GDPR titbits series: Some defintions


With GDPR round the corner, everyone is asking questions and bandying a lot of terms around. However I’ve noticed that a number of times we’re not really clear on what those terms actually mean or signify. This is why for this post, I’ve picked up some keywords from GDPR and went after their definitions.


[dt_divider style=”thin” /]


Data Subject: is an identifiable person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.


Personal data: any personal information elements relating to an identified or identifiable natural person or data subject. Personal Information is split into 3 categories: General, Organisational & Sensitive

Examples of General personal information elements:

  • Name
  • Gender,
  • Age
  • D.o.B
  • Marital status
  • Citizenship
  • Language spoken

Examples of Organisational personal data elements

  • Physical address
  • IP address
  • Business & personal address
  • Business and personal phone numbers
  • Business and personal email addresses
  • Internal identification numbers
  • Government issues identification numbers
  • Identity verification information

Examples of Sensitive personal information elements:

  • Racial or ethnic origin,
  • political opinions,
  • religious or philosophical beliefs,
  • trade-union membership,
  • health & sex life,
  • offences or criminal convictions (in EU)


Supervisory Authority: also known as the Data Protection Authority is a supervisory entity chartered to enforce privacy or data protection laws and regulations in a particular jurisdiction.


Data Controller: is an organization or individual that decides how and why information is processed.


Data Processor: is defined as an organization or an individual that processes data on behalf of the data controller


Anonymous vs Pseudoanonymous

Anonymous – cannot in any way be traced back to an individual. This data is not protected under GDPR

Pseudoananymous – Has been anonymized to a certain extent however connections exist that can (no matter how difficult that is) be traced back to an individual.

[author’s note] Hence assigning an internal reference number to a data subject and having all other records reference the internal reference number means that you have pseudoanonymized the data, however the data is not yet anonymous.


Lawful Processing Criteria is considered when

  1. Having obtained consent for a specific processing activity
  2. Protecting the vital interest of the data subject when consent could not be obtained,
  3. Meeting a legal obligation,
  4. Performing a contract to which the data subject is party or
  5. To take steps at the request of the data subject and for the legitimate interests of the controller unless it overrides the rights or freedoms of the data subject
  6. Necessary for the public interest


Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. whereas

  • ‘Destruction’ means the data no longer exists
  • ‘Damage’ means the personal data has been altered, corrupted, or is no longer complete.
  • ‘Loss‘ means the data may still exist, but the controller has lost control or access to it, or no longer has it in its possession.
  • ‘Unauthorised or unlawful processing’ may include disclosure of personal data to (or access by) recipients who are not authorised to receive (or access) the data, or any other form of processing which violates the GDPR.


Article 29 Working Party: A European Union organization that functions as an independent advisory body on data protection and privacy also known as the European Data Protection Board.


Privacy Policy: internal statement targeted towards users of personal data that define the handling practices of that data.


Privacy Notice: an external statement, example on a website, targeted towards the data subject that describes how the entity collects, retains, uses and discloses personal data.


[dt_divider style=”thin” /]


Have you encountered any more terms that people might not be clear about in relation to GDPR? Leave me a comment down below and I’ll add it to this post.


Would you like be notified when new posts come out? Drop us a note via the contact us section and we’ll add you to our mailing list.