Data Protection Act 2018

69.

Interpretation ( Part 5)

69. (1) In this Part—

“biometric data” means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual that allow or confirm the unique identification of the individual, including facial images or dactyloscopic data;

“competent authority”, subject to subsection (2), means—

(a) a public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties in the State, including the safeguarding against, and the prevention of, threats to public security, or

(b) any other body or entity authorised by law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties in the State, including the safeguarding against, and the prevention of, threats to public security;

“controller”, subject to subsection (2), means—

(a) a competent authority that, whether alone or jointly with others, determines the purposes and means of the processing of personal data, or

(b) where the purposes and means of the processing of personal data are determined by the law of the European Union or otherwise by the law of the State, a controller nominated—

(i) by that law, or

(ii) in accordance with criteria specified in that law;

“data concerning health” means personal data relating to the physical or mental health of an individual, including the provision of health care services to the individual, that reveal information about the status of his or her health;

“data protection impact assessment” has the meaning assigned to it by section 84(1) ;

“data protection officer” has the meaning assigned to it by section 88(1) ;

“data subject” means an individual to whom personal data relate;

“genetic data” means personal data relating to the inherited or acquired genetic characteristics of an individual that give unique information about the physiology or the health of the individual and that result, in particular, from an analysis of a biological sample from the individual in question;

“international organisation” means—

(a) an organisation, and subordinate bodies of an organisation, governed by public international law, or

(b) any other body that is established by, or on the basis of, an agreement between two or more states;

“joint controller” has the meaning assigned to it by section 79(1) ;

“online identifier” includes an internet protocol address, a cookie identifier or other identifier such as a radio frequency identification tag;

“personal data” means information relating to—

(a) an identified living individual, or

(b) a living individual who can be identified from the data, directly or indirectly, in particular by reference to—

(i) an identifier such as a name, an identification number, location data or an online identifier, or

(ii) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual;

“personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

“processing”, of or in relation to personal data, means an operation or a set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, including—

(a) the collection, recording, organisation, structuring or storing of the data,

(b) the adaptation or alteration of the data,

(c) the retrieval, consultation or use of the data,

(d) the disclosure of the data by their transmission, dissemination or otherwise making the data available,

(e) the alignment or combination of the data, or

(f) the restriction, erasure or destruction of the data;

“processor” means an individual who, or a legal person, public authority, agency or other body that, processes personal data on behalf of a controller, but does not include an employee of a controller who processes such data in the course of his or her employment;

“profiling” means any form of automated processing of personal data consisting of the use of the data to evaluate certain personal aspects relating to an individual, including to analyse or predict aspects concerning the individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

“pseudonymisation” means the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that—

(a) such additional information is kept separately from the data, and

(b) is subject to technical and organisational measures to ensure that the data are not attributed to an identified or identifiable individual;

“rectification”, of or in relation to personal data, includes, where the data concerned are incomplete, the completion of the data, whether by means of a supplementary statement or otherwise;

“recipient”, of or in relation to personal data, means an individual to whom, or a legal person, public authority, agency or other body to which, the data are disclosed, and includes a third party;

“relevant filing system” means a set of personal data, whether centralised, decentralised or dispersed on a functional or geographical basis, where the set is structured according to specific criteria in such a way that the data are readily accessible according to those criteria;

“restrict”—

(a) in relation to the exercise of the right of a data subject—

(i) under section 87(1) to be notified of a personal data breach,

(ii) under section 92(10) to be notified of the restriction of the processing of personal data under subsection (9) of that section, or

(iii) under section 92(11) to be notified of a decision not to rectify or erase data pursuant to a request under subsection (1) or (3) of that section, as the case may be,

means—

(I) to delay the notification concerned,

(II) to limit the information contained in the notification concerned, or

(III) not to make the notification concerned,

and

(b) in relation to the exercise of the right of a data subject—

(i) under section 90(1) in so far as relates to the provision to the data subject of information specified in subsection (2)(f) of that section, or

(ii) under section 91(1)(a) or (b),

means—

(I) to delay the provision of the information concerned,

(II) to limit the information concerned provided to the data subject, or

(III) not to provide the information concerned;

“restriction of processing” means the marking, by or on behalf of a controller, of personal data for which the controller is responsible for the purpose of limiting their processing in the future;

“special categories of personal data” means—

(a) personal data revealing—

(i) the racial or ethnic origin of the data subject,

(ii) the political opinions or the religious or philosophical beliefs of the data subject, or

(iii) whether the data subject is a member of a trade union,

(b) genetic data,

(c) biometric data for the purposes of uniquely identifying an individual,

(d) data concerning health, or

(e) personal data concerning an individual’s sex life or sexual orientation.

(2) Where a reference is made in this Part—

(a) to a controller in a Member State other than the State, for the purposes of that reference—

(i) in the definition of “competent authority” in subsection (1), the references to “in the State” shall be construed as meaning “in the Member State concerned”, and

(ii) in the definition of “controller” in subsection (1), the reference to “the law of the State” shall be construed as meaning “the law of the Member State concerned”,

or

(b) to a controller in a third country, for the purposes of that reference—

(i) in the definition of “competent authority” in subsection (1), the references to “in the State” shall be construed as meaning “in the state concerned”, and

(ii) in the definition of “controller” in subsection (1), the reference to “the law of the European Union or the law of the State” shall be construed as meaning “the law of the state concerned”.

(3) A word or expression that is used in this Part and is also used in the Directive has, unless the context otherwise requires, the same meaning in this Part as it has in the Directive.