Read the book International Data Protection Laws - Amit Luhach - Page 8
GDPR Terminology
Personal Data
The GDPR defines personal data as any information relating to an identified or identifiable natural person.1 An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.2 In determining whether a natural person is identifiable, account must be taken of all the means reasonably likely to be used, such as singling out, by the controller or by another person to identify the natural person directly or indirectly.3 In Breyer v. Deutschland, the CJEU, while dealing with dynamic IP addresses, held that “so far the means likely reasonably to be used by both the controller and by any other person, for information to be treated as personal data, it is not required that all the information enabling the identification of the data subject must be in the hands of one person. Thus, it appears that the online media services provider has the means which may likely reasonably be used to identify the data subject, with the assistance of other persons, namely the competent authority and the internet service provider, based on the IP addresses stored”.4 The above-cited case was decided under the now-repealed Directive 95/46/EC, but it can still be used to understand the definition of personal data under the GDPR.
Sensitive Personal Data
The GDPR classifies certain types of personal data as special categories of personal data. These are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data5, biometric data6 to uniquely identify a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. The processing of sensitive personal data is prohibited under the GDPR unless an exception applies.
Processing
Processing means any operation or set of operations performed on personal data or sets of personal data whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.7
Controller
A controller is someone who determines the purposes and means of the processing of personal data.8 Under the GDPR, a natural or legal person, public authority or other body may act as a controller. With far-reaching consequences, the CJEU in Holstein v. Wirtschaftsakademie held that “the concept of ‘controller’ encompasses the administrator of a fan page hosted on a social network”.9 Accordingly, the opinion of Article 29 Data Protection Working Party (WP29)10 was rejected by the CJEU. WP29 had stated that “the preference should be given to consider as a controller the company or the body as such, rather than a specific person within the company or the body”.11 In Google Spain v. AEPD, the CJEU held that “the activity of a search engine consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference must be classified as the processing of personal data, and the operator of the search engine must be regarded as the ‘controller’ concerning that processing”.12
Processor
A processor is defined as a natural or legal person who processes personal data on behalf of a controller.13
Recipient
A recipient is a legal or natural person to whom the data is disclosed, whether a third party or not. In this context, the term recipient is wider than the term ‘third party’. The distinction is essential to decide whether disclosure of data is lawful. For example, a third party would not be able to use personal data processed by a controller without some legal ground, but a recipient need not fulfil any such requirement if it is an employee of that controller or processor. However, a public body receiving such data for a particular inquiry under Union or Member State law is not considered to be a recipient under the GDPR.14
Third Party
A third party is a natural or legal person who is different from the data subject, controller, processor and persons under the direct authority of the controller.15 This would cover organizations other than the controller’s, even if they belong to the same holding or group.
Data Subject
The GDPR does not define the data subject explicitly. An ‘identified or identifiable natural person’ under the definition of ‘personal data’ would qualify as a data subject.