Data Controller
A person or entity who decides the purpose for which any personal data is to be processed
and the method for how that data will be processed. This can be decided by one person
alone or jointly with other people.
Data Processor
A person or entity that processes personal data on behalf of a data controller. This will
include sub-contractors.
What is personal or sensitive data?
Any information relating to a living individual who can be directly or indirectly identified from
that information or from other information that is likely to be held by a data controller.
Examples of personal data and sensitive personal data are listed below:
Not Personal Data | Personal Data | Sensitive Personal Data |
---|---|---|
Address without a name | Name and address | Racial or ethnic origin |
A generic email address such as info@xx.com | Personal email address | Political opinions |
A receipt with date, time, last 4 digits of credit card number but no name or email | Name and last 4 digits of credit card number | Religious beliefs |
Corporate accounts with summary payroll data | Pay records with gender and age, even if without a name | Sexual preferences |
Company name and website | A web cookie | Biometric information (such as fingerprints) |
Data Protection Officer
A formal role required for certain categories of data controllers, with responsibility for
advising on, monitoring internal compliance with and assisting in the implementation of data
protection regulations within a business.
Profiling
Any form of automated processing of personal data in order to evaluate certain personal
aspects relating to a living individual, such as for analysis or prediction purposes.
Processing
Any operation or set of operations which is performed on personal data or on sets of
personal data, such as collection, recording, organisation, structuring, storage, adaptation,
restriction, erasure or destruction.
Consent
Any freely given, specific, informed and unambiguous indication of an individual's wishes by
which he or she, by a statement or by a clear affirmative action, signifies agreement to the
processing of personal data relating to him or her.
Pseudonymisation
The processing of personal data in such a manner that the personal data can no longer be
attributed to a specific individual without the use of additional information, provided that such
additional information is kept separately and is subject to technical and organisational
measures to ensure that the personal data are not attributed to an identified or identifiable
living individual.
Personal data breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise
processed.