GDPR, with its 11 chapters and 99 Articles, aims to protect user data privacy across the European Union (EU). Unfortunately, across those 11 chapters and 99 Articles, the drafters of the GDPR used complex legal jargon that is not easy to understand.
In this article, we’ve listed and explained all the GDPR Article 4 definitions, the legal-speak of the GDPR framework, in a way that is easy for everyday folks to understand. Whether you are on the DIY route to GDPR compliance or are seeking expert advice, this GDPR Article 4 guide is for you.
What is GDPR Article 4?
GDPR Article 4 is the glossary of all the terms used in the GDPR framework. Here we talk about the 26 phrases you commonly come across throughout the GDPR law in simple English and include examples where possible.
Personal Data
Any piece (or pieces) of information that can be used to identify an individual comes under GDPR’s definition of Personal Data.
For example, identification numbers, physical location, and any information that could reveal a user’s genetic, economic, mental, or cultural status come under the definition of Personal Data.
For any information to qualify as ‘Personal Data’, it has to satisfy these four factors.
- Any information
- Relating to
When data sets have these four attributes, they are classified as Personal Data.
Data Subject
Any individual providing these data sets comes under the scope of the GDPR Data Subject definition.
Processing
The GDPR Processing definition covers any action taken with personal data.
The term ‘action’ is used broadly. Here we’ve listed the scenarios where it commonly applies.
- Collection: When information is collected through forms, cookies, etc.
- Recording: When information is captured through surveillance systems and sensors (CCTV, door sensors, etc.)
- Organization: When access to information is granted based on the roles and responsibilities tagged to a position
- Classification: When Data is classified according to age, income, gender, or any other broad classification model
- Alteration: When Data is updated, anonymized, or pseudonymized
- When information is accessed for targeted use
- When Data is used for a physical application. For example: to send mail or packages
- Transmission: When user data is transferred from one organization to another
- When an organization shares user data with an unlimited audience. For example: broadcasting through radio, TV, etc.
- When information is made accessible in sources that can be found through search engines
- When information is used for comparisons
- When information is used for profiling
- When information is overwritten multiple times and is no longer similar to the original data set
- When information is destroyed. For example: shredding physical records
Restriction of Processing
The GDPR definition of Restriction of Processing applies when the Controller holds specific personal data that is different from the usual attributes it needs for data processing. Restriction of Processing prevents Controllers from deleting said data.
As an organization, if you hold restricted data, ensure that technical safeguards (encryption, hashing methods) are deployed so that these data sets are neither used in automated processing nor made available for data transfers.
Profiling
Profiling refers to the dangers or risks a user is exposed to as a by-product of the statistical and mathematical use of data subjects’ data.
These processes usually create a predictive model that forecasts future user behaviour.
Pseudonymization
This is a form of processing where specific attributes of a data set are either replaced or separated from the original file. The split or replaced files are generally stored in protected systems.
Pseudonymized Data is a form of encryption in the sense that any other party without access to the protected files will not be able to extrapolate an individual user’s details from the available information.
File System
The term ‘File System’ is generally used when Personal Data is processed in a non-automated context. That means the data set is not spread across multiple portals or locations and is not being targeted by electronic means.
Examples of the use of ‘File System’ in your organization are:
* Processing salaries
* Communication with your users
* Guest lists for events
Controller
A Controller is any person or organization that decides how or why Personal Data is processed. You are within the scope of the GDPR Controller definition if you collect user data on your website through forms, emails, physical methods, or other web-based and accessory-based (such as smartwatch or mobile application) electronic media.
Processor
A GDPR Processor is any person or organization that processes personal data for a Controller.
Suppose a Controller outsources a data processing activity to another company. In that case, the company processing that Data is a Processor.
Consent
Consent in this context is when users willingly share their information with you (the Controller). This can be in either electronic or written form.
The most commonly used way of collecting consent is by including a checkbox for users to give their consent.
When taking cookie consent, ensure that information on what kind of Data is collected, its usage, and the duration of use is mentioned clearly in plain and straightforward language.
When designing Consent Management Systems, ensure that you cover these three critical points.
- Clear and precise:
The user should be provided with information on everything they are consenting to. Avoid hiding details in the fine print.
- Withdrawing consent:
Ensure that users are informed about their right to withdraw their consent. Again, this process should be easy.
- Legal eligibility:
Ensure that the individual giving consent to data use is legally eligible to consent. In cases involving minors, involve their parents or legal guardians in the consent management process.
Recipient
Any individual, entity, or organization a Controller shares user data with is termed a recipient.
Processors are also termed recipients.
International Organization
An International Organization is an entity that is governed by public law. It could also be an entity created by the governments of multiple countries.
Examples: World Health Organization (WHO), United Nations (UN)
Third Party
The concept of a Third Party does not have a definite meaning here. In the data life cycle, the user, the Controller, and the Processor appointed by the Controller are not considered Third Parties. However, the Processor becomes a ‘Third Party’ entity if they are based outside the European Union (EU).
