
Basic Terminology

Data Subject :

Data Subjects are the natural persons or individuals whose data is processed by the company.


Personal Data :

Per Article 4(1) of the GDPR, “personal data” means any piece of information that can be used to identify a natural person. Some examples of personal data are:

  • Name
  • Address
  • Personal Code
  • Tax ID
  • Health Data
  • Genetic Data
  • Political Affiliations

Processing :

‘Processing’ means any operation or set of operations performed on an individual’s personal data. For example:

  • Data Collection
  • Computations on data
  • Data Archiving
  • Data Sharing
  • Transmission
  • Encryption
  • Erasure

Processing Purpose :

‘Processing Purpose’ is the reason for processing the personal data. It answers the question ‘why does the company need the individual’s data?’

Data Controller :

Data Controller is the entity that determines the processing purpose of data.


Joint Controller :

If two or more controllers are jointly determining the purposes and means of processing personal data, they are considered joint controllers under GDPR. However, they are not joint controllers if they are processing the same personal data for different purposes.


Processor :

‘Processor’ is the entity that performs the ‘processing’ on the personal data on behalf of the data controller.


Profiling :

‘Profiling’ is any form of automated processing aimed at evaluating a data subject’s personal aspects on the basis of personal data. For example, after buying your dream car you fill in a form for car insurance. Many factors can affect the insurance premium, such as your driving habits, driving history, age and health; evaluating these automatically is what is known as profiling.


Consent :

‘Consent’ is the permission given by the data subject to process his/her personal data. Consent should be granted by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s acceptance of the purpose of processing.

  • The ‘freely given’ component requires that the data subject gives consent independently, and that declining to consent has no negative impact on the existing relationship between the data controller and the data subject. For example, a customer must be free to opt in to flyers, and choosing not to opt in should not affect how the data controller processes his data. An example of ‘tied’ consent: you get services from an online movie company, and the company asks for additional personal data (such as political affiliations) in exchange for a free movie offer. This is not considered ‘freely given’ consent.
  • For consent to be ‘informed’ and ‘specific’, the individual must be given the details of the data controller, the processing purpose, the type of data that will be processed and how consent can be withdrawn; if the data controller sends the data to a ‘third country’ for processing, the appropriate details must also be shared with the data subject.
  • ‘Unambiguous’ consent is consent whose options are conveyed clearly; for example, the consent-seeking statement should not use double negatives, which the data subject may find confusing.

Data Subject Access Request :

‘Data Subject Access Request’ authorises the data subject to demand a copy of their personal data processed by the data controller. Further, the data subject can also ask for:

  • the purposes for which the data is processed
  • erasure or correction of the data
  • porting the data from one data controller to another
  • restricting the processing of personal data
  • objecting to the processing of personal data
  • which organizations the data is shared with

Data Subject Complaints :

In situations where a data subject is dissatisfied with the personal data processing by the data controller, s/he can lodge a complaint with the local Data Protection Authority. The first point of contact is the data controller.


Data Protection Officer :

Data Protection Officer is a role in an organization that steers it on all data protection issues. Following are some of the responsibilities of a DPO:

  • Educating the employees on GDPR compliance requirements
  • Acting as the point of contact with the Data Protection Authority
  • Interacting with data subjects and responding to their Access Requests, Complaints etc.
  • Conducting audits of the implementation of Data Protection processes