10 important concepts within the GDPR!

26 June 2017

The General Data Protection Regulation contributes with a lot of new, and sometimes difficult, concepts that are of course not explaining themselves. We will in this article go through and clarify some of the most important concepts in the regulation which are good to have knowledge about.

Personal data
Any information relating to an identified or “identifiable” natural person (also called data subject in the regulation). An identifiable
natural person is someone who can be identified, directly or indirectly – namely also through a combination of information or by an exclusion method. Examples of personal data: name, identification number, location data, salary, allergies, physical and psychological identifiers, photo, IP-address and so on.

An operation or set of operations which is either by automated means or not and concerns personal data, e.g. collection, organization, structuring, adaption or alteration, use, erasure, restriction and so on.

Data controller
A natural or legal person, public authority, agency or other body which determines the purpose and means of the processing of the personal data, either alone or jointly with others. Regarding legal persons the board is usually the ones that are mainly responsible and not the employees which are processing the personal data.

Data processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. The processor is always located outside the own organization. It could e.g. be an advertising agency which needs access to personal data in the form of addresses to your costumers to be able to send advertisements directly to them.

Third party
A natural or legal person, public authority, agency or other body that is not the data subject, controller, processor and persons who under the direct authority of the controller or processor, are authorized to process personal data. In short, the third party is another data subject that can be affected negatively by your processing of personal data.

Data Protection Officer
The Data Protection Officer (DPO) controls that people within your organization works in accordance with the GDPR through informative measures. The DPO is independent from the controller and the processor. The controller and the processor are not allowed to give instructions to the DPO. Furthermore, the DPO is the contact person between your organization and the data subject and the Data Protection Authority.

The DPO is the person who controls that you, within your organization, follows GDPR through informative measures.

Privacy by design
Measures within the IT-system regarding protection of personal integrity. The Swedish Data Protection Authority (Datainspektionen) states that the integrity questions shall affect the whole lifecycle of the system where you shall focus on minimizing the amount of personal data, limit the access to the data, protect the data subjects and develop user-friendly IT-systems. This is something that will probably be developed by IT-companies, thus it is important to have knowledge about this concept since the person in charge of handling the personal data (that is to say, you as data controller or data processor) is also responsible for GDPR-compliance.

Profiling is automated processing of personal data to evaluate certain personal aspects relating to a natural person. In particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, behavior and so on.

Pseudonymization is processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. This means that you remove the identifications to natural persons with the purpose to not be able to identify them, e.g. instead of you knowing the identity of your old customers you attribute to them a certain number. The condition for pseudonymization is that the complementing data is stored separately and that not everyone has access to it.

Data breach
A breach of security leading to the accidental or unlawful destruction, loss or alteration of personal data that is being processed. If a breach of security leads to unauthorized disclosure of, or access to, personal data it is also perceived as a personal data breach.

If you have any questions, please contact us at info@gdprhero.se or call us on 046 – 273 17 17. We are here to help you!


Laurita Krisciunaite



The content presented in this blog contains general information and is not to be considered as legal advice.
The content presented in this blog contains general information and is not to be considered as legal advice. Please reach out to us if you have any questions.

Related articles

Data processing agreements

Data processing agreements

Data processing agreements (DPA) are an essential part for organisations which transfers or collects personal data...