top of page

GDPR Policy

Overview of the General Data Protection Regulation

 

The Charity will ensure that all personal data that it holds will be:

  • processed lawfully, fairly and in a transparent manner

  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

  • adequate, relevant and limited to what is necessary

  • accurate and kept up to date

  • kept in a form which permits identification of data subjects for no longer than is necessary

  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage

 

Contents (Summary)

 

1. Introduction to the GDPR

2. Definitions {Art:4}

3. Principles of the GDPR {Art:5}

4. Lawful Processing

5. Individual Rights

6. Operational Policies & Procedures – The Context

7. Personnel

8. Collecting & Processing Personal Data

9. Information Technology

10. Data Subjects

11. Privacy Impact Assessment

12. Third Party Access to Data

13. Data Breach

14. Privacy Policy & Privacy Notices

 

Full Contents

 

1. Introduction to the GDPR

2. Definitions {Art:4}

3. Principles of the GDPR {Art:5}

4. Lawful Processing

4.1 By Consent

4.2 By Contract

4.3 By Legal Obligation

4.4 By Vital Interest

4.5 By Public Task

4.6 Legitimate Interest

5. Individual Rights

5.1 The right to be informed {Arts 12-14}

5.2 The right of access {Art:15}

5.3 The right to rectification {Art:16}

5.4 The right to erase {The right to be forgotten}  {Art:17}

5.5 The right to restrict processing {Art:18}

5.6 The right to data portability {Art:20}

5.7 The right to object {Art:21}

5.8 Rights in relation to automated decision making and profiling.  {Art:22}

6. Operational Policies & Procedures – The Context

7. Personnel

7.1 Data Protection Officer

7.2 Data Controller

7.3 Data Processor

7.4 Access to Data

7.5 Training

8. Collecting & Processing Personal Data

9. Information Technology

9.1 Data Protection by Design/Default

9.2 Data Processing Equipment

9.3 Data Processing Location

9.4 Data Backups

9.5 Obsolete or Dysfunctional Equipment (Disposal of Removable Storage Media)

10. Data Subjects

10.1 The Rights of Data Subjects

10.2 Rights of Access, Rectification and Erasure

10.3 Right of Portability

10.4 Data Retention Policy

11. Privacy Impact Assessment

11.1 Trustees’ Data

11.2 Volunteers’/Members’ Data

11.3 Supporters’ & Enquirers’ Data

12. Third Party Access to Data

13. Data Breach

14. Privacy Policy & Privacy Notices

 

Data Protection Policy

  1. Introduction to the GDPR

Under the EU General Data Protection Regulations (GDPR) Kelsall Wellbeing Hub Charity (herein after referred to as “the Charity”) is required to comply with the GDPR and undertakes to do so.

Throughout this policy document, numbers prefixed by “Art: “in brackets (e.g.: {Art:5}) refer to the relevant Article(s) in the GDPR.
For ease of access, extracts of relevant GDPR Articles are contained in the Appendix to this Policy.

  1. Definitions {Art:4}

The definitions of terms used in this policy are the same as the definitions of those terms detailed in Article-4 of the GDPR.

Data Subject

A data subject is an identifiable individual person about whom the Charity holds personal data.

 

Contact Information

For the purposes of this Policy, “Contact Information” means any or all of the person’s:
full name (including any preferences about how they like to be called);
full postal address;
telephone and/or mobile number(s);
e-mail address(es);
social media IDs/UserNames (eg: Facebook, Skype, Hangouts, WhatsApp)

  1. Principles of the GDPR {Art:5}

The Charity will ensure that all personal data that it holds will be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals

  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes

  3. adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed

  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay

  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

  1. Lawful Processing

The Charity will obtain, hold and process all personal data in accordance with the GDPR for the following lawful purposes.

In all cases the information collected, held and processed will include Contact Information (as defined in 2 above).

  1. By Consent

  1. People who are interested in, and wish to be kept informed of, the activities of the Charity.

  2. Subject to the person’s consent, this may include information selected and forwarded by the Charity on activities relevant to those of the Charity by other organisations.
    Note: this will not involve providing the person’s personal data to another organisation.

