Under the GDPR, data processing is any operation performed on personal data, including collection, storage, use, or disclosure. A data controller (for example, an organization) determines the purposes and means of processing personal data.