UK GDPR Blog

Processing of which individual’s personal data is regulated by UK GDPR?

1. What does UK GDPR refer to?
UK GDPR refers to UK legislation (originating from the EU), in particular EU General Data Protection Regulation No.2016/679, supplemented by the Data Protection Act 2018.

2. Which data is considered ‘personal data’ by UK GDPR?
According to UK GDPR, ‘personal data’ means any information relating to an identified or identifiable natural person.

For example:

  • a name,
  • an identification number,
  • location data,
  • an online identifier.

‘Special categories of personal data’, or ‘sensitive’ information, consist of particular and specific information about an individual, such as data on physical, physiological, genetic, mental, economic, cultural, or social identity.


3. How is ‘processing’ defined by UK GDPR?
Before answering the question asked by the third paragraph of this publication, let’s clarify the meanings of ‘processing’ and ‘operation’, as well as their interconnection.

3.1. What does ‘processing’ mean?
Processing (or a ‘processing operation’) of private data means an operation or a combination of operations that are performed by using personal data or units of personal data, whether or not they are obtained by automated means.

3.2. Which operations does private data processing include?
An operation or combination of operations performed by using personal data or units of personal data includes the following actions:

  • collection of personal data,
  • recording of personal data,
  • organisation of personal data,
  • structuring of personal data,
  • storage of personal data,
  • adaptation or alteration of personal data,
  • retrieval of personal data,
  • consultation using personal data,
  • use of personal data,
  • disclosure by transmission of personal data,
  • dissemination of personal data, or otherwise making personal data available,
  • alignment or combination of personal data,
  • restriction of personal data,
  • erasure or destruction of personal data.

Generally, processing sensitive personal data is prohibited. However, an entity can process a special category of personal data if the processing satisfies one of the conditions defined by UK GDPR.

Legal grounds for processing sensitive information are more demanding than those for processing other types of personal data. A controller must be able to demonstrate that the processing of sensitive information is strictly necessary and satisfies one of the conditions in Schedule 8 of the Data Protection Act 2018, or is based on explicit consent.

3.3. What is the interconnection between ‘processing’ and ‘operation’?
An operation or a combination of operations shall mean processing. An operation can include defined actions using personal data that are specified by UK GDPR.

4. Conclusion

  1. UK GDPR regulates processing of any information relating to an identified or identifiable natural person, which comprises personal data.
  2. Processing is an operation or a combination of operations that include certain actions using personal data that are specified by UK GDPR.
  3. UK GDPR prohibits processing ‘sensitive’ information unless it is subject to processing in specific circumstances or for specific purposes defined by UK GDPR, and Schedule 8 of the Data Protection Act 2018.
  4. Processing sensitive data requires a high level of protection and demands extra care from controllers. It is therefore advised to address information security responsibly, protecting sensitive personal data with regard to legal and regulatory requirements.

Date: 8 June 2021
Author: Dr. Elizabeth Sushko
ElsushkoLawyersTM

What is the correlation between ‘data subject’, ‘controller’, and ‘processing’?

1. How can ‘data subject’, ‘controller’, and ‘processing’ be explained?
To answer this question, let’s clarify how ‘data subject’, ‘controller’ and ‘processing’ are defined by UK GDPR.

1.1. What is a ‘data subject’?
A ‘data subject’ is an individual (a natural person) who is identified or who is identifiable.
An identifiable individual is someone who can be identified either directly or indirectly.
An identifiable individual can be identified by reference to an identifier such as:

  • a name,
  • an identification number,
  • location data,
  • an online identifier.

An individual can also be identified by reference to their physical, physiological, genetic, mental, economic, cultural, or social identity, which would constitute ‘sensitive’ information.

1.2. What is a ‘controller’?
A ‘controller’ means either a natural or a legal person, public authority, agency, or other entity.
A ‘controller’, solely or jointly with another controller or controllers, determines the purposes and means of personal data processing.