Personal Data Breach
Any incident or data breach that involves personal Data is called a Personal Data Breach. This could happen for two reasons:
1) Attackers or hackers breached your security systems
2) Ignorance or negligence of internal employees in following protocol when processing or storing information
Here are a few examples of ‘Personal Data Breach’ scenarios:
- When internal systems get hacked
- When you lose access to your data centres (physical and virtual)
- Data transfers to unauthorized individuals/entities
- Accidental data leak (displaying information on websites, social handles etc.)
- Loss of physical data carriers
- Destruction of data storage centres
- Loss of data due to ransomware encryption
- Loss of data from employee’s unlocked storage units
Genetic Data
Genetic Data is unique health information about data subjects that gives insights into their genetic conditions, their medical history, and predictive analysis of future hereditary diseases.
Genetic Data contains buckets that store information on a user’s DNA and RNA which, when misused, could be abused in the insurance and employment sectors.
Biometric Data
Fingerprints, voice patterns, gait, signature, writing style, typing style, and iris scans are considered biometric data.
Note that blood type and a passport picture are not considered biometric data.
Data Concerning Health
This is also commonly referred to as ‘Health Data’. Health Data is any information that has insights into a user’s physical or mental health. Even data from fitness apps on smartwatches and smartphones are considered Health Data.
Health Data also includes:
- Any information on addiction and its recovery/relapse
- Information on hospitalization notes and expenses
- Mental and physical capacity to work
Main Establishment
The Main Establishment is where all the executive decisions of the organization are made. The concept of Main Establishment becomes relevant when an organization has more than one physical office.
The Main Establishment is defined so that, when under compliance review, the Controller is not allowed to pass the buck.
The Main Establishment is the place:
- Where decisions about the purposes and means of processing are made and finally signed off
- Where decisions about business activities that involve data processing are made
- Where the power to have decisions implemented effectively lies
- Where the Director with responsibility for cross-border processing is located
- Where the Controller or Processor is registered as a company
Representative
These are natural or legal persons designated by Controllers or Processors. The primary responsibility of a Representative is to act as a point of contact for Data Subjects or authorities.
Enterprise
An Enterprise is an individual, an entity, or a group of entities that are involved in economic activities for an extended period.
Enterprise comes into play when the regulatory authorities of the GDPR law need to determine the unit that needs to be fined.
Group of Undertakings
When two or more entities work together, and one has the absolute power to influence or impose regulations on the others, those entities are classified as a ‘Group of Undertakings’.
A Controller giving instructions to a Processor will not be considered a ‘Group of Undertakings’.
Binding Corporate Rules
Binding Corporate Rules are instructions and guidelines defined by Controllers and Processors within a union to protect personal data when transferred outside the union.
When an entity transfers data to an entity from a Third country (Outside the EU), these Binding Corporate Rules form a legal basis for said transfer.
Please note that these rules are valid when Data is transferred within the union. However, in instances where it is sent outside the union, these rules become invalid.
Supervisory Authority
Commonly known as the Data Protection Authority (DPA), a Supervisory Authority is a public organization whose responsibility is to ensure that the regulations laid down by the GDPR law are complied with.
Every member state appoints DPA(s). It is the job of the DPA to cater to the needs of its state and also to join hands on a national level with DPAs from other member states and work in collaboration when the need arises.
DPAs are the ones an organization communicates with when audited for compliance.
Supervisory Authority Concerned
Situations that qualify for Supervisory Authority Concerned are:
1) When a Controller/Processor has a physical establishment within the member state’s jurisdictional limits
2) When a Data Subject is within the jurisdictional limits of a Supervisory Authority
3) When a complaint has been lodged with the DPA
Cross-Border Processing
When data processing happens in multiple member states of the EU, or when an entity from a single member state processes Data that impacts various member states, it is termed Cross-Border Processing.
Relevant and Reasoned Objection
When a DPA objects to a decision or draft issued by a lead DPA and the objection is backed by data-driven reasons, it is tagged as a Relevant and Reasoned Objection. Complaints of this nature are submitted to the European Data Protection Board (EDPB).
This concept was brought in so that DPAs do not overburden the EDPB with objections that are generic or have no data-driven logical arguments.
Information Society Service
This is the legal definition of the term ‘Information Society Service’. GDPR refers to Article 1(1)(b) of Directive (EU) 2015/1535 on a procedure for the provision of information in the field of technical regulations and of rules on Information Society Services. Under that definition, such services are any service “normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient”.
In simpler terms:
An Information Society Service is when a user asks for information on an organization’s technical and security measures.
According to this:
- The requester need not be physically present to make a request
- Electronic means of communication are used to make the said request.
- This service is provided only when an individual (Data Subject) asks for it
How Do We Demystify Article 4 GDPR for You?
Here in GDPR Article 4 Definitions, we’ve demystified the legal speak into plain English while retaining the nuance and salient features of the GDPR law. The compliance process is full of legal jargon and, when misinterpreted, could result in non-compliance.
At Sprinto, we aim to provide a seamless and straightforward compliance process by presenting complex information sets in easy-to-understand bits. This approach has helped us make the compliance journeys of our 100+ clients breezy.
You are not alone if you find it challenging to become GDPR compliant the DIY way. Contact us today if you wish to automate your compliance process.