Answer ... (a) Data processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4(2) of the EU General Data Protection Regulation (GDPR)).
(b) Data processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) of the GDPR).
(c) Data controller
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law (Article 4(7) of the GDPR).
(d) Data subject
An identified or identifiable natural person (Article 4(1) of the GDPR).
(e) Personal data
Any information relating to an identified or identifiable natural person (‘data subject’). An ‘identifiable natural person’ is someone who can be identified, directly or indirectly, in particular by reference to
-
an identifier such as:
-
- a name;
- an identification number;
- location data;
- an online identifier; or
- one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1) of the GDPR).
(f) Sensitive personal data
Defined as ‘special categories of personal data’ in the GDPR, which means:
-
data that reveals:
-
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs; or
- trade union membership;
- genetic data;
- biometric data;
- data concerning health; and
- data concerning a natural person’s sex life or sexual orientation (Article 9(1) of the GDPR).