The information collected may additionally contain details of any particular areas of interest about which the person wishes to be kept informed.

The information provided will be held and processed solely for the purpose of providing the information requested by the person.

  1. By Contract

People who sell goods and/or services to, and/or purchase goods and/or services from the Charity.

The information collected will additionally contain details of:

  1. The goods/services being sold to, or purchased from the Charity

  2. Bank and other details necessary and relevant to the making or receiving of payments for the goods/services being sold to or purchased from the Charity.

The information provided will be held and processed solely for the purpose of managing the contract between the Charity and the person for the supply or purchase of goods/services.

  1. By Legal Obligation

People where there is a legal obligation on the Charity to collect, process and share information with a third party – eg: the legal obligations to collect, process and share with HM Revenue & Customs payroll information on employees of the Charity.

The information provided will be held, processed and shared with others solely for the purpose meeting the Charity’s legal obligations.

  1. By Vital Interest

The Charity undertakes no activities which require the collection, holding and/or processing of personal information for reasons of vital interest.

  1. By Public Task

The Charity undertakes no public tasks which require the collection, holding and/or processing of personal information.

  1. Legitimate Interest

Staff, Volunteers, Including Trustees

In order to be able to operate efficiently, effectively and economically, it is in the legitimate interests of the Charity to hold such personal information on its staff, volunteers and trustees as will enable the Charity to communicate with its staff and volunteers on matters relating to the operation of the charity, e.g.:

  • the holding of meetings

  • providing information about the Charity’s activities – particularly those activities which, by their nature, are likely to be of particular interest to individual staff/volunteers/trustees

  • seeking help, support and advice from staff/volunteers/trustees, particularly where they have specific knowledge and experience

  • ensuring that any particular needs of the staff/volunteer/trustee are appropriately and sensitively accommodated when organising meetings and other activities of the Charity.

Closed Circuit TV (CCTV) Recording

The Charity collects video CCTV images of people entering and moving around its premises in order to safeguard its collection from theft and vandalism, as required by its insurers.

The information collected is only processed and, where appropriate, shared with other authorities (e.g.: the Police) where it is necessary to investigate a potential crime.

  1. Individual Rights

Note:  The following clauses are taken primarily from the guidance provided by the Office of the Information Commissioner,
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/ 

  1. The right to be informed {Arts 12-14}

When collecting personal information, the Charity will provide to the data subject free of charge, a Privacy Policy written in clear and plain language which is concise, transparent, intelligible and easily accessible containing the following information:

  • Identity and contact details of the controller
    Note: where the organisation has a controller’s representative and/or a data protection officer, their contact details should also be included

  • Purpose of the processing and the lawful basis for the processing

  • The legitimate interests of the controller or third party, where applicable

  • Categories of personal data
    Not applicable if the data are obtained directly from the data subject

  • Any recipient or categories of recipients of the personal data

  • Details of transfers to third country and safeguards

  • Retention period or criteria used to determine the retention period

  • The existence of each of data subject’s rights

  • The right to withdraw consent at any time, where relevant

  • The right to lodge a complaint with a supervisory authority

  • The source the personal data originates from and whether it came from publicly accessible sources
    Not applicable if the data are obtained directly from the data subject

  • Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data
    Not applicable if the data are NOT obtained directly from the data subject

  • The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.

In the case of data obtained directly from the data subject, the information will be provided at the time the data are obtained.

In the case that the data are not obtained directly from the data subject, the information will be provided within a reasonable period of the Charity having obtained the data (within one month), or,
if the data are used to communicate with the data subject, at the latest, when the first communication takes place; or
if disclosure to another recipient is envisaged, at the latest, before the data are disclosed.

  1. The right of access {Art:15}

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him/her are being processed, and, where that is the case, access to his/her personal data and the information detailed in the Charity’s relevant Privacy Policy:

  1. The right to rectification {Art:16}

The data subject shall have the right to require the controller without undue delay to rectify any inaccurate or incomplete personal data concerning him/her.

