10 Key GDPR Terms You Need to Know

The most common questions we receive regarding GDPR compliance are all related to terms and definitions. Controllers, processors, processing, sub-processor, joint controller, controller-processor – there are so many complicated, similar GDPR terms. If you’ve been confused by what the terms mean and which definitions are vital to the compliance process, you are not alone. What’s your organization’s role? Who enforces GDPR? What kind of data is covered under the law? What kind of person is covered under the law? Understanding key GDPR terms will help you answer these important questions and begin your GDPR compliance journey.

Key GDPR Terms Defined

Perhaps two of the most ambiguous terms associated with GDPR are data subject and personal data. Let’s take a look at what each of these terms means.

Data Subject: Some may assume that “data subjects” means EU citizens, but the explicit language of the law applies to processing the personal data of “data subjects in the Union,” which could cover tourists, non-citizen residents, international students, and many others. Because GDPR uses informal descriptions for the term “data subject,” the public has been left with varying interpretations and significant challenges. We generally see five definitions proposed for data subjects:

  1. A person located in the EU,
  2. A resident of the EU,
  3. A citizen of the EU,
  4. An EU resident/citizen physically located anywhere in the world, or
  5. A person whose personal data is processed within the EU, regardless of that person’s location.

Organizations should closely monitor regulatory and legal developments related to the definition of “data subject.”

Personal Data: Per Article 4(1), personal data is any identifiable information related to a data subject. For example: name, geographic location data, email address, IP address, photographs, video or voice recordings, biometric data, or an online identifier of the specific physical, physiological, genetic, mental, economic, cultural, or social identity of a data subject.
