Binding corporate rules (BCRs): personal data protection policies adhered to by a controller or processor established in a member state for transfers of personal data to a controller or processor in a third country. Originally devised by the Article 29 Working Party to allow large volumes of data to be transferred internationally in a secure way while reducing bureaucracy. The GDPR sets out the conditions under which member states may approve their own BCRs to streamline international transfers.
(a) processing of personal data that takes place in establishments of the controller or processor in more than one member state, where the controller or processor is established in more than one member state; or
(b) processing of personal data in a single establishment of the controller or processor that substantially affects, or is likely to substantially affect, data subjects in more than one member state.
Health data: given particular protections under the regulation, with additional restrictions on how it may be processed and on the level of consent required for processing. Member states are permitted to introduce further restrictions.
Data controller: the natural or legal person, public authority, agency or other body that determines the purposes and means of processing personal data. Usually a public-facing entity such as a hospital; for an online health questionnaire, the hospital would be the data controller.
Data processor: a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. The provider of the online health questionnaire form will be the data processor, as it carries out the act of collecting the data.
In many cases, the controller and processor will be the same entity.
Processing: any operation performed on personal data, such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, disseminating, aligning, combining, restricting, erasing or destroying.
Profiling: automated processing of personal data to evaluate certain aspects of a person, e.g. performance at work, economic situation, health, etc. The data subject must always be informed of any profiling that will be performed before they give consent.
Representative: a natural or legal person established in the Union who is designated by the controller or processor under Art 27 to represent the controller or processor with regard to their respective regulatory obligations.
Organisations (both controllers and processors) not established in the EU that wish to conduct processing falling within Art 27 must appoint a representative established in the EU, so that the personal data collection and processing has a presence within the Union and a ready point of contact for the authorities.
Supervisory authority: an independent public authority established by a member state under Art 51. In the UK this is the ICO.
Contact our Data Protection and GDPR Solicitors Liverpool, Wirral, Merseyside and Across England & Wales