What is Privacy?

Privacy can be explained as a state where you are free from interference or intrusion. Information privacy is the right to have control over your information. This includes who has your information, why do they have your information, how do they use your information, as well as such rights to have your information erased, corrected, and secured.

What are some of the Privacy Regulations?

Most countries have some form of regulations concerning privacy. But most prominent among them is Council of Europe’s Convention 108 (superseded by Convention 223), European Unions’ General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), UK Data Protection Act 2018, and others.

What constitutes Personal Data?

Though the definition varies, the Council of Europe defined “personal data” to be any information relating to an identified or identifiable individual (Data Subject). This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier. Personal data can be a piece of information which by itself can identify a person (e.g. government ID numbers, bank account numbers) or multiple data sources which, when combined, can identify a person (e.g. name and current organization of work).

Are online identifiers personal data?

Yes, in the digital world data subjects are increasingly associated with online identifiers provided by their devices, applications, tools, and protocols. When combined with unique identifiers and other information received by servers, they may be used to identify data subjects and create profiles; in this case, they qualify as personal data under the GDPR. Some examples are IP addresses, cookies and RFID tags, Advertising IDs.

What are special categories of personal data?

Special categories of personal data vary by different regulators. Council of Europe lists the following:

• Genetic data;
• personal data relating to offenses, criminal proceedings and convictions, and related security measures;
• biometric data uniquely identifying a person; and
• personal data for the information they reveal relating to racial or ethnic origin, political opinions, trade-union membership, religious or other beliefs, health or sexual life.

Who is a Data Controller, Processor, Recipient, and Joint Controller?

“Controller” means the natural or legal person, public authority, service, agency or any other body which, alone or jointly with others, has decision-making power with respect to data processing.

“Processor” means a natural or legal person, public authority, service, agency or any other body which processes personal data on behalf of the controller.

“Recipient” means a natural or legal person, public authority, service, agency or any other body to whom data are disclosed or made available.

Where two or more controllers jointly determine the purposes and means of processing, they shall be Joint Controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation.