When do the rules of the GDPR come into play? That’s simple: from the moment personal data are processed. In this blog we will explain what is meant by ‘personal data’ and ‘processing’. After that, we will discuss the two main actors involved in this data processing, namely the ‘data controller’ and the ‘processor’.
Personal data is the core of what the GDPR protects. Personal data is any information relating to a living natural person who is identified or identifiable. Information about legal entities, such as the name, contact details or legal form of a company, is not personal data and is therefore not protected by the GDPR, except where it also refers to an individual person (for example, the name of a sole trader or the direct line of an employee).
An example: a named address of the form firstname.lastname@example.org is personal data; a generic, functional mailbox such as email@example.com is not.
Personal data must be interpreted very broadly. The basic principle is that the data can be used to establish a link to a specific person. This can be a direct link, where a single piece of information immediately tells you to whom it relates; the person is then ‘identified’. An indirect link is also sufficient: a piece of information that, in combination with other data, can be traced back to a specific person. In that case the person is ‘identifiable’.
Purely anonymous data are therefore not personal data. Be careful here, because producing genuinely anonymous data is a difficult and highly technical exercise. Data that at first sight looks abstract (hashed identifiers, pseudonyms, aggregated statistics over small groups) remains personal data as soon as there is a realistic chance of re-identifying an individual, or even of ‘singling out’ one individual from the rest without knowing who it is.
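As an added illustration of the ‘singling out’ point (this is example code, not part of the original post), the following script takes a constructed web-analytics export in which the e-mail column has been replaced by an unsalted SHA-256 hash, a step many teams believe makes the data anonymous. It shows two things: the hashed rows can still be grouped per person (singling out), and anyone holding a list of candidate addresses can reverse the hashes with a simple dictionary attack. It then repeats the export with a keyed hash (HMAC). That defeats the dictionary attack for outsiders, but the data is still only pseudonymised in the GDPR sense, because whoever holds the key can re-identify the rows and singling out still works. All records, addresses and the key are made up for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample export: the "email" column is what a CRM would hold.
RAW_RECORDS = [
    {"email": "anna.janssens@example.org", "page": "/pricing"},
    {"email": "bert.peeters@example.org", "page": "/contact"},
    {"email": "anna.janssens@example.org", "page": "/checkout"},
]

# Constructed list of addresses an attacker, or a colleague with CRM access,
# might already have. Only some of them appear in the export.
KNOWN_ADDRESSES = [
    "anna.janssens@example.org",
    "bert.peeters@example.org",
    "carla.dubois@example.org",
]


def pseudonymise(email: str) -> str:
    """Naive 'anonymisation': unsalted SHA-256 of the lower-cased address."""
    return hashlib.sha256(email.lower().encode("utf-8")).hexdigest()


def pseudonymise_keyed(email: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA-256 under a secret key held by the controller."""
    return hmac.new(key, email.lower().encode("utf-8"), hashlib.sha256).hexdigest()


def export(records, hasher=pseudonymise):
    """Replace the e-mail column by a pseudonym produced by `hasher`."""
    return [{"uid": hasher(r["email"]), "page": r["page"]} for r in records]


def single_out(exported):
    """Group rows by pseudonym. Equal pseudonyms mean the same person, so every
    row can still be attributed to one individual even without knowing who."""
    groups = defaultdict(list)
    for row in exported:
        groups[row["uid"]].append(row["page"])
    return dict(groups)


def reidentify(exported, candidates):
    """Dictionary attack: hash every candidate address with the unsalted scheme
    and look the export's pseudonyms up. Returns {pseudonym: email} for hits."""
    table = {pseudonymise(c): c for c in candidates}
    return {row["uid"]: table[row["uid"]] for row in exported if row["uid"] in table}


def demo():
    """Run both exports and return what an attacker without the key learns."""
    plain = export(RAW_RECORDS)
    keyed = export(RAW_RECORDS, lambda e: pseudonymise_keyed(e, b"constructed-secret-key"))
    return {
        "plain_persons": len(single_out(plain)),          # 2 distinct people
        "plain_reidentified": len(reidentify(plain, KNOWN_ADDRESSES)),  # both recovered
        "keyed_persons": len(single_out(keyed)),          # still 2: singling out works
        "keyed_reidentified": len(reidentify(keyed, KNOWN_ADDRESSES)),  # 0 without the key
    }


if __name__ == "__main__":
    print(demo())
```

The practical takeaway for a controller: a column of unsalted hashes is personal data, and so is a column of keyed hashes as long as the key exists anywhere. Only removing the ability to link rows to a person, not merely hiding the name, moves data out of the GDPR's scope.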
Examples of personal data: names of customers or employees, a personal telephone number or e-mail address, bank and payment data, health data, location data, IP address, etc.
The GDPR distinguishes between ordinary personal data and special categories of (sensitive) personal data. Sensitive data are data that reveal, among other things, a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation, or state of health. The GDPR also adds new special categories, namely genetic data and biometric data processed for the purpose of uniquely identifying a person. Processing such special data is subject to stricter rules and creates additional obligations for the data controller. More information on sensitive data will follow in future blogs!
Any operation performed on personal data is called processing. This too must be interpreted very broadly. It includes the collection, updating, storage, consultation, use, transmission, distribution, structuring, combination and the deletion or destruction of personal data. This list is certainly not exhaustive; there are other ways in which data can be processed.
To fall within the scope of the GDPR, the processing must be automated, or the data must be recorded in a filing system or intended to be recorded in one. In other words, purely oral processing is not covered. What matters is what is actually recorded somewhere. That record can be electronic as well as tangible, on paper. So be careful with printing and filing: paper archives are a treasure trove of personal data that is difficult to oversee, and they are covered just as much as a database!
Examples of processing: consulting customer data, sending advertising e-mails (“direct marketing”), destroying personnel data, storing job application data, etc.
The data controller is the person or organisation that determines why (the purpose) and how (the means) personal data are processed. That person or organisation may do so alone or jointly with others. In the latter case, the joint controllers must agree on their respective responsibilities.
The data controller is subject to many obligations, such as the obligation to inform the person whose data are being processed (the ‘data subject’). The data controller must also ensure that appropriate technical and organisational measures are taken to protect the data, as the GDPR requires.
For example, if I decide to keep a file with all my customers and their ongoing projects, then I am a data controller as far as that processing is concerned.
The processor processes personal data on behalf of the controller. The data controller and processor must regulate the terms of the processing in a written agreement (the processor agreement), which covers at least:
- the nature and purpose of the processing;
- the various types of personal data that will be processed;
- the categories of data subjects whose data will be processed; and
- the rights and obligations of both parties.
The processor may therefore never do more with the personal data than the controller has instructed it to do; any processing outside those instructions makes the processor a controller in its own right for that processing.
A variation on the previous example: if I decide to use a provider of a CRM system to implement my decision to keep a file with all my customers and their ongoing projects, then this provider will be a processor for me.
An organisation should therefore consider for each processing activity whether it is a processor or a data controller. In other words: do they decide themselves about the purpose and means, or is this imposed on them?
It is therefore possible that one and the same organisation can fulfil the role of both a controller and a processor, for different processing activities.
For example: as a web developer and host, I keep a file of customers for whom I host websites (and to whom I also invoice). For this processing, I am the data controller. If I also carry out maintenance on the hosted websites for these customers, then I am a processor for a processing for which my customer is the controller.
The distinction between data controller and processor is crucial because of the different responsibilities attached to each role, yet in some circumstances it is so obscure and delicate that a thorough, objective analysis is definitely advisable. After all, the GDPR is very much about accountability and documentation: you must be able to show why you concluded that you are the one or the other.
Do you also have doubts about your role as processor or data controller? Contact our specialists at firstname.lastname@example.org.
Written by Larissa De Keyser, Trainee theJurists, Duygu Öztürk – CIPP/E, Privacy Chair theJurists and Kris Seyen, Partner theJurists