Controlling and processing data under the GDPR - concepts and principles
The General Data Protection Regulation (GDPR) came into force across the EU on 25 May 2018.
An accompanying Directive establishes data protection standards in the area of criminal offences and penalties. This is known as the law enforcement Directive.
The GDPR and the Directive reform previous data protection rules. They provide for higher standards of data protection for individuals and impose increased obligations on organisations that process personal data. They also increase the range of possible sanctions for infringements of these rules.
This document outlines the key concepts and principles around controlling and processing data under the GDPR.
The key concepts around controlling and processing data under the GDPR are personal data, data subjects, data controllers, data processors and profiling.
Under the GDPR, personal data is data that relates to or can identify a living person either by itself or together with other available information. Examples of personal data include a person’s name, phone number, bank details and medical history.
A data subject is the individual to whom the personal data relates. You can read about the rights of data subjects in our document Your rights under the GDPR.
Data controllers are defined in the GDPR as persons or organisations that, alone or with others, determine the purpose and means of processing of personal data. Examples of data controllers include medical professionals, banks, government departments, and voluntary organisations. A local hairdresser or supermarket may be a data controller if that business keeps customer details on file, for example, to make appointments or to operate a promotional points system.
Data processors are persons or organisations that process personal data on behalf of a controller. Examples of data processors include payroll companies and market research companies, both of which may hold or process personal information on behalf of a data controller. The GDPR defines data processing as any operation or set of operations performed on personal data, for example, collecting, storing, distributing or destroying it.
Many controllers also process personal data and do not require a separate data processor.
You can read about the obligations of data controllers and processors under the GDPR.
Profiling is a specific form of processing described for the first time under the GDPR. Profiling means any form of automated processing of personal data to evaluate certain personal aspects of a person. Examples include processing data to analyse or predict a person's performance at work, economic situation, health, personal preferences, interests, behaviour, location or movements.
Controllers and processors who carry out profiling have to inform data subjects about how the profiling mechanism works before processing.
Data protection principles
There are strict principles of data protection under the GDPR. Data controllers are responsible for complying with these principles and must be able to demonstrate that they do. Data processing under the GDPR is lawful only if it satisfies one of the defined legal bases for lawful processing, listed below. Consent must also be given by data subjects.
Principles for data controllers
Personal data must be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
- Accurate and kept up to date, and every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified without delay
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
Legal bases for processing data
The legal bases for lawful processing are:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
- Processing is necessary for compliance with a legal obligation to which the controller is subject
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child. This does not apply to processing by public authorities.
Data subject consent
Where data processing is based on consent, the controller must be able to show that consent was given by the data subject.
If a data subject's consent is given as part of a written document, the request for consent must be presented clearly and separately from any other matters, using plain language. Any part of such a document that conflicts with the GDPR will not be enforceable.
A data subject has the right to withdraw their consent at any time. Before giving consent, the data subject must be informed of their right to withdraw their consent and it must be as easy to withdraw consent as to give it.
Under the GDPR, a data subject must be at least 16 years old to give valid consent. If the data subject is younger than 16, the consent of a guardian will need to be given. Individual member states may set the age of consent as low as 13 years, but not younger.
In Ireland, the Data Protection Act 2018 has set the age of consent at 16 years, excluding cases where personal data is provided to preventative or counselling services.