Glossary

The controller that is processing personal data is obliged to demonstrate by specific documents that the controller is acting in the manner provided for in the GDPR and has ensured the following areas of personal data processing:

• lawfulness, fairness and transparency
• purpose limitation
• data minimisation
• accuracy
• storage limitation, and
• integrity and confidentiality.

A general obligation stipulated in the GDPR according to which the controller shall, without undue delay and on its own initiative, rectify, delete or complement the personal data stored in the register, which for the purposes of processing is incorrect, unnecessary, incomplete or outdated personal data. Also, the controller has to prevent dissemination of such data if the data can compromise a data subject's protection of privacy or his or her rights.

Deletion of identifiability of personal data so that such personal data can no longer be attributed to a specific data subject even with the use of additional information (cf. pseudonymisation).

A decision intended for evaluating certain aspects of a data subject, which is based solely on automated data processing and produces legal effects concerning the data subject or similarly significantly affects him or her. (Obligation of notification the Data Protection Ombudsman)

The natural or legal person (public authority, agency or other body) which, alone or jointly with others, determines the purposes and means of the processing of personal data. The controller also determines why the register has been created and is responsible for the processing of personal data.

A role designated in an organisation, which is mandatory in the following situations:

• if processing is carried out by a public authority or body (except for courts),
• the core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or
• the core activities consist of processing of special categories of data, or personal data relating to criminal convictions and offences.

The GDPR also specifies the position and tasks of a data protection officer. The tasks of the data protection officer include taking into consideration data security issues in the activity of an organisation as set out in the GDPR. The data protection officer also acts as a contact person when a data subject wants to check, alter or erase his or her personal data from the register. A group of undertakings may appoint a single data protection officer; a single data protection officer may be appointed for several authorities or public bodies.

Any information relating to an identified or identifiable natural person (e.g., as a name, social security number, photo, biometric or genetic data, phone number, e-mail address, or any other online identifier; also any reference to a public figure in Wikipedia or any other website).

Any operation performed on personal data, whether or not by automated means. Processing is, e.g., collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

In practice, personal data processing is in most cases based on any of these three principles, and the consent of data subject is not always required:

1. Legitimate interest:

Organisations are considered to have various legitimate interests based whereupon they may collect and process personal data. Legitimate interests are related to operations such as, e.g., direct marketing, customer service or product and service development.

2. Contract:

Personal data can be processed in a situation where a data subject is part to a contract or if at the data subject’s request it is necessary to take steps relating to personal data prior to entering into a contract.

3. Consent:

A manner in which a data subject accepts the processing of his or her personal data.

Performance of a public duty or a legal obligation may also constitute a processing basis, e.g., when a company is complying with money laundering legislation.

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (e.g., a payroll accountant outsourced by the company).

Profiling is any form of automated processing of personal data consisting of the use of personal to analyse or predict any personal aspects (such as location or movements, economic situation, purchase preferences, reliability or behaviour, health, personal preferences or interests, performance at work or any other behaviour). Profiling is used in numerous social media services and some other applications, but only in specific processing situations profiling or automated decision-making can be based on special categories of data, such as ethnic origin, political opinions or religious beliefs.

The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. It is also required that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable person.

For example, in a research where sensitive data is processed publication using an alias can be used, but pseudonymised data is personal data as it can be attributed to a person (cf. anonymisation).