Article 3*

Article 3 – Definitions

Commission Proposal


For the purposes of this Directive:
1. ‘data subject’ means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifiers or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

2. ‘personal data’ means any information relating to a data subject;

3. ‘processing’ means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

4. ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;

5. ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;

6. ‘controller’ means the competent public authority which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;

7. ‘processor’ means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

8. ‘recipient’ means a natural or legal person, public authority, agency or any other body to which the personal data are disclosed;

9. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

10. ‘genetic data’ means all data, of whatever type, concerning the characteristics of an individual which are inherited or acquired during early prenatal development;

11. ‘biometric data’ means any data relating to the physical, physiological or behavioural characteristics of an individual which allow their unique identification, such as facial images, or dactyloscopic data;

12. ‘data concerning health’ means any information which relates to the physical or mental health of an individual, or to the provision of health services to the individual;

13. ‘child’ means any person below the age of 18 years;

14. ‘competent authorities’ means any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;

15. ‘supervisory authority’ means a public authority which is established by a Member State in accordance with Article 39.

EDRi’s proposed amendment

For the purposes of this Regulation:
1. ‘data subject’ means an identified natural person or a natural person who can be identified or singled out, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number or other unique identifier, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

2. ‘personal data’ means any information relating to a data subject;

3. ‘processing’ means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction;

4. ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;

4a. ‘profiling’ means any form of automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person’s economic situation, location, health, personal preferences, reliability or behaviour;

5. ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;

6. ‘controller’ means the competent public authority which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;

7. ‘processor’ means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

8. ‘recipient’ means a natural or legal person, public authority, agency or any other body to which the personal data are disclosed;

9. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

10. ‘genetic data’ means all data, of whatever type, concerning the characteristics of an individual which are inherited or acquired during early prenatal development;

11. ‘biometric data’ means any data relating to the physical, physiological or behavioural characteristics of an individual which allow their unique identification, such as facial images, or dactyloscopic data;

12. ‘data concerning health’ means any information which relates to the physical or mental health of an individual, or to the provision of health services to the individual;

13. ‘child’ means any person below the age of 18 years;

14. ‘competent authorities’ means any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;

15. ‘supervisory authority’ means a public authority which is established by a Member State in accordance with Article 39.

Justification:

This amendment aligns the wording with EDRi’s proposed amendments to Art. 4 (Definitions) of the proposed General Data Protection Regulation.

In many applications, identifying a natural person is not needed to have an adverse effect on the person; “singling out”, i.e. the possibility to distinguish the person from other persons in a group, is sometimes enough. See also the opinion of the Article 29 Working Party on the concept of personal data (WP136).

It is also advisable to define profiling in this Article. This distinguishes the act of profiling from the measures taken based on the results of such profiling, on which further rules are set out in Article 9.

For a personal data breach to occur, the decisive element is not the breach of security measures, but rather the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Consider a case in which no security measures are in place, and so unauthorised access to personal data can happen without breaching such measures.

The launch and upkeep (until December 31, 2013) of this website received financial support from the EU's Fundamental Rights and Citizenship Programme.