Art. 4 medium Severity GDPR European Union

GDPR Article 4 — Definitions

Enforced by: ICO (UK) / National DPAs
Current as of May 25, 2018
Plain Language Summary
Core definitions. "Personal data" is broad — any information that can identify a person. "Controller" decides the why/how; "processor" acts on controller's behalf.

(1) "personal data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier.

(2) "processing" means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, erasure or destruction.

(7) "controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Related Enforcement Cases

British Airways — GDPR Data Breach Fine (£20M) £20M
Marriott International — GDPR Fine (£18.4M) £18.4M