An organization processes personal data on behalf of a processor. Sub-processors must comply with the same contractual and compliance requirements as a processor.

Independent, public authorities for each EU member state that are responsible for monitoring the application of GDPR and addressing non-compliance. For example: National Commission of Computing and Freedoms in France, the Federal Commissioner for Data Protection and Freedom of Information in Germany, the Agency of Protection of Data in Spain, and the Information Commissioner’s Office in the United Kingdom.

Processing is any action that happens to or uses personal data, including accessing, collection, storage, archiving, reviewing, or destroying.

A processor is the natural or legal entity that processes personal data in support of a controller. Processors cannot process data without the authority of the data controller; therefore, processors must provide controllers with sufficient GDPR compliance guarantees, notification of data breaches and adding/changing of sub-processors.

Personal data is any identifiable information related to a data subject. For example: name, geographic location data, email address, IP address, photographs, video or voice recordings, biometric data, or an online identifier of the specific physical, physiological, genetic, mental, economic, cultural, or social identity of a data subject.

One of the seven major data processing principles of GDPR is to ensure that personal data is processed lawfully, fairly, and transparently. To comply this principle, Chapter 6 of the GDPR requires any organization processing personal data to have a valid legal basis for that personal data processing activity. Think of these as scenarios in which it would be lawful to process data. GDPR provides six legal bases for processing: consent, performance of a contract, legitimate interest, vital interest, legal requirement, and public interest.