How to know if something is allowed under the GDPR: a practical tool

Since its introduction in 2018, the General Data Protection Regulation (GDPR) has brought about many changes in how companies handle personal data. However, understanding the GDPR can be challenging, and it is often not immediately clear whether certain actions are allowed. This blog post provides a clear explanation of how you can determine if your practices are in line with the GDPR.


Understanding the GDPR

The GDPR is designed to give individuals more control over their personal data and to make data processing by companies more transparent. It is important to understand the basic principles of the GDPR: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.

Step 1: Know the data you process

Start by identifying what data you collect and process. Is it personal data? The GDPR only applies to personal data, which means information that can directly or indirectly lead to an individual.

Step 2: Establish the lawfulness of processing

For each data processing activity, you must have a legal basis. This could be consent, necessity for the performance of a contract, legal obligations, protection of vital interests, a task carried out in the public interest, or legitimate interests. Make sure you have a clear and lawful basis for each processing activity. Not sure if this basis exists? Involve a privacy officer and if there is doubt: document where your doubts lie. If a processing is not lawful, it is not allowed. If you have doubts and your organization wants to proceed anyway, make sure this decision is made by people with the right mandate. If the processing turns out to be unjustified afterwards, your organization can be held accountable by data subjects or the supervisory authority. Also read our blog about legal grounds that sound good, but are not.

Step 3: Respect the rights of data subjects

The GDPR strengthens the rights of individuals, including the right to access, rectification, erasure, restriction of processing, and the right to object. Make sure you have mechanisms to respect these rights. Be clear about the data you process from people, and do so in a way that people can become aware of this in a timely manner.

Step 4: Apply data minimization and be mindful of purpose limitation

Collect only the data that is strictly necessary for the specific purpose for which it was collected. This principle of data minimization also means that you must have clear purposes for processing and you cannot change these without good justification.

Step 5: Ensure data security

A crucial aspect of the GDPR is the security of personal data. Implement appropriate technical and organizational measures to protect the data from unauthorized access, loss, or destruction. Consider measures to protect access, encryption of data exchange and storage, and logging.

Step 6: Documentation and accountability

Document your data processing activities and ensure that you can demonstrate at all times how you comply with the GDPR. This includes maintaining data processing registers, conducting Data Protection Impact Assessments (DPIAs) where necessary, and having a privacy policy.

Step 7: Stay informed about changes

The interpretation and application of the GDPR continue to evolve. Stay informed about the latest guidelines and case law to ensure your practices remain up-to-date.


Determining whether something is allowed under the GDPR is not a one-time action, but a continuous process of evaluation and adjustment. By following these steps, you can be sure that your actions are in line with the GDPR, thereby not only complying with the law but also strengthening the trust of your customers and partners.


Questions about the GDPR?

Contact Frank van Vonderen.

Related insights