Explore UCD

UCD Home >


Key Terminology of GDPR

The following terms used throughout this guide have specific legal meanings under the GDPR. In order to understand your rights fully, please read the following glossary of key terms.

Data: means information in a form which can be processed. It includes both automated data and manual data.

- Automated data: means, broadly speaking, any information stored on a computer, or information recorded with the intention of putting it on a computer.

- Manual data: means information that is kept as part of a relevant filing system, or with the intention that it should form part of a relevant filing system.

Relevant filing system: means any set of information that, while not computerised, is structured by reference to individuals, or by reference to criteria relating to individuals, so that specific information is accessible.

Data Set: is a collection of related, discrete items of related personal data that are subject to the same processing activities.

Personal data: means any information concerning or relating to a living natural person who is either identified or identifiable (such a person is referred to as a ‘data subject’).

An individual could be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (such as an IP address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

Special category data:

  • Personal data revealing racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data and biometric data processed for the purpose of uniquely identifying a natural person
  • Data concerning health
  • Data concerning a natural person’s sex life or sexual orientation

Processing of these special categories is prohibited, except in limited circumstances set out in Article 9 of the GDPR.

Other types of sensitive personal data:

In addition to 'special category' data there are other types of personal data that require extra protection. These data include: criminal convictions or the alleged commission of an offence; and financial data. A data subject has additional rights in relation to the processing of any such data, and consequently a data controller has additional responsibilities. 

Processing: means performing any operation or set of operations on data, including:

  • obtaining, recording or keeping data,
  • collecting, organising, storing, altering or adapting the data,
  • retrieving, consulting or using the data,
  • disclosing the information or data by transmitting, disseminating or otherwise making it available,
  • aligning, combining, blocking, erasing or destroying the data.

Data Subject: is any person whose personal data is being collected, held or processed.

Data Controller(s):  refers to a person, company, or other body, which either alone or with others decides the purposes and methods of processing personal data, i.e. the ‘why’ and ‘how’ of the processing. Data controllers can be legal entities, Government Departments or voluntary organisations, or they can be individuals such as GPs, pharmacists or sole traders. 

If the controller decides to process data itself, using its own resources within its organisation, for example through its own staff, this is not a processor situation.Employees and other persons that are acting under the direct authority of the controller, such as temporarily employed staff, are not to be seen as processors since they will process personal data as a part of the controller’s entity. In accordance with Article 29, they are also bound by the controller’s instructions.”[Guidelines 07/2020 on the concepts of controller and processor in the GDPR, point 76]

Data Processor: is a person or an organisation that processes personal data on behalf of and under the instruction of a data controller. If a controller outsources a processing activity to a service provider, and the service provider only acts on the client’s instructions, this service provider will generally be a processor. 

Processing personal data on the controller’s behalffirstly requires that the separate entity processes personal data for the benefit of the controller.In Article 4(2), processing is defined as a concept including a wide array of operations ranging from collection, storage and consultation to use, dissemination or otherwise making available and destruction. In practice, this means that all imaginable handling of personal data constitutes processing.”[Guidelines 07/2020 on the concepts of controller and processor in the GDPR, point 77.]

Data Protection Commission (DPC): Irish Regulator and Irelands Data protection Authority (DPA)

Record of Processing Activities (ROPA):One of the GDPR's requirements is to create and maintain a record of processing activities (ROPA), which includes the purposes of processing personal data, the parties to whom you are disclosing the data, how long you will retain the data, and other details (see Article 30).

Data Protection Impact Assessment (DPIA)is a process that helps to identify and minimise the data protection risks of a project. You must do a DPIA for any processing activity that is likely to result in a high risk to individuals. This includes some specified types of processing.

Data Protection by Design & by Default:Data protection by designis ultimately an approach that ensures you consider privacy and data protection issues at the design phase of any system, service, product or process and then throughout the lifecycle.Data protection by defaultrequires you to ensure for example that the default setting of a system is the most private one, without the need for user intervention.

Risks to the Rights and Freedomsof a natural person that may result from the processing of personal data are referred to in GDPR Recital 75: 

The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.

 Anonymous vs. Pseudonymous:

Anonymisationof data means processing it with the aim ofirreversiblypreventing the identification of the individual to whom it relates. Data can be considered effectively and sufficiently anonymised if it does not relate to an identified or identifiable natural person or where it has been rendered anonymous in such a manner that the data subject is not or no longer identifiable. 

Pseudonymisation of data means replacing any identifying characteristics of data with a pseudonym, or, in other words, a value which does not allow the data subject to be directly identified.

Data which has beenirreversiblyanonymised ceases to be 'personal data'. However, a person does not have to be named in order to be identified. If there is other information enabling an individual to be connected to data about them, which could not be about someone else in the group, they may still 'be identified'. The concept of 'identifiability' is closely linked with the process of anonymisation. Even if all of the direct identifiers are stripped out of a data set, meaning that individuals are not 'identified' in the data, the data will still be personal data if it is possible to link any data subjects to information in the data set relating to them. An effective anonymisation technique will be able to prevent the singling out of individual data subjects, the linking of records or matching of data between data sets, and inference of any information about individuals from a data set. For more info see: (opens in a new window)(opens in a new window)Guidance on Anonymisation and Pseudonymisation

Further Information