1.3. How should ‘processing’ be understood?
1.3.1. What does ‘processing’ mean under UK GDPR?
‘Processing’ refers to an operation or a combination of operations that are performed on personal data or on sets of personal data, whether or not by automated means. It can also be called a ‘processing operation’.

1.3.2. What does ‘processing’ include?
Processing of private data includes the following actions on private data:

  • collection,
  • recording,
  • organisation,
  • structuring,
  • storage,
  • adaptation or alteration,
  • retrieval,
  • consultation,
  • use,
  • disclosure by transmission,
  • dissemination or otherwise making available,
  • alignment or combination,
  • restriction,
  • erasure or destruction.

2. How are ‘data subject’, ‘controller’, and ‘processing’ interconnected?
Processing of personal data is exercised by a controller or jointly by controllers that define purposes and means of such processing.
A controller is connected with a data subject through an operation of processing, where a controller processes private data of a data subject.

3. Conclusion

  1. An individual who is identified or who is identifiable shall mean a ‘data subject’ under UK GDPR. Purposes and means of personal data processing are determined by a controller. ‘Processing’ refers to an operation or a combination of operations that are performed over personal data or sets of personal data as outlined in UK GDPR.
  2. The correlation between ‘data subject’, ‘controller’, and ‘processing’ can be visualised in the following way:

Date: 31 May 2021
Author: Dr. Elizabeth Sushko
ElsushkoLawyersTM

What is the difference between “GDPR” and “UK GDPR”?
1. What does “GDPR” mean?
“GDPR” means General Data Protection Regulations.
The General Data Protection Regulation No.679 was adopted by the European Parliament and the Council of the European Union on 27 April 2016.
The European Data Protection Regulations became applicable as of 25 May, 2018.
A regulation is a legal act of the European Union that becomes immediately enforceable as law in all EU member states simultaneously (Article 288 of the Treaty on the Functioning of the European Union).
This General Data Protection Regulation repealed Directive 95/46/EC (General Data Protection Regulation) on data protection and privacy in the European Union (EU) and the European Economic Area (EEA).
This General Data Protection Regulation is focused on the protection of individuals with regard to the processing of personal data. It also regulates the transfer of personal data outside of the EU and the EEA.
The purpose of Regulation No. 679 is to give individuals control over the processing of their personal data. It also unifies relevant regulations within the EU and makes clear standards and requirements for international data transactions.
With reference to article 2 of the GDPR, “This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where a Member State’s law applies by virtue of public international law.”

2. What does “UK GDPR” mean?
“UK GDPR” refers to the UK General Data Protection Regulations.
The United Kingdom joined the EU on 1 January 1973.
After 47 years, the UK became the first and only country that officially left the EU. After long-term negotiations, a final deal that defined their future relationships was agreed between the UK and the EU; it took effect at 23.00 GMT on 31 December 2020.
During the UK’s membership of the EU, organisations in the UK complied with General Data Protection Regulation No.679 alongside the Data Protection Act 2018.
After 23.00 GMT on 31 December 2020, the UK officially left the EU. However, the GDPR was retained in UK law and became the UK GDPR. In the UK it is referred to as “UK legislation (originating from the EU).”
UK GDPR is supplemented by the Data Protection Act 2018.
Together, these laws form the data protection regime in the UK.

3. Conclusions
  1. “GDPR” means General Data Protection Regulations.
  2. The General Data Protection Regulation No.679 is a legal act of the European Union that became enforceable as law in all EU member states. The European Data Protection Regulation entered into force in 2018.
  3. After the UK officially left the EU on the last calendar day of 2020, the GDPR has been retained in UK law as the UK GDPR, which is referred to as UK legislation (originating from the EU) and is supplemented by the Data Protection Act 2018.
  4. In order to avoid confusion in “GDPR” terminology, GDPR of the EU can be referred to as the “EU GDPR”, whereas “UK GDPR” implies that this GDPR is part of UK legislation.

Date: 21 May 2021
Author: Dr. Elizabeth Sushko
ElsushkoLawyersTM
