Personal data means any information which relates to a natural person. Examples include: full name, phone number, IP address, email address, payment data, a person's interests, shopping history, health data, etc.
Warning: the primary objective of personal data protection regulation is to secure data which is processed in digital format. However, if you process and structure personal data according to some criteria (age, work experience, skills, interests, etc.) in a traditional, non-digital format, you will also need to ensure compliance with data protection legislation.
Processing of personal data means any operation performed on personal data. Examples include: collection of data via a registration form, statistical analysis, storage of the data, etc.
Sensitive data means personal data whose processing poses a high risk to the rights and freedoms of a person, because such data can easily be used to discriminate against them. This includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data used for the purpose of uniquely identifying a natural person; data concerning health; and data concerning a natural person's sex life or sexual orientation. It also covers criminal records, data about certain types of abuse against a person, and location data or movement routes.
Data controller means a natural or legal person which determines the purposes and means of the processing of personal data.
Examples: an employer is the data controller for its employees, a website owner is the data controller for the website's visitors, an application owner is the data controller for its users, and so on.
Data processor means a natural or legal person which processes personal data on behalf of the controller.
Examples: an outsourced software development company, an email newsletter service provider.
Data subject means a natural person whose personal data is processed by the controller or the processor.
Legal basis for processing: to process personal data you must have a legal basis. Usually, one basis corresponds to one purpose of personal data processing. For example, when providing a service or selling goods the legal basis is the performance of a contract; when sending advertising emails, it is consent; and when preventing fraud, it is the legitimate interest of the organisation.
List of legal bases for processing:
- performance of a contract - processing is needed to perform a contract. For example, to provide a service to the data subject.
- consent - a freely given, specific, informed and unambiguous indication of the data subject's wishes. For example, consent to receive an advertising newsletter.
  - Freely given - the subject has a real choice (a refusal to process the data will not have a negative impact on them), consent is not bundled with provisions that cannot be changed, and consent can be revoked.
  - Specific - consent must relate to a specific data processing operation; it is forbidden to obtain one consent for several purposes.
  - Informed - the subject must know at least: the identity of the data controller, the purpose of processing, the categories of data, and the right to withdraw consent.
  - Unambiguous - consent must leave no doubt that the subject has agreed to the processing.
- legitimate interest - data processing that a person can reasonably expect and that does not violate their rights and freedoms. For example, analysis of a website's traffic statistics.
- compliance with a legal obligation - processing which is required by legislation. For example, HR data has to be stored for 75 years.
- vital interest - processing is necessary when, literally, there is a matter of life and death. For example, when an unconscious person needs immediate medical attention and their data is processed to save their life.
- public interest - processing which is permitted by a specific regulation in the public interest, such as health care.