Under as well as under the GDPR, the data controller is the party that, alone or jointly with others, determines the purposes and means of the processing of personal data. The actual processing may be delegated to another party, called the data processor. The controller is responsible for the lawfulness of the processing, for the protection of the data, and for respecting the rights of the data subject. The controller is also the entity that receives requests from data subjects to exercise their rights.
The principle of “data minimisation” means that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose. They should also retain the data only for as long as is necessary to fulfil that purpose. In other words, data controllers should collect only the personal data they really need, and should keep it only for as long as they need it.
The data minimisation principle is expressed in Article 5(1)(c) of the GDPR and Article 4(1)(c) of , which provide that personal data must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed".
Data mining is the process of analysing data from different perspectives and summarising it into useful new information. Data mining software is one of a number of tools for interrogating data. It allows users to analyse data from many different dimensions or angles, categorise it, and summarise the relationships identified. Technically, data mining is the process of finding correlations or patterns among dozens of fields in large relational databases. It is commonly used in a wide range of profiling practices, such as marketing, surveillance, fraud detection and scientific discovery. Obviously, for data mining to be effective it is necessary to analyse large amounts of previously collected data.
A data protection authority (DPA) is an independent body which is in charge of:
- monitoring the processing of personal data within its jurisdiction (country, region or international organization);
- providing advice to the competent bodies with regard to legislative and administrative measures relating to the processing of personal data;
- hearing complaints lodged by citizens with regard to the protection of their data protection rights.
According to Article 51 of the GDPR, each Member State shall establish in its territory at least one data protection authority, which shall be endowed with investigative powers (such as access to data, collection of information, etc.), corrective powers (power to order the erasure of data, to impose a fine or a ban on processing, etc.), and authorisation or advisory powers (issuance of opinions, power to accredit certification bodies, etc.). The EDPS is established as an independent data protection authority at EU level by Article 52 of Regulation (EU) 2018/1725.
National data protection authorities have been established in all European countries, as well as in many other countries worldwide.
In addition to the data protection officer foreseen by Regulation (EU) 2018/1725, some EU institutions have appointed a data protection coordinator in order to coordinate all data protection aspects in the relevant DG, Department or Unit.
Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (also known as "Data Protection Directive") is the centrepiece legislation at EU level in the field of data protection.
The Directive is a framework law, meaning that it is implemented in EU Member States through national laws.
It aims to protect the rights and freedoms of persons with respect to the processing of personal data by laying down guidelines determining when the processing is lawful. The guidelines mainly relate to:
- the quality of the data;
- the legitimacy of the processing;
- the processing of special categories of data;
- information to be given to the data subject;
- the data subject's right of access to data;
- the right to object to the processing of data;
- the confidentiality and security of processing;
- the notification of the processing to a supervisory authority.
The Directive also sets out principles for the transfer of personal data to third countries and provides for the establishment of data protection authorities in each EU Member State.
The Member States of the Council of Europe and the European institutions celebrate Data Protection Day each year on 28 January.
This date marks the anniversary of the Council of Europe's Convention 108, the first legally binding international instrument related to data protection.
The EDPS usually takes part in the celebration of the event by setting up an information stand in the main EU institutions.
The controller shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data when a type of processing is likely to result in a high risk to the rights and freedoms of natural persons.
This assessment has to be done prior to the processing and, in particular if using new technologies, has to take into account the nature, scope, context and purposes of the processing.
A single assessment may address a set of similar processing operations that present similar high risks, as stated in Article 39 of Regulation (EU) 2018/1725.
For further information, see the EDPS Guidelines on DPIA.
Each Community institution and body shall, in order to comply with Regulation (EU) 2018/1725, have a data protection officer (DPO). The DPO should be an expert on data protection law and practices, and be in a position to operate independently within the organisation. The DPO is to ensure the internal application of the Regulation and that the rights and freedoms of the data subjects are not likely to be adversely affected by the processing operations. The DPO shall keep a register of processing operations performed or controlled by the institution or body.
Data quality refers to a set of principles laid down in Article 5 of the GDPR and Article 4 of Regulation (EU) 2018/1725, namely:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality
Data retention refers to all obligations on the part of controllers to retain personal data for certain purposes.
The Data Retention Directive (Directive 2006/24/EC) contains an obligation for providers of electronic communications to retain traffic and location data of communications through telephone, e-mail, etc. The retention takes place for the purpose of the investigation, detection and prosecution of serious crime.
See also Council framework Decision 2008/977/JHA.
See: Security of Processing
The data subject is the person whose personal data are collected, held or processed.
Transfers are subject to specific safeguards when the recipient is located in a country outside the EU / European Economic Area (EEA) according to Chapter V of the GDPR and of Regulation (EU) No 2018/1725. See for instance the conditions for the transfer of PNR data or relating to the EU-US Privacy Shield scheme.