General Data Protection Regulation 2018

Please liaise with the relevant Data Protection Officer before commencing any project, with a view to ensuring compliance with any institutional data protection policies. A new data protection regulation will take effect on the 25th May 2018.


Help Identifying Data Controller - WORKSHEET


"Data Controller" - means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

"Data Processor" - means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

"Personal Data" - means any information that relates to an identified or identifiable living individual.

  • Different pieces of information which, collected together, can lead to the identification of a particular person also constitute personal data.
  • Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law.
  • Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
  • The law protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.

"Examples of Personal Data" - include the following:

  • a name and surname
  • a home address
  • an email address such as name.surname@company.com
  • an identification card number
  • location data (e.g. the location data function on a mobile phone)*
  • an Internet Protocol (IP) address
  • a cookie ID*
  • the advertising identifier of your phone
  • data held by a hospital or doctor, which could be a symbol that uniquely identifies a person
*Note that in some cases there is specific sectoral legislation regulating, for instance, the use of location data or the use of cookies: the ePrivacy Directive (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 (OJ L 201, 31.7.2002, p. 37)) and Regulation (EC) No 2006/2004 of the European Parliament and of the Council of 27 October 2004 (OJ L 364, 9.12.2004, p. 1).

"Examples of Data not considered Personal Data" - include the following:

  • a company registration number
  • an email address such as info@company.com
  • anonymised data

REFERENCES

  1. Articles 2, 4(1) and (5) and Recitals (14), (15), (26), (27), (29) and (30) of the GDPR
  2. WP 01245/07/EN, WP 136 Opinion 4/2007 on the concept of personal data
  3. Article 29 Working Party Opinion 05/2014 on Anonymisation Techniques