Key Definitions

Personal data, processing, personal data file, controller, data subject and processing of personal data on behalf of someone else are all central concepts within the field of data protection.

Personal data means any information on a private individual, his or her personal characteristics or personal circumstances. What is essential is whether a certain individual is identifiable based on the data at hand. Purely anonymous data, which does not relate to an identifiable individual, is not regarded as personal data. Processing of such anonymous data does not fall under the definition of personal data in the data protection legislation and is not covered by the privacy regulations.  

Processing of personal data means the collection, saving, organization, use, transfer, disclosure, storage, editing, combination, protection, deletion and erasure of personal data, as well as other measures directed at personal data. Therefore, the definition is fairly broad.

Controller means the person, company, organization or other entity, which sets out the purposes and the manner in which personal data is processed.

Data subject means a natural person to whom the personal data relates.

Processing personal data on behalf of someone else means an arrangement where a data controller outsources some or all of its data processing activities to a subcontractor, i.e. the processor of personal data. A processor can also have its own sub-processors. The data controller is responsible for the data and the processing thereof. The GDPR requires that the subcontracting arrangements and the related responsibilities for data processing are agreed in writing.