  1. The right to erase {The right to be forgotten}  {Art:17}

Except where the data are held for purposes of legal obligation or public task (4.3 or 4.5) the data subject shall have the right to require the controller without undue delay to erase any personal data concerning him/her.
Note:  This provision is also known as “The right to be forgotten”.

  1. The right to restrict processing {Art:18}

Where there is a dispute between the data subject and the Controller about the accuracy, validity or legality of data held by the Charity the data subject shall have the right to require the controlled to cease processing the data for a reasonable period of time to allow the dispute to be resolved.

  1. The right to data portability {Art:20}

Where data are held for purposes of consent or contract (4.1 or 4.2) the data subject shall have the right to require the controller to provide him/her with a copy in a structured, commonly used and machine-readable format of the data which he/she has provided to the controller, and have the right to transmit those data to another controller without hindrance.

  1. The right to object {Art:21}

  1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him/her which is based Public Task or Legitimate Interest (4.5 or 4.6), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

  2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him/her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

  3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

  4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs a) and d) shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

  1. Rights in relation to automated decision making and profiling.  {Art:22}

Except where it is:  a) based on the data subject’s explicit consent,  or  b) necessary for entering into, or performance of, a contract between the data subject and a data controller;  the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her.


 

Operational Policies and Procedures

  1. Operational Policies & Procedures – The Context

Kelsall Wellbeing Hub (the Charity) is a small charity holding just a small amount of non-sensitive data on a small number of people.

The Trustees understand and accept their responsibility under the EU General Data Protection Regulation (GDPR) to hold all personal data securely and use it only for legitimate purposes with the knowledge and approval of the data subjects.

By the following operational policies and procedures, the Trustees undertake to uphold the principles and requirements of the GDPR in a manner which is proportionate to the nature of the personal data being held by the Charity.   The policies are based on the Trustees’ assessment, in good faith, of the potential impacts on both the Charity and its data subjects of the personal data held by the Charity being stolen, abused, corrupted or lost.

  1. Personnel

  1. Data Protection Officer

In the considered opinion of the Trustees the scope and nature of the personal data held by the Charity is not sufficient to warrant the appointment of a Data Protection Officer.

Accordingly, no Data Protection Officer is appointed.

  1. Data Controller

The Board of Trustees is the Data Controller for the Charity.

  1. Data Processor

The Board of Trustees will appoint at least 2 and not more than 5 of its number, or other appropriate persons, to be the Data Processors for the Charity.

The Charity will not knowingly outsource its data processing to any third party (eg: Google G-Suite, Microsoft OneDrive) except as provided for in the section “Third Party Access to Data”.

  1. Access to Data

Except where necessary to pursue the legitimate purposes of the Charity, only the Data Processors shall have access to the personal data held by the Charity.

  1. Training

The Board of Trustees and Data Processors will periodically undergo appropriate training commensurate with the scale and nature of the personal data that the Charity holds and processes under the GDPR.

  1. Collecting & Processing Personal Data

The Charity collects a variety of personal data commensurate with the variety of purposes for which the data are required in the pursuit of its charitable objects.

All personal data will be collected, held and processed in accordance with the relevant Data Privacy Notice provided to data subjects as part of the process of collecting the data.

A Data Privacy Notice will be provided, or otherwise made accessible, to all persons on whom the Charity collects, holds and processes data covered by the GDPR.   The Data Privacy Notice provided to data subjects will detail the nature of the data being collected, the purpose(s) for which the data are being collected and the subjects rights in relation to the Charity’s use of the data and other relevant information in compliance with the prevailing GDPR requirements.

  1. Information Technology

  1. Data Protection by Design/Default

Inasmuch as:

  1. none of the Charity’s volunteer Trustees are data protection professionals

  2. it would be a disproportionate use of charitable funds to employ a data protection professional, given the scale and nature of the personal data held by the Charity

the Trustees will seek appropriate professional advice commensurate with its data protection requirement whenever:

  1. they are planning to make significant changes to the ways in which they process personal data

  1. there is any national publicity about new risks (e.g. cyber-attacks)

which might adversely compromise the Charity’s legitimate processing of personal data covered by the GDPR.

