The main question is – are you (or your company) allowed to process personal data?

In general, yes. You are allowed to process personal data – you do not need to have any license from a state.

(Even though in some countries such as the UK you might need to pay a fee to a Data Protection Authority or you might need a registration.) 

For the EU, after GDPR became effective, you do not need any special registration of each processing activities of personal data (some countries used to require registration at the local data protection authority).

So as we already mentioned, you do not need any licence for personal data processing. 

But you need to follow quite strict rules because processing of personal data is subject to data protection regulations. In the EU, it is GDPR – General Data Protection Regulation, which has been effective since May 2018 and which united rules for data processing across the European Union (or European Economic Area to be more precise).

This regulation is applicable for the processing of personal data of European citizens – even by companies established in other countries – for example, located in the USA. In the following points, we will focus on GDPR, but many Data Protection Regulations across the world follow a similar approach.

Before we look at the principles, maybe consider looking at previous articles explaining which data is being considered as personal data and which activities are considered to be a processing.

So what are the points to consider, when you process personal data?

1. Legal Basis: Ensure you have a valid legal basis for processing personal data. Common legal bases include consent, contractual necessity, and legitimate interests.
2. Purpose: Clearly define the purpose of processing. Are you collecting data for marketing, customer service, or other specific reasons? In general, you cannot use data collected for one purpose to be used for others (without further legal basis, typically consent).
3. Transparency: Inform individuals about how their data will be used. Provide a privacy notice that explains what data you collect, why, and how long you’ll retain it.
4. Data Minimization: Collect only the necessary data. Avoid excessive or irrelevant information.
5. Rights of Data Subjects: Respect individuals’ rights, including the right to access, rectify, and erase their data. Be prepared to handle data subject requests.
6. Security: Implement appropriate security measures to protect personal data. Encryption, access controls, and regular audits are essential.
7. International Transfers: If you transfer data across borders, ensure compliance with GDPR and other relevant regulations.