DEFINITIONS AND BASIC CONCEPTS

1) ‘personal data’: any information about an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

 2) ‘processing’: any operation or set of operations carried out on personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or any other means of making available, alignment or combination, limitation, deletion and destruction;

3) ‘limitation of the processing’: the marking of stored personal data to limit its processing in the future;

4) ‘creation of profiles’: any mean of automated processing of personal data consisting of using personal data to assess certain personal aspects of a natural person, in particular to analyse or predict aspects relating to professional performance, economic situation, health, personal preferences, interests, reliability, behaviour, location and movement of this natural person;

5) ‘pseudonymisation’: the processing of personal data to ensure that they cannot be attributed to the data subject without using additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure the personal data are not attributed to an identified or identifiable natural person;

6) ‘filing’: any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

7) ‘controller’: the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; if the Law of the Union or Member States determines the purposes and means of processing, the controller or the specific criteria for their appointment may be set by the Law of the Union or the Member States;

8) ‘processor’: the natural or legal person, public authority, service or other body which processes the personal data on behalf of the controller;

9) ‘recipient’: the natural or legal person, public authority, service or other body to which data are disclosed, whether they are a third party or not. However, public authorities which may receive personal data as part of a specific inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of such data by these public authorities shall be in compliance with the applicable data protection regulations regarding the purposes of the processing;

10) ‘third party’: any natural or legal person, public authority, service or body other than the data subject, the controller, the processor and the people authorised to process the personal data under the direct authority of the controller or processor;

11) ‘data subject’s consent’: any demonstration of free, unequivocal, specific, and informed consent to the processing of their data; whether through a statement or a clear affirmative action;

12) ‘personal data security breach’: any security breach that causes the accidental or illegal destruction, loss or alteration of personal data that are transmitted, stored or processed in another way or unauthorised communication or access of these data;

13) ‘genetic data’: personal data relating to inherited or acquired genetic characteristics of a natural person, which provide unique information about the physiology or health of a person, in particular those obtained from the analysis of a biological sample of this person;

14) ‘biometric data’: personal data obtained from a specific technical process relating to the physical, physiological or behavioural characteristics of a natural person, which enables or confirms the unique identification of this natural person, such as facial images or dactyloscopic data;

15) ‘health-related data’: personal data relating to the physical or mental health of a natural person, including the provision of healthcare services that reveal information about their health;

16) ‘company’: natural or legal person engaged in an economic activity, irrespective of its legal form, including the companies or associations regularly engaged in an economic activity;

17) ‘business group’: group consisting of a controlling companies and its controlled companies;

18) ‘binding corporate regulations’: the data protection policies which are adhered to by a data controller or processor, established in the country of a Member State for transfers or sets of transfers of personal data to a data controller or processor in one or more third-party countries with a business group or union of business working on a joint economic activity;

19) ‘supervisory authority’: the independent public authority established by a Member State;

20) ‘supervisory authority concerned’: the supervisory control which is concerned by the processing of personal data because:

a) the controller or processor is established in the territory of the Member State of that supervisory authority;

b) the data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing;

c) a complaint has been lodged with that supervisory authority.

-----------------------------------------

 

Reference: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND EUROPEAN COUNCIL of 27 April 2016 (Article 4)