Article 4


For the purposes of this Regulation:


‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;


‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;


‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;


‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;


‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;


‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;


‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;


‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;


‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;


‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;


‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;


‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;


‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;


‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;


‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;


‘main establishment’ means:


as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;


as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;


‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;


‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;


‘group of undertakings’ means a controlling undertaking and its controlled undertakings;


‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;


‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;


‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:


the controller or processor is established on the territory of the Member State of that supervisory authority;


data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or


a complaint has been lodged with that supervisory authority;


‘cross-border processing’ means either:


processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or


processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.


‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;


‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council (19);


‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

What does it mean?

A cookie is a text file that allows information to be stored or accessed on the user’s device and sometimes to collect data about the user.

Advertising based on user behaviour often involves the processing of personal data.

Behavioural advertising usually involves managing IP addresses and processing unique identifiers via the cookie.

The information contained in the context of behavioural advertising relates to an individual’s characteristics or behaviour and is used to influence that particular individual. This information will be linkable to directly personally identifiable information provided by the data subject.

This is a list of different types of personal data that an organisation processes and the purposes for which the data is processed. This is similar to the records of processing activities, which GDPR article 30 requires organisations to maintain.

A company should have data retention policies that specify how the organisation should keep personal data and when they should delete it.

Data minimisation is one of the principles described in article 5, which says that personal data should only be collected and processed to the extent necessary for their specific purpose.

Data mapping is identifying and documenting the flow of personal data within an organisation and the relationships between different data processing activities. This is a necessary process to maintain the required records of processing activities.

Data classification categorises data according to its sensitivity and the level of protection it needs. This is an integral part of the records of processing activities and is especially important for creating risk assessments.

Information Security is about putting measures in place to protect information from unauthorised access, use, disclosure, or destruction. Information security is a field within IT security, and the GDPR rules are part of a company’s information security.

Most companies are required to have data protection policies in place. They are a set of guidelines that outlines an organisation’s approach to data protection and sets out the measures in place to protect personal data.

A privacy-enhancing technology minimises the collection and processing of personal data or makes it more difficult to identify individuals from their data. 

A data subject is a person about whom personal data is processed. A company will typically record information about customers and employees, so these are “data subjects” in the context of the GDPR.

The records of processing activities map the company’s processes in processing personal data. There are specific requirements for this record of processing activities, and these are outlined in article 30. 

By law, everyone who processes personal data must have this record of processing activities updated and maintained.

A risk assessment identifies and evaluates potential risks to individuals’ privacy. 

Organisations must conduct a risk assessment when processing personal data to identify and mitigate any possible risks to the privacy of individuals. 

The risk assessment should consider the potential threats to the privacy of individuals. 

The assessment should include the types of personal data and the purposes for which the data is being processed.

The risk assessment should be carried out regularly, reviewed, and updated as necessary.

Organisations must also document the results of their risk assessment, including any measures they have taken to mitigate identified risks. This will demonstrate compliance with the GDPR.

Anonymisation is the process of rendering data anonymous by removing or obscuring any information used to identify individuals. It should be impossible to identify the data subject after anonymisation.

The impact assessment is an extended version of the risk assessment. 

It should be carried out if a risk assessment shows the processing of personal data involves high risk. There are particular requirements in the GDPR concerning the conduct of an impact assessment.

A controller must agree with its processor on how personal data is processed. This agreement must describe the conditions regarding the security of the processor’s processing of the controller’s data.

The controller shall be able to document this agreement and that it complies with the GDPR. Therefore, the controller shall also monitor the processor’s compliance with this agreement.

The GDPR describes seven principles of sound data processing. The principles provide insight into how personal data should be processed. You can find the principles in article 5 of the GDPR.

GDPR is basically about information security. 

Information security is a multidisciplinary discipline involving IT, law, and business processes, about protecting information, which, e.g. can be in software and hardware.

The discipline aims to secure information, so it is not compromised, e.g. unauthorised persons shouldn’t be able to access the information, data should be accurate, and data should be available when needed. 

Maintaining your information’s confidentiality, integrity, and availability can prevent it from being compromised.

Confidentiality is part of the information security triad CIA (Confidentiality, Integrity and Availability), ensuring that sensitive information is only accessible to those authorised to view or use the information. Controls like passwords, authentication and permissions are tools to restrict access to data to the intended users.

Integrity is part of the information security triad CIA (Confidentiality, Integrity and Availability. You should maintain the integrity of the data so no one can alter the information without the proper authorisation and security. Data should be accurate and reliable.

Availability is part of the information security triad CIA (Confidentiality, Integrity and Availability). It refers to the ability of authorised users to access information when needed.

Social engineering uses manipulation or deception to influence individuals to divulge sensitive information or perform actions that may not be in their best interest. It is a type of cybercrime that relies on exploiting human emotions and trust rather than technical vulnerabilities.

Privacy by default is protection by default settings.

An example is a software application that protects the processing of personal data by default. Instead of turning on a 2-factor identification feature, it should be on by default.

Privacy by design requires new systems and processes to be designed with data protection in mind from the beginning. Data protection shouldn’t be added later but factored in at the design phase. 

A data protection officer ensures that an organisation complies with data protection laws and regulations. 

The DPO is a point of contact between the organisation and the supervisory authority and internally organises data protection issues. 


The GDPR requires DPOs for specific organisations that handle large amounts of personal data. 

The responsibilities of a DPO vary depending on the size and complexity of the organisation and the nature of its processing of personal data.

Data portability is the right of data subjects, according to article 20. A data subject has the right to receive a copy of the personal data they have provided to the controller in a structured file format, which could be used to transfer the data to another supplier.

The concept of data portability is designed to give individuals more control over their data.

Awareness Training

Ensure that your entire company is equipped with the necessary awareness training on the basics of GDPR and IT security.



Get Started within 24 hours.

Once you have submitted your details, you’ll be our top priority!