How-to guide: Understanding key data protection definitions (EU)

Updated as of: 02 March 2025

Introduction

This guide is a glossary of key definitions and terminology relevant to data protection and is intended to be a useful reference resource for in-house counsel and private practice lawyers advising in this area. It combines statutory definitions with working definitions and other relevant terminology, as informed by regulatory guidance and practice.

This guide covers:

  1. Overview – legal framework
  2. Key definitions

There are special rules under the EU GDPR (as defined below) relating to processing by law enforcement and intelligence services, but this guide does not deal with these. Instead, it focuses on those requirements that will be most relevant to commercial organisations.

This guide can be used in conjunction with How-to guide: How to ensure compliance with the GDPR and Checklists: Managing a dawn raid, GDPR compliance self-assessment audit and Lawful processing of personal data under the GDPR.

Section 1 - Overview – legal framework

The guide covers the requirements under:

  • Regulation (EU) 2016/679 – General Data Protection Regulation (EU GDPR);
  • various European Data Protection Board (EDPB) guidance and, where relevant, EU member states’ supervisory authorities’ interpretation of such EU GDPR requirements.

The EDPB has not published a glossary of the EU GDPR’s key terms. However, the European Data Protection Supervisor (EDPS) – the EU’s independent data protection authority, which provides an independent secretariat to the EDPB (offering administrative and logistic support, performing analytical work and contributing to the EDPB’s tasks) – has published a glossary of key terms on its website. References and/or links to relevant parts of the EDPS glossary are included in this guide, where applicable.

Section 2 - Key definitions

Article 4 is the definitions section of the EU GDPR.

Key terms are set out below in alphabetical order.

2.1 ‘Anonymous data’

‘… information which does not relate to an identified or identifiable natural person or … personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.’

Recital 26, EU GDPR.

Anonymisation involves removing identifiers that would enable an individual to be singled out (eg, by aggregating records into statistical data) or re-identified using other data. Properly anonymised data is not personal data and therefore the EU GDPR does not apply to it.

It should be noted that if there are reasonably available means to re-identify the individuals whose data it is (when combined with other data), the data will not have been properly anonymised and will instead only be pseudonymised (see also ‘pseudonymisation’ below at 2.24).

2.2 ‘Automated decision-making’

Automated decision-making refers to making a decision solely by automated means without any human involvement. 

Article 22, EU GDPR imposes certain conditions on this type of decision-making where it has legal or similarly significant effects for individuals. 

2.3 ‘Binding corporate rules’ or ‘BCRs’

‘personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity’

Article 4(20), EU GDPR.

BCRs are an appropriate safeguard for intra-group international data transfers. BCRs must be approved by each of the EU or European Economic Area (EEA) supervisory authorities from whose country the data is to be transferred.

See the EDPB’s recommendations on the BCR application process for controllers for further information.

2.4 ‘Biometric data’

‘personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data’

Article 4(14), EU GDPR.

Biometric data that is used to uniquely identify someone is ‘special category data’ under article 9, EU GDPR (see below at 2.28). The EU GDPR imposes additional requirements on processing such data.

2.5 ‘Consent’ (of the data subject)

‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’

Article 4(11), EU GDPR.

Data subject consent is one of a number of lawful bases under article 6, EU GDPR upon which personal data is permitted to be processed. Article 7, EU GDPR sets out further conditions for valid consent. See also ‘explicit consent’ below at 2.13.

2.6 ‘Controller’

‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law’

Article 4(7), EU GDPR.

The controller is the organisation that makes the key decisions as to why, and by what means, personal data will be processed.

A controller may engage processors to process personal data on its behalf (see ‘processor’ below at 2.22). Whether a party is a processor or controller is a factual issue and has different consequences in terms of legal compliance obligations and liability. See the EDPB guidelines on the concepts of controller and processor for further information.

2.7 ‘Criminal data’

This is a shorthand way of describing processing of personal data related to criminal convictions and offences under article 10, EU GDPR. This is not a defined term within the EU GDPR.

2.8 ‘Data concerning health’

‘personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveals information about his or her health status’

Article 4(15), EU GDPR.

Data concerning health is ‘special category data’ under article 9, EU GDPR (see below at 2.28). The EU GDPR imposes additional requirements on processing such data.

2.9 ‘Data protection officer’ (or DPO)

A person appointed by a controller or processor with certain responsibilities under the UK GDPR or EU GDPR for data protection compliance.

Articles 37 to 39, EU GDPR.

2.10 ‘Data subject’

‘an identified or identifiable natural person … an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’

Article 4(1), EU GDPR.

Generally speaking, data protection laws only apply to living individuals. Data related to a deceased person is not considered personal data in most cases under the EU GDPR.

2.11 ‘European Data Protection Board’

Reference is made in Chapter VII, Section 3 of the EU GDPR to the EDPB. In particular, article 68 describes the composition of the EDPB, article 69 requires the EDPB to act independently and article 70 makes clear the tasks of the EDPB.

2.12 ‘Enterprise’

‘a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity’

Article 4(18), EU GDPR.

An enterprise essentially means a business. This term is relevant to the provisions of the EU GDPR relating to BCRs (article 47, EU GDPR and see above at 2.3), data processing records (article 30, EU GDPR), codes of conduct (article 40, EU GDPR) and certification (article 42, EU GDPR).

2.13 ‘Explicit consent’

‘Explicit consent’ is an exemption to the prohibition on special category data processing under article 9, EU GDPR. It can also be used to permit solely automated decision-making and international data transfers. This differs from standard consent (see ‘consent’ above at 2.5) in that (in addition to the standard consent requirements) it requires a very clear and specific statement of consent (ie, to be confirmed in words).

2.14 ‘Filing system’

‘any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis’

Article 4(6), EU GDPR.

This definition implies that personal data needs to be organised in some way.

It is relevant to the material scope of processing of personal data to which the applicable data protection regime applies (see article 2, EU GDPR regarding the material scope of the regulation). The EU GDPR does not cover information that is not, or is not intended to be, part of a ‘filing system’. However, given that modern business practices invariably cause unstructured data to be processed by automated means or, in the case of manual processing, such data is likely to be held in a filing system, very little unstructured data would fall outside the material scope of the EU GDPR.

2.15 ‘Genetic data’

‘personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which results, in particular, from an analysis of a biological sample from the natural person in question’

Article 4(13), EU GDPR.

Processing of genetic data for the purpose of uniquely identifying a natural person will involve processing special categories of personal data (see below at 2.28) to which article 9, EU GDPR applies.

2.16 ‘Group of undertakings’

‘a controlling undertaking and its controlled undertakings’

Article 4(19), EU GDPR.

This term is used in the context of the provisions relating to:

  • BCRs (see definition above at 2.3 and article 47, EU GDPR);
  • prior consultation (article 36, EU GDPR); and
  • data protection officers (article 37, EU GDPR).

‘Undertaking’ is not defined in the EU GDPR but assumes the same meaning as under EU competition law – namely, any entity engaged in an economic activity, that is, an activity consisting in offering goods or services on a given market, regardless of its legal status and the way in which it is financed (see articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU)). The concept of control under competition law concerns the ability of an undertaking to exercise decisive influence over another undertaking.

The term ‘undertaking’ is also relevant to the calculation of administrative fines under article 83, EU GDPR.

2.17 ‘Information society service’

‘A service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council’

Article 4(25), EU GDPR.

‘Information society services’ covers a range of online services.

This term is used in the context of obtaining children’s consent in relation to online services under article 8, EU GDPR, to which additional conditions apply. It may also be relevant to the data subject rights of erasure and objection.

2.18 ‘International organisation’

‘an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.’

Article 4(26), EU GDPR.

This term is relevant to international data transfers under Chapter V and other provisions of the EU GDPR that impose obligations regarding such transfers (eg, article 13 (transparency)).

2.19 ‘Personal data’

‘any information relating to an identified or identifiable natural person (“data subject”)’

Article 4(1), EU GDPR.

Personal data means any information which, by itself or together with other information, can be used to identify a person. In some EU jurisdictions this has to be a living person, but in other EU jurisdictions information relating to deceased persons is protected by certain aspects of data protection law.

2.20 ‘Personal data breach’

‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’

Article 4(12), EU GDPR.

A personal data breach is effectively a security incident that involves personal data. Controllers have obligations to inform data protection regulators (article 33, EU GDPR) and affected data subjects (article 34, EU GDPR) about personal data breaches. The EDPB has published guidelines particular to personal data breaches.

2.21 ‘Processing’

‘means any operation or set of operations which is performed on information, or on sets of information, whether or not by automated means, such as collection, recording, organisation, structuring or storage, adaptation or alteration, retrieval, consultation or use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, or restriction, erasure or destruction’

Article 4(2), EU GDPR.

Processing is a broad term which covers more or less any use of data.

2.22 ‘Processor’

‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’

Article 4(8), EU GDPR.

A processor must follow the controller’s instructions when processing personal data on its behalf. Whether a party is a processor or controller is a factual issue and has different consequences in terms of legal compliance obligations and liability. See the EDPB guidelines on the concepts of controller and processor for further information.

2.23 ‘Profiling’

‘any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements’

Article 4(4), EU GDPR.

Profiling means automated processing of personal data to evaluate certain aspects about a person, eg, how they might behave or respond. When profiling is part of an automated decision-making process, additional requirements apply (see ‘Automated decision-making’ above at 2.2).

2.24 ‘Pseudonymisation’

‘the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person’

Article 4(5), EU GDPR.

Pseudonymisation is a technique or data management tool that removes directly identifying data about individuals and keeps that information separate, so that the remaining data is no longer identifiable on its own. Examples include using key-coding, persistent IDs or hashing techniques in place of names or email addresses. It is a measure that can make data more secure, but pseudonymised data will still be ‘personal data’ if, in combination with other data (such as the separately held key), it allows the individual to be re-identified.

See also ‘Anonymous data’ above at 2.1.
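As an added illustration (not part of the original guide), the following Python shows the distinction drawn in 2.1 and 2.24 above: a keyed pseudonymisation of some constructed sample records, where the key is the separately held ‘additional information’ that still permits re-identification, beside an aggregation into counts that no longer relate to any one individual. The records, the key and the small-cell threshold are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records about fictitious people (not real data).
RECORDS = [
    {"email": "alice@example.com", "city": "Dublin", "condition": "asthma"},
    {"email": "bob@example.com", "city": "Dublin", "condition": "asthma"},
    {"email": "carol@example.com", "city": "Lyon", "condition": "diabetes"},
]


def make_token(key: bytes, email: str) -> str:
    """Persistent pseudonym for an email address: HMAC-SHA256 under a secret key.
    A keyed construction is used instead of a plain hash so that the token cannot
    be recomputed from a guessable email by anyone who does not hold the key."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Replace the direct identifier (email) with a keyed token. The key is the
    'additional information' of Article 4(5) and must be stored apart from the
    pseudonymised dataset, under its own access controls."""
    return [
        {"pid": make_token(key, r["email"]), "city": r["city"], "condition": r["condition"]}
        for r in records
    ]


def reidentify(pseudonymised, key: bytes, candidate_emails):
    """Relink tokens to people. This only works for whoever holds the key, which
    is why pseudonymised data remains personal data: re-identification is still
    reasonably possible using the separately held information."""
    lookup = {make_token(key, e): e for e in candidate_emails}
    return {row["pid"]: lookup.get(row["pid"]) for row in pseudonymised}


def aggregate(records, min_count: int = 2):
    """Aggregate into counts per (city, condition), dropping cells below
    min_count so that no count singles out one person. The threshold is a
    constructed illustration of small-cell suppression, not a legal standard."""
    counts = Counter((r["city"], r["condition"]) for r in records)
    return {cell: n for cell, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the controller, stored separately
    emails = [r["email"] for r in RECORDS]
    pseudo = pseudonymise(RECORDS, key)
    print(pseudo)                                   # no emails, stable tokens
    print(reidentify(pseudo, key, emails))          # relinked: key holder can re-identify
    print(reidentify(pseudo, b"wrong key", emails))  # all None: without the key, no link
    print(aggregate(RECORDS))                       # counts only, no individual record
```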

2.25 ‘Recipient’

‘a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing’

Article 4(9), EU GDPR.

Recipient means a person or body to which personal data is disclosed.

This term is relevant to the provisions regarding transparency/information notices, data subject rights, data processing records, international data transfers and enforcement action.

2.26 ‘Representative’

‘a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation’

Article 4(17), EU GDPR.

A representative needs to be appointed in certain circumstances (see article 27, EU GDPR) when personal data of individuals in the EU and EEA is being processed by an organisation that does not have an establishment in the EU or EEA.

A representative serves as a point of contact for data subjects and the data protection authority. Enforcement action can be taken against representatives. The EDPB’s guidelines on the territorial scope of the EU GDPR provide further information about representatives.

2.27 ‘Restriction of processing’

‘the marking of stored personal data with the aim of limiting their processing in the future’

Article 4(3), EU GDPR.

In practice, restriction of processing means using technical or other measures to pause or limit processing of personal data.

Restriction of processing is a data subject right under article 18, EU GDPR. The controller will have to restrict processing of personal data if certain conditions are met.

2.28 ‘Special category data’

‘personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation’

Article 9(1), EU GDPR.

This is a shorthand way of describing ‘special categories of personal data’ under article 9, EU GDPR, which is extracted above. The EU GDPR imposes additional conditions on processing this more sensitive type of personal data.

2.29 ‘Third country’

Although not defined in the EU GDPR, this term is relevant to the provisions relating to international data transfers under Chapter V, EU GDPR.

A ‘third country’ refers to countries or territories outside the EU (or the EEA by virtue of relevant legislation). Additional safeguard requirements need to be met if personal data is to be transferred to a third country from the EEA if there is not an adequacy decision in place. The European Commission has granted various other countries adequacy in accordance with article 45, EU GDPR. See Checklist: GDPR Compliance self-assessment audit Step 8.

2.30 ‘Third party’

‘a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data’

Article 4(10), EU GDPR.

The term ‘third party’ is used in various contexts under the EU GDPR to refer to a party that is somehow involved in data processing (other than the controller, processor or data subject) and is authorised to do so.

Additional resources

EDPB guidelines, recommendations, best practices
EU GDPR text

Related Lexology Pro content

How-to guides:

How to comply with data processing principles under the GDPR
How to ensure compliance with the GDPR
How to establish a valid lawful basis for processing personal data under the GDPR
How to transfer personal data lawfully outside the European Economic Area 
How to reduce the risk of a GDPR data breach 
How to deal with a GDPR data breach 
How to deal with a supervisory authority dawn raid 

Checklists:

GDPR compliance self-assessment audit 
Assessing whether an organisation is a controller or processor under the GDPR 
Lawful processing of personal data under the GDPR 
Obtaining and managing consent under the GDPR 
Processor due diligence (data protection and cybersecurity) 
Making an international transfer of personal data under the GDPR 
Data subject access rights under the GDPR 
What to include in your organisation’s privacy notice 
When and how to appoint a data protection officer 
Complying with cookie requirements under the ePrivacy Directive and the GDPR 
