EU GDPR | Art. 4

Definitions

 

Data

‘Data’ is information which:-

a. is processed by means of equipment operating automatically in response to instruction given for the purpose.  (computerised)

b. is recorded with the intention that it should be processed by means of such equipment (a.) (manual paper to be computerised)

c. is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system. (filing cabinets, or similar where the information is stored in a structured or indexed way and therefore necessarily readily accessible.)

d. does not fall within a.-c. above but forms part of an accessible record. (generally a health, medical, educational or public record held by a local authority for housing or social services purposes).

e. is recorded information held by a public authority and does not call within any of the paragraphs a.-e.

Personal Data

Any information relating to an identifiable ‘natural’ person who can be directly or indirectly identified in particular reference to an identifier.

Sensitive Personal Data

Sensitive Personal Data (Special under the GDPR). A special category of personal data as it relates to information that individuals may assume to be of a more sensitive nature.

This category no longer includes Criminal convictions or offences.

Data Controller

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data – (either alone or jointly or in common with others).

‘Joint’ Data Controllers typically act together to use the data for a joint purpose; they have joint liability where things go wrong.

‘In Common’ Data Controllers have equal and shared access to data but will have their own purposes and reasons for processing.

Data Processor

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller and is not a employee by the controller.

Processing Data

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Basically anything you can do with data!

Lawful Basis

Processing personal data without any legal and therefore necessarily lawful basis can and will lead to damage to your business, brand and reputation.  Doing so will almost certainly give rise to bad publicity and possibly the closure of your business.

“Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.

“If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”

Source: Sally Anne Poole, ICO enforcement manager

Data Subject

An individual who is the subject of personal data.

From a business perspective, it is important to remember that certain partnerships and sole traders information is personal data.

Data Recipient

A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

It includes any person (such as an employee or agent of the data controller or agent of the data processor) to whom data are disclosed in the course of processing data for the data controller

  • but does not include a person entitled to access the information in connection with a particular inquiry made in the exercise of a statutory power
Third Party

A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

So to break that down, it’s any person other than,

  • the data controller
  • the data processor, or
  • any data processor or any other person authorised to process the personal data for the data controller or data processor, or
  • the data subject
Relevant Filing System

Any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

This is usually manual records held in filing cabinets, with some form of indexation to aid searching for and retrieving the information

Accessible Record

A health record – a record that does not fall within categories a-c and which consists of information relating to the physical or mental health or condition of an individual, and has been made by, or on behalf of a health professional (see s 69) in connection with the care of that individual or

An educational record – a record that does not fall within categories a-c and which is processed by, or on behalf of the governing body or a teacher at a school which is maintained by an LEA or a “special school” (not private ones), and relates to a pupil, past or present, and originates from specific categories of persons or

An accessible public record – a record that does not fall within categories a-c and which is processed by

  • a social services authority for any purpose of the authority’s social services functions
  • a Housing Act local authority for the purpose of any of the authority’s tenancies.
Category 'e' Unstructured Data

Information held by public bodies that does not fall within categories a-d.

‘Pseudonymised’ Personal Data

Where the personal data has key-coded to remove the relational or identification element of the data.  The key is held elsewhere and would be needed to re-compile that data into any meaningful form.

'Anonymised' Personal Data

A step above ‘pseudonymisation’ it is coded in no meaningful way with no way to re-compile or reconstruct the personal data.

Restriction of Processing

The marking of stored personal data with the aim of limiting their processing in the future.

Profiling

Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements

Consent

Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of their personal data.

Personal Data Breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Genetic Data

Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

Biometric Data

Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data (fingerprints!).

Representative

A natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation.