Annex I Definitions

Consent
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Data subject

See ‘personal data’ below.

Data controller

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data portability

A data subject can request receipt of their personal data which they have provided to a controller and has the right to transmit it to another data controller without hindrance (or can request that data be transmitted directly to another data controller where technically feasible).

Data processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. A processor must only act on the documented instructions of a controller. If a processor determines the purpose and means of processing then it will be considered to be a controller.

Data Protection Impact Assessment

An assessment of the impact of envisaged processing operations on the protection of personal data, required under Article 35 of GDPR where the processing is likely to result in a high risk to the rights and freedoms of natural persons. Sometimes referred to as a ‘privacy impact assessment’.

Lawfulness of processing

Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. Article 6 of the GDPR (reproduced in Annex I) sets out six lawful bases, one of which is consent given by the data subject; processing is lawful only if at least one of them applies.

Personal data

Any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

A low bar is set for “identifiable”: if anyone can identify a natural person using “all means reasonably likely to be used”, the information is personal data, so data may be personal data even if the organisation holding it cannot itself identify the person. Examples include a name, a photo, an email address, bank details, posts on social networking websites, medical information and a computer IP address. Online identifiers are expressly called out in Recital 30, with IP addresses, cookie identifiers and radio frequency identification tags all listed as examples.

Personal data breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Privacy impact assessment

Also known as a ‘Data Protection Impact Assessment’ (see above).

Special categories of personal data (‘sensitive data’)

Term used in GDPR for personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, together with genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person’s sex life or sexual orientation. Article 9 of GDPR prohibits the processing of such data unless one of the conditions set out therein is met, eg explicit consent. Article 10 of GDPR imposes stricter requirements on the processing of personal data relating to criminal convictions and offences.