What counts as “processing personal data” under GDPR?

Under the GDPR, processing personal data encompasses virtually any action performed on personal data, whether automated or manual. This includes collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, and destruction. For email marketers, this means that simply storing an email address in your database, segmenting subscribers based on behavior, or even viewing subscriber records all constitute processing activities that must comply with GDPR requirements.

The breadth of this definition is intentional-the GDPR aims to regulate the entire lifecycle of personal data from the moment it's collected until it's permanently deleted. When you import a subscriber list, send a campaign, analyze open rates by demographic, or share subscriber data with a third-party email service provider, each of these actions represents distinct processing activities. Even passive storage without active use still counts as processing, which means you remain obligated to maintain security and honor data subject rights regardless of how frequently you interact with the data.

For email marketing specifically, key processing activities include collecting email addresses through signup forms, storing subscriber preferences and consent records, sending marketing messages, tracking engagement metrics, and synchronizing data with CRMs or other platforms. Each processing activity requires a lawful basis under Article 6 of the GDPR, such as consent or legitimate interest. If you're handling EU subscriber data in any way, you're processing it, and that means GDPR compliance is not optional.