ordering process, is left out here for simplicity.

The link provider, however, does not receive in their container (mailbox) the data that arise when a link is clicked. They therefore do not collect data based on a click on a link. Excluded from this is the case where a link provider does have the possibility of tracking clicks on links, for example using Google Analytics or their own JavaScript logic. This case would raise other questions that are less about external links than about tracking users (cf. Art. 5(1)(c) GDPR or § 15(3) TMG).

The provider determines the purposes and means of the external link. The provider arranges for the receipt of personal data at the linked site. Therefore, the provider is responsible.

When the link is clicked, the link target receives only technically necessary data, which the link provider supplies by way of a person. This assumes that the link provider has no business or contractual relationship with the link target and does not know the responsible party behind the link target.

The link target is likewise responsible for its own data collection; under the above assumptions there is no joint responsibility. The ECJ also established this in the aforementioned Fashion ID judgment.

The link provider is therefore responsible, but ultimately accountable for nothing. Zero multiplied by responsibility equals zero. In this sense, there may be a theoretical, but no practical accountability on the part of the link provider.

The situation may be different for clicks on links that imply a data transfer to an insecure third country. Here, Art. 44 GDPR plays a role, which has become particularly relevant since the Privacy Shield judgment ("Schrems II"). I assume that the user has consented to potential risks by clicking on an external link recognizable as such, if they had been informed about those risks beforehand. Without this information from the responsible party, there would presumably be further liability, which I cannot discuss further here.

The question of how things stand when the link provider has a connection to the target site, for example through a contract, is not considered further here. This case is also very rare compared to the overwhelming majority of external links, for which there is no contractual or similar relationship between the link provider and the target site.

Posting links to illegal content, or to content that could cause problems when entering the US, is more a matter of content (§ 7 TMG?).

When does a mutual responsibility arise?

I introduce the concept of mutual responsibility only as an aid. Mutual responsibility here means that two people communicate with each other, each sending a message in response to the previous message from the other.

The question of mutual responsibility is actually already answered, or answerable, by the explanations above, but is illustrated here with an example for clarification.

Someone sends you, a private individual acting in that capacity, an unsolicited email. You respond. Your response includes your private address, which was not requested (rather, your private address is part of every one of your emails as an automatically inserted signature).

To begin with, you are not responsible under the GDPR for the unsolicited email you received. You have merely collected the data received, but you made no offer inviting anyone to send you a message. You pursue no purpose in someone sending you an unsolicited message.

The recipient of your response collects your data. He is responsible for the personal data he requested, which he received as a result of his inquiry. He is initially not responsible for the data you sent him unasked and without connection to his request. Whether parts of an answer could be related to an inquiry, although no question was asked about it, must be checked on a case-by-case basis. For example, an e-mail signature may be strictly prescribed (e.g., in business correspondence), which would result in responsibility for the recipient.

Is it permissible to pass on data that has been received uninvited?

Yes, if there is a legal basis for this. For example, you can inform law enforcement agencies if you have received content that you consider unlawful or threatening. Recently, there was a case involving an eBay buyer. The buyer found that the purchased hard drive contained data from its previous owner, who was not the seller. The buyer contacted the previous owner as the data owner and returned the data to him in this way. If a data owner retrieves his own data from someone who received it unintentionally, there is usually no problem. A problem could arise if, for example, the sender chose a careless transmission method. Even neighborly help offered free of charge and out of kindness brings (for reasons other than data protection) significant obligations for the helper!

The legal bases of the GDPR for data processing are defined in Art. 6 GDPR. In the aforementioned example of law enforcement, legal bases from other laws may play a role, because when there is a threat, it's not primarily about data protection. The GDPR also states that "authorities, which may receive personal data within the framework of a specific investigation mandate under Union or Member State law", do not count as recipients. If your data transfer to an authority is legitimate, this does not create liability for the authority under the GDPR, because without a recipient no data collection takes place. I hope that's correct, and in view of Art. 2 GDPR I assume that there are (therefore) separate laws for authorities that regulate their liability.

Should data be stored indefinitely?

Data here means personal data that a responsible party has collected. If a person obtains erasure in accordance with Art. 17 GDPR, the data must be deleted accordingly.

Other legal provisions outside the GDPR may require longer retention, for example in tax matters.

Data may only be used for specific purposes and only in accordance with the legal bases from Art. 6 GDPR. Further processing for other purposes is not permitted according to Art. 5(1)(b) GDPR. However, storage is not further processing, so this regulation does not apply.

As long as stored data is not further processed, I consider an indefinite storage period permissible, provided the data owner does not object to it, etc. Of course, this can also arise from retention obligations. I have not investigated this in more depth and look forward to feedback.

Conclusion

The definition of the term collection is, in my opinion, plausible and logically derivable. It is clear that data collection represents the earliest possible data processing activity. No storage or evaluation is required for data to have been collected. It is also clear that it requires an address to which a message can be sent and from which a recipient can take note of it. Actually taking note is not necessary. The _possibility of taking note_ is sufficient.

However, a purely theoretical possibility of knowledge does not seem sufficient for data collection to be present. Rather, an actual possibility of knowledge must be present. Compare the example of the full email inbox or the mailbox that caught fire directly after mail delivery.

Anyone collecting personal data for their own purposes with means of their choice is responsible and therefore obliged to handle the personal data only in accordance with the GDPR.

The explicit statement that a responsible party must be a recipient, or must have arranged for receipt by third parties, is missing from the text of the GDPR; I am not aware of any reason for this (if I'm mistaken, please let me know). My assumption is that this is due to the complexity of the GDPR, or that it was assumed that a recipient role would be obvious from the term transmission. Without having first received data, no data from others can be present.

Someone is only held responsible if they provide an offer, which is referred to as purpose in the GDPR.

I think it's brilliant that data collection, or the collection of data, is defined as the first possible data processing operation in the GDPR, and that the concept of collecting data is addressed at all. Hardly anyone would come up with the idea that a data collection (always) takes place after data is received at an address and made available to the recipient.

Key messages

Collecting data is the first step in processing personal information and can make you responsible for following GDPR rules.

Data collection happens when a message is received at a designated address, allowing for potential recognition by a recipient.

Publicly accessible websites that serve a purpose are legally obligated to have a data protection statement because they collect personal data (like IP addresses) for a defined purpose.

Simply having contact information on your website doesn't automatically create a legal obligation. You only become legally responsible for collected data when you use it for a specific purpose, like responding to inquiries or offering services.

If you offer to receive personal information or set up a way for people to send you data, you are responsible for handling it properly.

Sharing data with others can lead to shared responsibility, even if you don't directly receive the data yourself.

Website operators are responsible for the personal data transmitted when embedding external images or setting external links, even if the transmission occurs at the user's instigation.

If a website links to another website without a business relationship, the linking website is technically responsible for data transfers but has little practical accountability.

Unintentional data sharing can have legal consequences. It's important to understand the legal basis for processing personal data and to respect the data owner's rights.

Collecting data means having the possibility to receive it, not just the theoretical possibility.

About

About the author on dr-dsgvo.de
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
