At first glance, the GDPR can appear confusing like any other legal topic. It introduces numerous legal terms that are vital for understanding the regulations.
What is a data controller and how is that different from a data processor? And of the two, which should I look for if I want to assert my rights towards a company?
In this article, we explain the most important terms and concepts relating to the GDPR so that you can stay in control of and exercise your data protection rights. You’ll find that it isn’t that difficult to understand once you know some of the terms.
What is the GDPR?
The GDPR (short for General Data Protection Regulation) is an EU regulation that came into force on 25 May 2018 that regulates data protection in the European Union. It is intended to give citizens better control over their data and to harmonise data privacy laws across Europe.
As an EU regulation, the GDPR does not have to be implemented by member states, but is directly binding and applicable. For the most part, it replaces the previously applicable national data protection laws such as the British Data Protection Act 1998 (DPA). Certain aspects, however, may also be individually adjusted by the member states. The new Data Protection Act 2018 (DPA 2018) that supplements the GDPR came into effect on 23 May 2018, replacing the 1998 Data Protection Act.
Terms and concepts
Data controller
The data controller is the entity which either directly processes your personal data or has it processed by a data processor. The term “entity” is very broad and can refer to a person, a company, an authority or even an organisation.
Data minimisation
Data minimisation is an important principle for data protection that the GDPR prescribes. The idea behind it is simple: Only the data necessary for carrying out the stated purpose should be collected and processed. If a company wants to send you a newsletter, all it needs is your email address. Following the data minimisation principle, it should not collect any other data.
This concept is important not least because of security reasons. We live in a time where users' private data are regularly leaked to the public because companies have not sufficiently secured them. Data that a company does not have cannot be lost.
Data processor
A data processor is — as the name implies — a company that processes personal data on behalf of a data controller. For example, if a company’s email server is hosted externally, the host acts as the data processor.
The data controller and the data processor enter into a so-called “data processing agreement” (DPA), which regulates exactly how the data is processed.
What is important for you as a consumer: As a rule, the data processor is not the person to look for if you want to exercise your rights. Instead, contact the data controller directly.
Data protection officer
A data protection officer’s task is to ensure that a company (or another organisation, such as a government agency) complies with data protection law. The officer is appointed by the organisation itself and must have a certain degree of independence in order to perform the role.
If a controller has appointed a data protection officer, this person should be your contact person for data protection-related enquiries, for example if you want to exercise your rights.
Data subject
The data subject is the person whose personal data are processed. As a consumer, this usually refers to you.
One stop shop principle
The one stop shop principle regulates the responsibility of the data protection supervisory authorities. For you as a consumer, this means that you may also lodge complaints with the supervisory authority in your own country (in concrete terms, this is the “Member State of [your] habitual residence, place of work or place of the alleged infringement”). This is particularly helpful if the controller is located in another country.
Our Data Protection Supervisory Authority Finder will help you find the supervisory authority responsible for you.
Personal data
The concept of personal data is the crux of the GDPR. Almost all of the regulations refer to it. As soon as information can be assigned to a specific person, it is considered personal data. A name is not necessarily required for the assignment. For example, an IP address, a user name, a cookie, or an identification number would suffice.
The information that the IP address 188.8.131.52 visited our generator on 25 May 2018 would therefore be considered personal data. On the other hand, the information that on the same day in a bakery a third of the customers paid with cash is not.
Processing
The GDPR defines processing as virtually everything that a controller can do with personal data. This includes in particular:
- Organisation and structuring
- Adaptation or alteration
- Retrieval or consultation
- Alignment or combination
- Erasure or destruction
The term refers to both automated and manual processes.
Profiling
Profiling is a form of automated processing where the controller uses your personal data to automatically evaluate certain personal aspects relating to you without any human intervention. It is often a matter of analysing and predicting aspects such as the following:
- Work performance
- Economic situation
- Personal preferences
- Location or movements
A classic example is the credit check that you need to pass before getting a mobile phone or credit card contract. Many companies will forward your data to credit agencies such as Experian or Equifax. These agencies will then determine how likely you are to fulfil your contractual obligations based on information such as your previous payment behaviour or the number of bank accounts that you have.
Data subject rights
The GDPR grants you extensive rights with regard to your personal data. This starts with the right to information: If a controller wants to process your data, they must inform you about it and tell you how you can contact them if you have any questions.
Even after the processing of your data has started, you still have numerous other rights. For example, you can ask what personal data is being processed and request a copy of it. You can also ask for incorrect data to be corrected and, under certain circumstances, even have your data deleted.
You will find a comprehensive overview and a detailed explanation on this subject in our article on your GDPR rights.
Special categories of personal data
Some data is more sensitive than others. While you may have no qualms about giving your name to a new app, it doesn’t have to know your religious beliefs. The GDPR recognises that these so-called “special categories of personal data” deserve and need special protection. Therefore, the processing of such data is only allowed under certain circumstances.
Concretely, this concerns the following data:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for the purpose of uniquely identifying a natural person
- Data concerning health
- Data concerning a natural person’s sex life or sexual orientation
Data protection supervisory authorities
The data protection supervisory authorities are independent bodies in each EU country. Their task is to ensure compliance with data protection laws, in particular the GDPR.
To accomplish this, they may monitor controllers, require them to comply with data protection laws, and impose fines where necessary.
For you as a consumer, they are here to help. If you think that a controller is not processing your data correctly, you can contact the data protection supervisory authorities free of charge at any time.
If you are not sure which authority you should contact, take a look at our data protection supervisory authority finder.
GDPR cheat sheet — an explanation of the important terms and concepts
Licensed under: Creative Commons Attribution 4.0 International License