© GDPR EU 2023. All rights reserved.
Key Concepts - GDPR EU - 2022
You can locate all the links to all key concepts regarding GDPR on this page.
One of these pieces of data may not be enough to identify an individual. However, when collected together, they can identify a particular person and therefore constitute personal data. This is why it is often referred to as personally identifiable information or PII.
Special categories of personal data include sensitive personal data, such as biometric and genetic information that can be processed to identify a person.
Personal data that relates to criminal offences and convictions aren’t included, but there are separate processing safeguards in place. GDPR Article 10 will give you more information on this.
Companies must ask people’s permission to process their data. Under GDPR this is called ‘consent’.
Consent can be withdrawn by the user at any point. The company must make it simple and accessible to withdraw consent.
In Article 6(1)(f) of GDPR, a lawful basis for processing is presented called legitimate interests. It says:
“[where] processing is necessary for the purpose of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.”
The introduction of GDPR has sparked questions about whether certain organizations are generally data controllers or data processors.
Understanding the difference between data controllers and processors is vital for GDPR compliance.
GDPR legislation says that Data Protection Officers (DPO) must be appointed by some companies. This refers to public authorities and companies that process large amounts of data.
