Key Concepts

This page collects links to the key concepts of GDPR.

Personal Data

Almost all of our interactions with organizations involve an exchange of personal data. Examples include name, phone number, and address.

One of these pieces of data may not be enough to identify an individual. However, when collected together, they can identify a particular person and therefore constitute personal data. This is why it is often referred to as personally identifiable information or PII.

Special categories of personal data

Special categories of personal data include sensitive personal data, such as biometric and genetic information that can be processed to identify a person.

Personal data relating to criminal offences and convictions isn’t included in the special categories, but separate processing safeguards apply to it. GDPR Article 10 gives more information on this.

Consent

Companies must ask people’s permission to process their data. Under GDPR this is called ‘consent’.

Consent can be withdrawn by the user at any point. The company must make it simple and accessible to withdraw consent.

Legitimate Interest

Article 6(1)(f) of GDPR sets out a lawful basis for processing called legitimate interests. It says:

“[where] processing is necessary for the purpose of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.”

Data Controllers and Processors

The introduction of GDPR has raised questions about whether particular organizations are data controllers or data processors. Understanding the difference between the two roles is vital for GDPR compliance.

Data Protection Officer

GDPR requires some organizations to appoint a Data Protection Officer (DPO). This applies to public authorities and to companies that process large amounts of data.