Data Controller
A person or entity who decides the purpose for which any personal data is to be processed
and the method for how that data will be processed. This can be decided by one person
alone or jointly with other people.

Data Processor
A person or entity that processes personal data on behalf of a data controller. This will
include sub-contractors.

What is personal or sensitive data?
Any information relating to a living individual who can be directly or indirectly identified from
that information or from other information that is likely to be held by a data controller.

Examples of personal data and sensitive personal data are listed below:

Not Personal Data Personal Data Sensitive Personal Data
Address without a name Name and address Racial or ethnic origin
A generic email address
such as
Personal email address Political opinions
A receipt with date, time, last
4 digits of credit card number
but no name or email
Name and last 4 digits of
credit card number
Religious beliefs
Corporate accounts with
summary payroll data
Pay records with gender and
age, even if without a name
Sexual preferences
Company name and website A web cookie Biometric information (such
as fingerprints)

Data Protection Officer
A formal role required for certain categories of data controllers, with responsibility for
advising on, monitoring internal compliance with and assisting in the implementation of data
protection regulations within a business.

Any form of automated processing of personal data in order to evaluate certain personal
aspects relating to a living individual, such as for analysis or prediction purposes.

Any operation or set of operations which is performed on personal data or on sets of
personal data, such as collection, recording, organisation, structuring, storage, adaptation,
restriction, erasure or destruction.

Any freely given, specific, informed and unambiguous indication of an individual's wishes by
which he or she, by a statement or by a clear affirmative action, signifies agreement to the
processing of personal data relating to him or her.

The processing of personal data in such a manner that the personal data can no longer be
attributed to a specific individual without the use of additional information, provided that such
additional information is kept separately and is subject to technical and organisational
measures to ensure that the personal data are not attributed to an identified or identifiable
living individual.

Personal data breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise