Definition of Key Terms
The following terms used throughout this guide have specific legal meanings under the GDPR. In order to understand your rights fully, please read the following glossary of key terms.
The term “personal data” means any information relating to a living person who is identified or identifiable (such a person is referred to as a “data subject”). If the information can be used on its own or in combination with other information to identify a specific person, then it counts as personal data.
The GDPR gives examples of identifiers, including names, identification numbers, and location data. A person may also be identifiable by reference to factors which are specific to their identity, such as physical, genetic or cultural factors.
The term “processing” refers to any operation or set of operations performed on personal data. Processing includes storing, collecting, retrieving, using, combining, erasing and destroying personal data, and can involve automated or manual operations.
Data Protection Commission
The “Data Protection Commission” was established by the Data Protection Acts 1988 to 2018 ('the Data Protection Acts'). Under the GDPR and the Data Protection Acts, the Commission is responsible for monitoring the application of the GDPR in order to protect the rights and freedoms of individuals in relation to processing. The tasks of the Commission include promoting public awareness and understanding of the risks, rules, safeguards and rights in relation to processing, handling complaints lodged by data subjects and cooperating with (which includes sharing information with) other data protection authorities in other EU member states.
A “data controller” refers to a person, company, or other body which decides the purposes and methods of processing personal data.
A “data processor” refers to a person, company, or other body which processes personal data on behalf of a data controller.
Some types of processing are carried out on the basis that you have given your consent. Under the GDPR, consent to processing must be freely given, specific, and informed. You cannot be forced to give your consent, you must be told what purpose(s) your data will be used for and you should show your consent through a ‘statement or as a clear affirmative action’ (e.g. ticking a box).
Consent is not the only lawful basis on which your personal data can be processed. Article 6 of the GDPR sets out the complete list of lawful reasons for processing personal data as:
- to carry out a contract,
- in order for an organisation to meet a legal obligation,
- where processing the personal data is necessary to protect the vital interests of a person,
- where processing the personal data is necessary for the performance of a task carried out in the public interest,
- in the legitimate interests of a company/organisation (except where those interests contradict or harm the interests or rights and freedoms of the individual).*
*It is important to note that Article 6(1)(f) provides that the "legitimate interests" reason is not available to public authorities where the processing is being conducted in the exercise of their functions.
Profiling is any kind of automated processing of personal data that involves analysing or predicting your behaviour, habits or interests.
Special categories of personal data
Certain types of sensitive personal data are subject to additional protection under the GDPR. These are listed under Article 9 of the GDPR as “special categories” of personal data. The special categories are:
- personal data revealing racial or ethnic origin,
- political opinions,
- religious or philosophical beliefs,
- trade union membership,
- genetic data and biometric data processed for the purpose of uniquely identifying a natural person,
- data concerning health,
- data concerning a natural person’s sex life or sexual orientation.
Processing of these special categories is prohibited, except in limited circumstances set out in Article 9 of the GDPR.
Data Protection Officer (DPO)
The GDPR requires data controllers and data processors to appoint a Data Protection Officer (DPO) in certain circumstances. A data controller can also voluntarily decide to appoint a DPO.