Any operation involving personal data, also including their access or vision, is considered as data processing.
Even the usage of a video surveillance system or a drone taking images of people, even without filming, is considered as data processing.
The data processing should be lawful, fair and transparent. The information about the data processing has to be clear and plain in order to make clear without difficulties which data should be treated and how.
The data processing should have precise, explicit, lawful purposes. When data has to be process for a certain aim indicated in the Information (e.g. for sending information), those data cannot be used for other purposes – different from those indicated – which the data subject could think of.
The requested data should be relevant, adequate and limited to what is necessary for the purposes. If data are requested for sending a product purchased online, it is beyond the limit asking information about the sport played or about places where spending holidays.
Data should be correct and updated.
Processing should occur for the limited time required to perform the activity needing those data, unless the national regulation foresees a longer period.
An adequate security is the fundamental principle concerning data processing. Security here means the ability of a network or an information system to resist accidental events even malicious that may compromise data.
Before starting a processing, it is necessary to carry out a DPIA (Data Protection Impact Assessment) in order to understand risks and how to avoid them.
In the case the risks are high and it is hard to contain them, it could be necessary to consult, as a precautionary measure, the supervisory authority.
Security is a fundamental condition to transfer data among companies of the same group and make the Binding Corporate Rules (BCR) approved.