Data processing begins as soon as personal data is collected. Data collection is the earliest possible activity of processing. From this alone, a responsibility under the GDPR can already arise, along with numerous obligations. Only those who collect data can be responsible. But what does collecting data mean?
Why is data collection an important term?
Collecting data is equivalent to processing data. Only those who process personal data or initiate processing by others can be held responsible (and often are, when purpose and means are determined).
Whoever is responsible in the sense of the GDPR must comply with the regulations of the GDPR. Therefore, it is particularly important to know what collecting data (Erheben von Daten) means. The legislative text of the General Data Protection Regulation does not define this.
I introduce the following terms to explain what is meant by data collection:
- Address
- Container (in the sense of mailbox or buffer)
- Collecting
- Offer
You might be surprised by some of these terms in the context of data collection. The term Container in particular, which I introduce here, should be new in data protection circles, if one excludes document destruction. The other terms do not appear (or appear only in a very restricted way) in the legislative text of the GDPR. Maybe the term Mailbox is easier to understand, although it is too concrete and thus vague.
This article deals with information that has been brought to a responsible party rather than information that a responsible party has obtained themselves.
Boundary.
Furthermore, a distinction is made in the following between data collection and responsibility. Data collection itself is not yet a critical data protection issue, but it will probably become one when responsibility arises. Responsibility, in turn, can only exist if data collection took place. Not being responsible for any data collection is equivalent to having no responsibility.
Introduction
Under Article 4 No. 2 of the GDPR, data processing is defined as: processing of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The collection, recording, organisation, structuring or processing, storage, alteration or modification, retrieval, consultation, use, disclosure by transmission, dissemination or making available a copy, comparison or linking, restriction, erasure or destruction
Definition of the term data processing according to Article 4 No. 2 GDPR.
In the English version of the legal text, the word collection (from to collect) is used for the German Erheben.
The legislative text contains no definition of the term collection. Therefore I had to write this article to provide clarity.
This article considers only collections of personal data in the non-private sector that either take place automatically or semi-automatically, or are stored in a filing system or are intended to be stored there. This corresponds to the scope of application of the GDPR as regulated in Art. 2 GDPR, excluding the exceptions mentioned in paragraph 2.
Data collection is the first processing activity
It is noticeable that the activities which constitute processing are listed in an ordered sequence. The order consists in the fact that the first-mentioned activity, collection, is the earliest possible processing activity in time, and all further processing operations follow later.
The three activities mentioned in the legislative text that follow – restriction, deletion, and destruction – I will exclude from the following discussion because they are destructive activities that are more positively evaluated from a data protection law perspective, as they reduce or eliminate liability.
The activities that data processing entails, according to Article 4 No. 2, are in chronological ascending order, namely in the sequence mentioned in the legislative text:
- Collection; only then can
- Recording follow; after that,
- Organisation is possible, as is
- Structuring; then (or also without organisation or structuring)
- Storage is possible; thereafter (or alternatively before storage) comes
- Alteration, but only after storage comes
- Retrieval or
- Consultation. With or without storage follows the possibility of
- Use or
- Disclosure by transmission, dissemination or any other form of making available, as well as
- Alignment or combination.
This order is therefore no accident and cannot be an accident since there are 11! (11 factorial) possibilities of arranging this list. 11! = 11 * 10 * 9 * 8 * 7 * 6 * 5 * 4 * 3 * 2 * 1 = 39,916,800, so just under 40 million. Even if two of the eleven term pairs are considered equal in value, the number of possibilities is over 300,000. The probability that the list came together by chance would therefore be 1/362,880 = 0.0000028.
The Article 29 Working Party also clarified in Opinion 3/2013 that collection is the first data processing activity.
The legislator has therefore clearly and without any doubt placed collection at the beginning of data processing. This is also evident from the title of Article 13 GDPR: "Information obligation when collecting personal data from the data subject".
Whoever collects data processes data. Data collection is the earliest possible data processing operation!
Conclusion from Article 4 No. 2 of the GDPR.
Data collection takes place before data recording, as the law says. According to Duden, to collect (erheben) means to gather together or to collect, which can also be inferred from the English legal text (to collect).
The German word zusammentragen sounds a bit strange at first. After some thought, I managed to decipher and substantiate the term.
Collecting data requires a recipient address.
My understanding of the definition of data collection.
Data collection can only take place if an address is named to which a person can send a message. Surprisingly, the term collecting can be derived from the address! As shown, the address does not even have to be that of the actual recipient, but can be any recipient's address.




My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
