Key definitions
«personal data»: any information relating to an identified or identifiable natural person («data subject»); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Examples: first and last name, phone number, tax code, car license plate, image, identity card number, details of debit and credit cards
«processing»: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Examples: collection of personal data on paper or on-line forms, images taken in video or photographic format, shooting with video surveillance systems, data entry in digital filing systems, organisation of contracts or forms with personal data, intersection of personal data to create profiles or for subsequent statistical purposes, electronic processing of data kept in different filing systems, destruction of documents or deletion of files
«restriction of processing»: the marking of stored personal data with the aim of limiting their processing in the future
Examples: the data subject has asked that personal data are processed only for administrative purposes and not for other purposes (such as, for instance: interconnection with other data, marketing activity, dissemination on the Internet)
«profiling»: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements
Examples: interconnection of information stored in own or third parties’ filing systems, in electronic format, to create behavioural profiles, preferences or interests and analyse such information to classify a person in a specific cluster / target, according to the person’s characteristics. This is a tool used for profiling to the extent that it is related to direct marketing activities and purposes. Profiling can be carried out using profiling cookies on websites (be they first party or third party)
«pseudonymisation»: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person
Examples: personal data identifying a person are stored in a filing system which is different from the filing system storing other data (additional information, such as details on identity cards and credit and debt cards stored separately from first and last name of the person in such a way that data are protected and do not allow to identify immediately the data subject)
«filing system»: any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis
Examples: database containing customers’ / donors’ / suppliers’ data; database of employment contracts, database of invoices. It does not matter if on paper or digital format
«controller»: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
Examples: it is the entity which decides purposes and means to process personal data, as well as the security measures to apply to protect personal data and the procedures to implement for data processing (from collection of data to their erasure). If it is a structured entity, such as a company or a not-for-profit organisation or a public body, the controller is the entity as a whole and not its legal representative or others with power of representation (e.g.: company name with address and other details for its identification, such as tax code or VAT number)
«processor»: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
Examples: the processor is a third party (company, organisation, public body or natural person) which carries out data processing according to instructions given in writing by the controller. A processor, for instance, can be a work consultant, a company printing letters and documents with addresses, data centre which provides data storage services, a company which keeps documents or files containing personal data, call centre, data processing company
«communication»: disclosing personal data to one or more identified entities other than the data subject, the data controller’s representative in the State’s territory, the data processor and persons authorised to data processing, in any form whatsoever, including by making available or interrogating such data
Examples: making available, in a paper or electronic format, personal data to third parties which are uniquely identified. Such third parties shall process data for their purposes and using their own predetermined means and procedures, and, in so doing, they are autonomous controllers (e.g.: third companies or organisations, public bodies for their institutional / marketing / communicational purposes or because the communication is due in force of law)
«recipient»: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not
Examples: autonomous data controllers, such as public bodies (e.g.: tax agency) for institutional functions or companies / organisations for direct marketing or communication purposes or work consultant acting as a processor
«third party»: natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data
Examples: another controller acting autonomously (see definitions: «communication» and «recipient»)
«dissemination»: disclosing personal data to one or more unidentified entities other than the data subject, the data controller’s representative in the State’s territory, the data processor and persons authorised to data processing, in any form whatsoever, including by making available or interrogating such data
Examples: differently from the communication, personal data are made available to third parties which are not previously identified when data are spread. Their identity is not known or predetermined: it may be the case of printing personal data on leaflets, newspapers, or broadcasting data through media or displaying videos and photos on the Internet / social media
«consent»: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
Examples: consent may be expressed by ticking a box while visiting a website or by signing a document. Consent must be expressed by the data subject, so silence or pre-ticked boxes or inactivity are not regarded as a valid consent. Inactivity means denying consent. Consent is not the unique legal basis which makes processing lawful. There are exemptions, so that personal data can be lawfully processed without the data subject’s consent
«personal data breach»: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
Examples: intentional or negligent action which causes damage to the data subject and to confidentiality of the data subject’s private sphere. Data may be lost, damaged, altered, destroyed, deleted, unlawfully processed by unauthorised persons. This may happen when there is a cyber-attack and unauthorised third parties have access to data. A data breach may occur when the security measures are not adequate and suitable to prevent data from risks
«genetic data»: personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question
Examples: DNA
«biometric data»: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data
Examples: fingerprints, iris configuration (often used as authentication credentials to access a computer, as an alternative to username and password)
«data concerning health»: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status
Examples: illness, pathology, organ and tissue transplantation, rehabilitation of the physically and mentally disabled or incapacitated, clinical records or medical certificates, medical prescriptions and diagnosis, medical treatment, pregnancy. These data do not necessarily concern pathologies and in the event of pathology, not necessarily permanent
«special categories of data»: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation
Examples: membership of a political, religious, philosophical, or trade-unionist movement or association. Data may be revealed through statements freely given by the data subject