Personal data will never be transmitted electronically (eg: by e-mail) unless securely encrypted.

  1. Data Processing Equipment

The scale and nature of the personal data held by the Charity is not sufficient to justify the Charity purchasing dedicated computers for the processing of personal data.

Instead, the Charity will purchase and own at least 2 and not more than 5 removable storage devices to store the personal data that it holds and processes.
The removable storage devices will also act as backup devices.

Whilst the data will be processed on the computers/laptops to which the Data Processors have access, no personal data covered by the GDPR will be stored on those computers/laptops.   All interim working data transferred to such computers/laptops for processing will be deleted once processing has been completed.

When not in use the removable storage devices will be kept in a secure location and reasonably protected against accidental damage, loss, avoidable theft or other misuse by persons other than the Data Processors.

The Data Controller & Data Processors will keep a register of

  1. (a) the location of all removable devices used for the storage and processing of personal data;

  2. (b) each occasion when the data on each device were accessed or modified and by whom.

The Charity’s removable storage devices shall not be used for the storage of any data which are unrelated to the Charity’s processing of personal data.

  1. Data Processing Location

Data Processors shall only process the Charity’s personal data in a secure location, and not in any public place, e.g.: locations whether the data could be overlooked by others, or the removable data storage devices would be susceptible to loss or theft.

Computers/laptops in use for data processing will not be left unattended at any time.

  1. Data Backups

To protect against loss of data by accidental corruption of the data or malfunction of a removable data storage device (including by physical damage), all the Charity’s personal data shall be backed up periodically and whenever any significant changes (additions, amendments, deletions) are made to the data.

Backup copies of the data shall be held in separate secure locations which are not susceptible to common risks (e.g.: fire, flood, theft).

As far as is reasonably practical, all files containing personal data covered by the GDPR will be encrypted by the use of HNC-Meo, Kaspersky Vault or other comparable software.
The encryption keys will be held securely in a location which is separate from the data storage media.

  1. Obsolete or Dysfunctional Equipment (Disposal of Removable Storage Media)

Equipment used to hold personal data, whether permanently or as interim working copies, which come to the end of their useful working life, or become dysfunctional, shall be disposed of in a manner which ensures that any residual personal data held on the equipment cannot be recovered by unauthorised persons.

Inasmuch as:

  1. this will be a relatively infrequent occurrence

  2. techniques for data recovery and destruction are constantly evolving

  3. none of the Trustees have relevant up-to-date expert knowledge of data cleansing

equipment which becomes obsolete or dysfunctional shall not be disposed immediately.   Instead, it will be stored securely while up-to-date expert advice on the most appropriate methods for its data cleansing and disposal can be sought and implemented.

  1. Data Subjects

  1. The Rights of Data Subjects

In compliance with the GDPR the Charity will give data subjects the following rights.
These rights will be made clear in the relevant Data Privacy Notice provided to data subjects:

  • the right to be informed

  • the right of access

  • the right to rectification

  • the right of erasure Also referred to as “The right to be forgotten”

  • the right to restrict processing

  • the right to data portability

  • the right to object

  • the right not to be subjected to automated decision making, including profiling.

The above rights are not available to data subjects when the legal basis on which the Charity is holding & processing their data are: Subject Consent;  Contractual obligation  Legal Obligation;  Legitimate Interest

  1. Rights of Access, Rectification and Erasure

Data subjects will be clearly informed of their right to access their personal data and to request that any errors or omissions be corrected expediently.

Such access shall be given, and the correction of errors or omissions shall be made free of charge provided that such requests are reasonable and not trivial or vexatious.
There is no prescribed format for making such requests provided that:

  1. the request is made in writing, signed & dated by the data subject (or their legal representative);

  2. the data claimed to be in error or missing are clearly and unambiguously identified

  3. the corrected or added data are clear and declared by the subject to be complete and accurate.

