30 July 2018

GDPR terms and conditions

The key terms and definitions you need to know:

Binding corporate rules: personal data protection policies adhered to by a controller or processor in a Member State for transfers of personal data to a controller or processor in a third country.

They were originally devised by the Article 29 Working Party to transfer large amounts of data securely and internationally while reducing bureaucracy.

The GDPR establishes conditions for Member States to establish their own binding corporate rules to streamline international transfers.


Cross-border processing: (a) processing of personal data in establishments in more than one Member State of a Controller or Processor, where the Controller or Processor is established in more than one Member State; or (b) processing of personal data in a single establishment of a Controller or Processor which substantially affects, or is likely to substantially affect, data subjects in more than one Member State.


Health data: awarded particular protections under the Regulation, with additional restrictions on how it is processed and on the level of consent required for processing. Member States are permitted to introduce further restrictions.


Data controller: a natural or legal person, public authority, agency or other body that determines the purposes and means of processing personal data. Controllers are usually public-facing entities such as hospitals: for an online health questionnaire, the hospital would be the data controller.


Data processor: a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. The provider of an online health questionnaire form will be the data processor, as it carries out the act of collecting the data. In many cases, the Controller and Processor will be the same entity.


Processing: any operation performed on personal data, such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, disseminating, aligning, combining, restricting, erasing or destroying.


Profiling: automated processing of personal data to evaluate certain aspects of a person, e.g. performance at work, economic situation, health etc. The Data Subject must always be informed of any profiling processes that will be performed before they consent.


Representative: a natural or legal person established in the Union who is designated by the Controller or Processor under Art 27 to represent the Controller or Processor with regard to their respective regulatory obligations.

Organisations (both Controllers and Processors) that are not in the EU but wish to conduct processing in line with Art 27 must appoint a representative established in the EU, to ensure that the personal data collection and processing has a presence within the Union and ready contact with the authorities.


Supervisory authority: an independent public authority established by a Member State under Art 51. In the UK it is the ICO.