«personal data relating to criminal convictions and offences»
Examples: criminal records, condition of suspect or defendant, information on judicial proceedings, criminal penalties, security measures related to criminal convictions and offences
«representative»: a natural or legal person established in the Union who, designated by the controller or processor in writing, represents the controller or processor with regard to their respective obligations under the GDPR
Examples: when the controller has its registered office in a third country, but data processing is carried out in the European Union, the GDPR requires that a representative established in the European Union should be designated in writing (e.g.: a contract). The representative represents the controller with regard to its obligations under the GDPR
«main establishment»:
a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment
Examples: a controller may have more than one establishment located in the European Union. The main establishment is where there is the administration, but if the purposes and means of processing are decided by a different establishment, then the establishment which determines the purposes and means of processing shall be regarded as the main establishment
or
b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under the GDPR
Examples: a processor may have more than one establishment located in the European Union. The main establishment is where there is the administration in the European Union, but if the establishment is not in the European Union or if the processing is mainly carried out in an establishment in the European Union which is different from the establishment of the administration, then the main establishment shall be identified in the establishment where such main processing activities are performed
«enterprise»: a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity
Examples: companies such as limited liability companies, as well as not-for-profit organisations which have also commercial purposes carried out on a regular basis and not only occasionally
«group of undertakings»: a controlling undertaking and its controlled undertakings
Examples: companies, bodies and / or associations and parent, subsidiary and / or related companies
«binding corporate rules»: personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity
Examples: rules determined by a group of undertakings or group of enterprises engaged in a joint economic activity with the aim of being compliant with the GDPR when they transfer personal data to third countries. These rules must be previously approved by a competent supervisory authority. For instance: a company is located in Italy and has an establishment in Brasil and transfers employees’ data to Brasil where data processing related to administrative activities concerning human resources are carried out on behalf of the whole group of enterprises
«supervisory authority»: an independent public authority which is established by a Member State
Examples: the supervisory authority in Italy is the Garante per la Protezione dei Dati Personali, with its office in Piazza Venezia 11, 00187 Roma (RM – Rome – Italy) – www.garanteprivacy.it, and it controls, enquires and requests to produce information on all data protection matters, so as to make sure that processing is carried out meeting the GDPR requirements. It can impose administrative fines and penalties, since the Garante has powers and duties to supervise the correct and constant application of the GDPR. Data subjects can lodge a complaint with the Garante
«cross-border processing»:
a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State
Examples: it is the same controller (company or organisation) which carries out data processing in several offices located within the European Union. For instance, it operates in Italy, France and Belgium with offices in each of these countries
or
b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State
Examples: even though the registered office of the controller or the processor (company or organisation) is in a country which is in the European Union, data processing concerns persons who are not in that country but in another country. For instance, when the controller is in Italy, but it processes personal data of persons residing in France or Germany or in another European Union country
«information society service»
Examples: interactive communication services, services provided through the Internet
«electronic communication»: any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service. This does not include any information conveyed as part of a broadcasting service to the public over an electronic communications network except to the extent that the information can be related to the identifiable or identified contracting party or user receiving the information
Examples: e-mail service, Internet / network connection
«call»: a connection established by means of a publicly available electronic communications service allowing two-way communication
Examples: phone call, anyway made (e.g.: video call, from landline or mobile, via Skype, WhatsApp)
«electronic communications service»: a service which consists wholly or mainly in the conveyance of signals on electronic communications networks, including telecommunications services and transmission services in networks used for broadcasting
Examples: e-mail service, Internet connection, interactive TV
«contracting party»: any natural or legal person, body or association who or which is party to a contract with the provider of publicly available electronic communications services for the supply of such services, or is anyhow the recipient of such services by means of pre-paid cards
Examples: a natural person (or a person different from a natural person) who has entered into a contract to use landline or mobile phone, either as a subscription or with pre-paid cards
«user»: natural person using a publicly available electronic communications service for private or business purposes, without necessarily being a contracting party to such service
Examples: a user can only be a natural person (and not a legal person) who uses phone, e-mail, Internet connection for private and personal or professional purposes and who can be a contracting party (contractor) or the beneficiary of these services (e.g.: a person who uses a pre-paid card). For instance, the person uses the mobile phone with a pre-paid card which has been activated by another person
«traffic data»: any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof
Examples: time of a call / conversation on the phone or connection, received and dialled calls
«location data»: any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service
Examples: data detected by geolocation systems (GPS)
«electronic mail»: any text, voice, sound or image message sent over a public communications network, which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient
Examples: e-mail service to receive and send textual messages or videos and photos
«rights of data subjects»: right of access, rectification, erasure, restriction of processing, data portability, right to object also to processing carried out for direct marketing and / or for profiling purposes. These rights allow data subjects to have control of the processing operations concerning their personal data.
To learn more, click here or read FAQs or contact me.
Leave a Reply