It will be explained to subjects who make a request to access their data and/or to have errors or omissions corrected, or that their data be erased, that, while their requests will be actioned as soon as is practical there may be delays where the appropriate volunteers or staff to deal with the request do not work on every normal weekday.

Where a data subject requests that their data be rectified or erased the Data Controller and Data Processor will ensure that the rectifications or erasure will be applied to all copies of the subject’s personal data including those copies which are in the hands of a Third Party for authorised data processing.

  1. Right of Portability

The Charity will only provide copies of personal data to the subject (or the subject’s legal representative) on written request.

The Charity reserves the right either:

  1. to decline requests for portable copies of the subject’s personal data when such requests are unreasonable (ie: excessively frequent) or vexatious;
      or

  2. to make a reasonable charge for providing the copy.

  1. Data Retention Policy

Personal data shall not be retained for longer than:

  1. In the case of data held by subject consent:
    the period for which the subject consented to the Charity holding their data;

  2. in the case of data held by legitimate interest of the charity:
    the period for which that legitimate interest applies.   For example: in the case of data subjects who held a role, such as a volunteer, with the Charity the retention period is that for which the Charity reasonably has a legitimate interest in being able to identify that individual’s role in the event of any retrospective query about it;

  3. in the case of data held by legal obligation:
    the period for which the Charity is legally obliged to retain those data.

The Charity shall regularly – not less than every 6 months – review the personal data which it holds and remove any data where retention is no longer justified.   Such removal shall be made as soon as is reasonably practical, and in any case no longer than 20 working days (of the relevant Data Processor) after retention of the data was identified as no longer justified.

  1. Privacy Impact Assessment

  1. Trustees’ Data

The volume of personal data is very low – being less than 10 in number
The sensitivity of the data is low-moderate:   the most sensitive data being email address and telephone number;
The risk of data breach is small as the data are rarely used, with the majority of the data being held for a combination of legal obligation and legitimate interest.

Overall impact:   LOW

  1. Volunteers’/Members’ Data

The volume of personal data is low – less than 100 individuals
The sensitivity of the data is low:   the most sensitive data being an e-mail address;
The risk of data breach is small – primarily the accidental disclosure of names & e-mail addresses.

Overall impact:   LOW

  1. Supporters’ & Enquirers’ Data

The volume of personal data is low-moderate.

The sensitivity of the data is low:   the most sensitive data being an e-mail address;
The risk of data breach is small – primarily the accidental disclosure of names & e-mail addresses.

Overall impact:   LOW

 

11.4 Employees’ Data

The volume of personal data is very low – being less than 5 in number
The sensitivity of the data is low-moderate:   the most sensitive data being email address and telephone number;
The risk of data breach is small as the data are rarely used, with the majority of the data being held for a combination of legal obligation and legitimate interest.

Overall impact:   LOW



 

  1. Third Party Access to Data

Under no circumstance will the Charity share with, sell or otherwise make available to Third Parties any personal data except where it is necessary and unavoidable to do so in pursuit of its charitable objects as authorised by the Data Controller.

Whenever possible, data subjects will be informed in advance of the necessity to share their personal data with a Third Party in pursuit of the Charity’s objects.

Before sharing personal data with a Third Party the Charity will take all reasonable steps to verify that the Third Party is, itself, compliant with the provisions of the GDPR and confirmed in a written contract.   The contract will specify that:

  • The Charity is the owner of the data

  • The Third Party will hold and process all data shared with it exclusively as specified by the instructions of the Data Controller

  • The Third Party will not use the data for its own purposes

  • The Third Party will adopt prevailing industry standard best practice to ensure that the data are held securely and protected from theft, corruption or loss

  • The Third Party will be responsible for the consequences of any theft, breach, corruption or loss of the Charity’s data (including any fines or other penalties imposed by the Information Commissioner’s Office) unless such theft, breach, corruption or loss was a direct and unavoidable consequence of the Third Party complying with the data processing instructions of the Data Controller

  • The Third Party will not share the data, or the results of any analysis or other processing of the data with any other party without the explicit written permission of the Data Controller

  • The Third Party will securely delete all data that it holds on behalf of the Charity once the purpose of processing the data has been accomplished.

