Basic terms

Learn the basic terms of personal data protection

What is personal data?

Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, surname, an identification number, etc., or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

For example, personal data includes:
  • A natural person’s address
  • Telephone number
  • E-mail address
  • Personal photograph
  • Identification number/PIN (OIB)
  • Passport number
  • Biometric data (fingerprints, iris scans)
  • Data on education and professional qualifications
  • Data on salary
  • Data on loan debt
  • Data on bank accounts
  • Location data
  • Online identifiers.

Special categories of personal data: personal data which pertains to racial or ethnic origin, political opinions, religion or other beliefs, trade union membership, health or sex life, personal data on criminal and misdemeanour proceedings, genetic data, biometric data (e.g. fingerprints).
 
What is a data subject?
An individual (data subject) is a natural person who can be identified, directly or indirectly, in particular by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
 
What is personal data processing?
Processing includes activities such as collecting, recording, using, storing, consulting, disclosing to third parties, transmitting or destroying personal data. 
 
Who processes your personal data?

Data controller
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Examples of data controllers: companies or trade businesses which process data of their employees and/or clients, i.e. users of their services; financial institutions which process personal data of their customers/clients; associations which process data of their members; schools or universities which process personal data of their students or teachers/employees; hospitals which process personal data of their patients; public authorities or authorities of units of local and regional self-government which process citizens’ personal data.

Data processor
A natural or legal person, public authority, company, organisation, enterprise or other body which processes personal data on behalf of the controller. Processing by a data processor is governed by a contract or other legal act.

Examples of data processors: an accounting company which processes data on salaries of employees of an employer; companies authorised to provide private security services; an agency collecting claims pursuant to a concluded business cooperation agreement.

What is consent?
Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
 
What is a personal data breach?
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
 
What is the role of the data protection officer?
The data protection officer helps the data controller or data processor with all matters pertaining to personal data protection. The most important role of the data protection officer is to inform and advise the controller or processor and the employees of this controller or processor of their obligations pursuant to the data protection act and to monitor the organisation’s compliance with data protection provisions.