This article is written in collaboration with a law agency. However, it is intended for general information purposes only. It does not constitute a client-attorney relationship or personalized legal advice.
In order to properly understand GDPR, there are some definitions that you need to know:
- Data subject
- Personal data
- Sensitive data
We’ve tried to explain them as clear and simple as possible. Take the time to read and understand, otherwise you’ll just be very confused later on.
Who is a data subject?
A data subject is a natural person (i.e. a human being) whose personal information (more on that below) you are processing. For example, a data subject is a website visitor, a customer or an employee.
What is processing?
Processing can be any activity or set of activities performed on personal data, e.g. viewing, collecting, storing, transferring, modifying, erasing.
Simply put, pretty much anything you do with your customers’ data on purpose is “processing.”
GDPR Art. 4 (2): processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
What is personal data?
Personal data is almost any data about a person. For example:
- personal identification number
- location info
- appearance description
- information about hobbies
- cultural preferences
GDPR Art. 4 (1): Personal data is any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive data: a special category
Sensitive data is data about a person’s:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- sex life or sexual orientation
- genetic data
- biometric data
(Technically, all this is called “special categories of data” by GDPR, but for the sake of brevity, we’ll continue referring to it as sensitive data.)
The important part: you are not allowed to process sensitive data without an explicit consent from the data subject (unless exceptions listed under GDPR Art. 9 (2) apply). Sensitive data also requires more strict safety and security measures. If you’re dealing with sensitive data, we recommend getting legal advice to ensure compliance.
Personal data is personal as long as you have a way to tie it to an actual person. This means that if the data contains someone’s name, address, email, IP address etc, it’s personal data. However, if you remove everything that ties to to a person, the data is effectively anonymized and no longer counts as personal data.
Who is a controller?
The short version: You are the controller.
A controller is someone who determines the purpose (the why) and means (the how) of processing personal data. If you own a website that does anything with its visitors personal data, you are the controller. You control your customers’ data and you are ultimately responsible for it.
GDPR Art. 4 (7): A controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Who is a processor?
A processor processes personal data on behalf of someone else. For example, your web hosting provider is a data processor. They own the servers where your customers data is stored, so they also have access to your customers personal data. It’s also likely that they will occasionally need to process it, whether manually (fixing a bug somewhere) or automatically (making backups). Another example would be MailChimp (or any other similar service), which also has access to your customers personal data. Your web developer is also a data processor.
The important part: there has to be a written contract between you and your data processor (GDPR Art. 28). This is something that most bigger service providers will handle by themselves. However, note that you’ll also need a contract with your web developer and any other third party who you share the data with, otherwise there might be trouble.
GDPR Art. 4(8): A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
The definitions are explained more thoroughly in GDPR Art. 4.