Skip to main content

GDPR: Key Terms

For the purposes of the GDPR, the University of Warwick is classified as a Data Controller.

Personal Data

'Personal Data' is any information relating to an identified or identifiable natural person (‘data subject’). For more information please feel free to download our Personal Data PDF, which includes a number of examples but is not an exhaustive list.

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier (such as a name, an identification number, location data, an online identifier), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Special Category Data

'Special Category Data', previously called 'Sensitive Personal Data', is subject to greater controls around processing; it refers to data regarding:

  • racial or ethnic origin,
  • political opinions,
  • religious or philosophical beliefs, or trade union membership,
  • genetic data,
  • biometric data (for the purpose of identifying a natural person),
  • data concerning health or
  • data concerning a natural person's sex life or sexual orientation

Processing

Any operation performed on the data, for example: collecting, using, disclosing, retaining or disposing of personal data.

GDPR General Principles

A data controller must comply with all six general principles (which are similar in nature to the 8 principles under the current DPA) when processing personal data:

  1. Lawfulness, fairness and transparency - Personal data must be processed lawfully, fairly and in a transparent manner.
  2. Purpose limitation - Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (with exceptions for public interest, scientific, historical or statistical purposes).
  3. Data minimisation - Personal data must be adequate, relevant and limited to what is necessary in relation to purposes for which they are processed.
  4. Accuracy - Personal data must be accurate and, where necessary, kept up to date. Inaccurate personal data should be corrected or deleted.
  5. Retention - Personal data should be kept in an identifiable format for no longer than is necessary (with exceptions for public interest, scientific, historical or statistical purposes).
  6. Integrity and confidentiality - Personal data must be kept securely.

Conditions for Processing (Article 6(1))

To legally process personal data at least one of the following conditions must be met (processing of special category data requires that additional conditions are met):

  1. Consent - The individual has given consent to the processing for one or more specific purposes. Consent will be much harder to obtain under the Regulation (further information here).
  2. Necessary for performance of a contract - The processing is necessary for the performance of a contract with the individual or in order to take steps at the request of the individual prior to entering into a contract.
  3. Legal obligation - The processing is necessary for compliance with a legal obligation to which the data controller is subject. Only legal obligations under Union or Member State law will satisfy this condition. However, that law need not be statutory (e.g. common law obligations are sufficient).
  4. Vital interests - The processing is necessary in order to protect the vital interests of the individual or of another natural person. This is typically limited to processing needed for medical emergencies.
  5. Public functions - The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Those functions must arise under Member State or EU law.
  6. Legitimate interests - The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Controllers should undertake a legitimate interests test which involves a “careful assessment of” the underlying processing to ensure it properly balances the interest of the controller against any potential intrusion to the individual’s privacy. In particular, would the individual “reasonably expect” that processing for that purpose will take place.

Public authorities like the University can only rely on Legitimate Interests when performing non-public tasks (and where the processing activity passes the legitimate interests test).

Processing Condition - Special category data (Article 9(2))

The Regulation places much stronger controls on the processing of special category data. Where sensitive personal data is processed, it must also satisfy at least one of the following special category personal data processing conditions:

  1. Explicit consent - The individual has given explicit consent. However, Union or Member State law may limit the circumstances in which consent is available.
  2. Legal obligation related to employment - The processing is necessary for a legal obligation in the field of employment and social security law or for a collective agreement.
  3. Vital interests - The processing is necessary in order to protect the vital interests of the individual or of another natural person. This is typically limited to processing needed for medical emergencies.
  4. Not for profit bodies - The processing is carried out in the course of the legitimate activities of a not-for-profit body and only relates to members or related persons and the personal data is not disclosed outside that body without consent.
  5. Public information - The processing relates to personal data which is manifestly made public by the data subject.
  6. Legal claims - The processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
  7. Substantial public interest - The processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law.
  8. Healthcare - The processing is necessary for healthcare purposes and is subject to suitable safeguards.
  9. Public health - The processing is necessary for public health purposes and is based on Union or Member State law.
  10. Archive - The processing is necessary for archiving, scientific or historical research purposes, or statistical purposes and is based on Union or Member State law. Member States can introduce additional conditions in relation to health, genetic, or biometric data.

Consent

Consent is a freely given, specific, informed, and unambiguous indication of the individual’s wishes. The controller must keep records so it can demonstrate that consent has been given by the relevant individual. In addition, the following principles apply:

  • Plain language - A request for consent must be in an intelligible and accessible form in clear and plain language and in accordance with the Directive on unfair terms in consumer contracts.
  • Separate - where the request for consent is part of a written form, it must be clearly distinguishable from other matters.
  • Affirmative action - The consent must consist of a clear affirmative action. Inactivity or silence is not enough and the use of “pre-ticked boxes” is not permitted. However, consent through a course of conduct remains valid.
  • Consent to all purposes - If the relevant processing has multiple purposes, consent must be given for all of them. The meaning of this provision is not clear. At one extreme it might prevent mixed justifications for different activities. For example, it would not be possible to rely on performance of a contract when providing services to an individual and obtain a separate ancillary consent for direct marketing. You would need a (valid) consent for them all.
  • No detriment - Consent will not be valid if the individual does not have a genuine free choice or if there is a detriment if they refuse or withdraw consent.
  • No power imbalance - Consent might not be valid if there is a clear imbalance of power between the individual and the controller, particularly where the controller is a public authority.
  • Unbundled consent - You cannot “bundle consent”. Where different processing activities are taking place, consent is presumed not valid unless the individual can consent to them separately.
  • Not tied to contract - Consent is presumed not valid if it is a condition of performance of a contract.
  • Withdrawable - The individual can withdraw consent at any time and must be told of that right prior to giving consent. It should be as easy to withdraw consent as it is to give it.
  • Finally, consent must be explicit if you are processing sensitive personal data or transferring personal data outside the Union. This entails a degree of formality, for example the individual ticking a box containing the express word “consent”. Explicit consent cannot be obtained through a course of conduct.