Business and administration: What kind of data can be processed and under which conditions?

What type and quantity of personal data can a company / organization process?

GDPR within companies and administrations (question / answer)

While browsing the web, I arrived to discover the website of the European Commission, there are develop several types of articles on the GDPR. Here is one of them, talking about the type of data that can be processed and under what conditions it can be done. Here is the link of the article.

What type and quantity of personal data can a company / organization process?


It depends on the reason for which they are treated (legal reason used) and the purpose for which they are. The company / organization must adhere to several key rules, including the following:

  • personal data must be treated in a lawful and transparent manner, guaranteeing loyalty to the persons whose personal data are processed ("lawfulness, loyalty and transparency");

  • there must be specific purposes for processing the data and the company / organization must indicate these purposes to the persons concerned when collecting their personal data; an enterprise / organization can not simply collect personal data for unspecified purposes ("purpose limitation");

  • the company / organization can only collect and process the personal data necessary to achieve these purposes ("data minimization");

  • the company / organization must ensure that the personal data are accurate and kept up to date with regard to the purposes for which they are processed, and correct them if necessary ("accuracy");

  • the company / organization can no longer use the personal data for other purposes which are not compatible with the purpose for which they were initially collected;

  • the company / organization must ensure that personal data are not kept longer than necessary to achieve the purposes for which they were collected ("limitation of retention");

  • the company / organization must put in place appropriate technical and organizational measures to ensure the security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage , using the appropriate technology ("integrity and confidentiality").


Your company / organization manages a travel agency. When receiving your customers' personal data, you should explain in clear and simple terms why you need this data, how you will use it and how long you intend to keep it. The processing should be personalized in a way that respects the fundamental principles of data protection.


Article 5 (1) and Recital 39 of the GDPR

Article 29 Working Party, Opinion 03/2013 on limitation of purposes (WP 203)

Various articles on the GDPR that could interest you ...