  • The Charity does not, and will not, transfer personal data out of the EU

  1. Data Breach

In the event of any data breach coming to the attention of the Data Controller the Trustees will immediately notify the Information Commission’s Office.

In the event that full details of the nature and consequences of the data breach are not immediately accessible (eg: because Data Processors do not work on every normal weekday) the Trustees will bring that to the attention of the Information Commissioner’s Office and undertake to forward the relevant information as soon as it becomes available.

  1. Privacy Policy & Privacy Notices

The Charity will have a Privacy Policy and appropriate Privacy Notices which it will make available to everyone on whom it holds and processes personal data, in accordance with 5.1.

In the case of data obtained directly from the data subject, the Privacy Notice will be provided at the time the data are obtained.

In the case that the data are not obtained directly from the data subject, the Privacy Notice will be provided within a reasonable period of the Charity having obtained the data (within one month), or,
if the data are used to communicate with the data subject, at the latest, when the first communication takes place; or
if disclosure to another recipient is envisaged, at the latest, before the data are disclosed.


 

Change Record

Date of Change:

Changed By:

Comments:

21/09/2022

LHA

Policy approved by the Trustees



 



 



 

 

Appendix
Extracts of Relevant Articles from the GDPR

  1. Article-4: Definitions

For the purposes of this Regulation:

  1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

  2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

  3. ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;

  4. ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

  5. ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

  6. ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

  7. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

  8. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

  9. ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

  10. ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

  11. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

  12. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

  13. ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

  14. ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

  15. ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

  16. ‘main establishment’ means: 

  1. as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;

  2. as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

  1. ‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;

  2. ‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

  3. ‘group of undertakings’ means a controlling undertaking and its controlled undertakings;

  4. ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;

  5. ‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;

  6. ‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because: 

  1. the controller or processor is established on the territory of the Member State of that supervisory authority;

  2. data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or

  3. a complaint has been lodged with that supervisory authority;

  1. ‘cross-border processing’ means either: 

  1. processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

  2. processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

  1. ‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;

  2. ‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council (¹);

  3. ‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

¹ Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (OJ L 241, 17.9.2015, p. 1).

  1. Article 6: Lawfulness of processing

    1. Processing shall be lawful only if and to the extent that at least one of the following applies: 

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

  3. processing is necessary for compliance with a legal obligation to which the controller is subject;

  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;

  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

  1. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.

  1. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by: 

  1. Union law; or

  2. Member State law to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.   That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX.   The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

  1. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia: 

  1. any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;

  2. the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;

  3. the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;

  4. the possible consequences of the intended further processing for data subjects;

  5. the existence of appropriate safeguards, which may include encryption or pseudonymisation.

  1. Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject

    1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.   The information shall be provided in writing, or by other means, including, where appropriate, by electronic means.   When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

    2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22.   In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.

    3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request.   That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.   The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.   Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

    4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

    5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge.   Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: 

  1. charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

  2. refuse to act on the request.

  1. The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

  2. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

  3. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing.   Where the icons are presented electronically they shall be machine-readable.

  4. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.

  1. Article 13: Information to be provided where personal data are collected from the data subject

    1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: 

  1. the identity and the contact details of the controller and, where applicable, of the controller’s representative;

  2. the contact details of the data protection officer, where applicable;

  3. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

  4. where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

  5. the recipients or categories of recipients of the personal data, if any;

  6. where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

  1. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing: 

the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

  1. the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

  2. where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

  3. the right to lodge a complaint with a supervisory authority;

  4. whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

  5. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

  1. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

  2. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.

  1. Article 24: Responsibility of the Controller

    1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.   Those measures shall be reviewed and updated where necessary.

    2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

    3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.

  1. Article 25: Data protection by design and by default

    1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

    2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.   That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.   In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.

    3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

bottom of page