According to Article 2 (a) of Regulation (EC) No 45/2001: "Any information relating to an identified or identifiable natural person, referred to as "data subject" - an identifiable person is someone who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity".
The name and the social security number are two examples of personal data which relate directly to a person. But the definition also extends further and also encompasses for instance e-mail addresses and the office phone number of an employee. Other examples of personal data can be found in information on physical disabilities, in medical records and in an employee's evaluation.
Personal data which is processed in relation to the work of the data subject remain personal/individual in the sense that they continue to be protected by the relevant data protection legislation, which strives to protect the privacy and integrity of natural persons. As a consequence, data protection legislation does not address the situation of legal persons (apart from the exceptional cases where information on a legal person also relates to a physical person).
► More about "personal data"
Personal data filing system
According to Article 2 sub (c) of Regulation (EC) No 45/2001, personal data filing system refers to "any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis."
The definition is independent of the size of the filing system, which may vary according to the circumstances. In some cases, such as for instance the case of disciplinary files for a small sized EU-body, the filing system can comprise just a handful of entries.
The acronym 'PETs' stands for "Privacy Enhancing Technologies". It refers to a coherent system of information and communication technology (ICT) measures that protect privacy by eliminating or reducing personal data or by preventing unnecessary and/or undesired processing of personal data, all without losing the functionality of the information system.
The use of PETs can help to design information and communication systems and services in a way that minimizes the collection and use of personal data and facilitates compliance with data protection rules. It should result in making breaches of certain data protection rules more difficult and/or helping to detect them.
PETs can be stand-alone tools requiring positive action by consumers (who must purchase and install them in their computers) or be built into the very architecture of information systems.
PNR is the acronym for "Passenger Name Record".
This information is collected by airlines or travel agencies at the time a passenger makes a reservation, before travelling. It differs from Advanced Passenger Information (API), which is collected later at the time of boarding.
In addition to the name of the passenger, PNR includes all information necessary for the reservation, such as:
- the travel agency responsible for the booking;
- the itinerary (including connections);
- the flights (number, date, time);
- groups of persons registered under the same booking;
- the passenger's contact details (telephone number, address, etc);
- payment/billing information;
- hotel or car booking;
- special service requests (such as seat number, special meal, medical assistance);
- "frequent flyer" information.
Enforcement authorities have shown interest in the collection of PNR data, with a view to fighting terrorism and other forms of crimes. The European Union has concluded agreements with third countries requesting such information, in order to establish minimal data protection safeguards on the use of this information. The Article 29 Working Party and the EDPS have adopted official opinions on these agreements.
Processing operations by Community institutions or bodies likely to present specific risks to the rights and freedoms of data subjects must be declared to the EDPS prior to the processing of the data (Article 27 of Regulation (EC) 45/2001).
The EDPS will examine whether the processing respects the Regulation and will deliver an opinion within a period of two months.
In his opinion, the EDPS may make recommendations to the institution or body concerned so as to ensure compliance.
Ex-post prior check
Prior checks concern not only operations not yet in progress (see "Proper prior checks") but also processing operations which started before the EDPS was appointed or before the Regulation (EC) 45/2001 came into force. In such situations a prior-check could not be "prior" in a strict sense but must be dealt with on an "ex post" basis. The EDPS has been absorbing the backlog in ex-post cases.
Proper prior check
The EDPS should give his opinion prior to the start of a processing operation so as to guarantee the rights and freedoms of the data subjects from the start (Article 27 of Regulation (EC) 45/2001). The term "proper prior checks" has been used to distinguish these cases from "ex-post" prior checks (see "Ex-post prior checks").
Privacy is the ability of an individual to be left alone, out of public view, and in control of information about oneself.
One can distinguish the ability to prevent intrusion in one's physical space ("physical privacy", for example with regard to the protection of the private home) and the ability to control the collection and sharing of information about oneself ("informational privacy").
The concept of privacy therefore overlaps, but does not coincide, with the concept of data protection.
The right to privacy is enshrined in the Universal Declaration of Human Rights (Article 12) as well as in the European Convention of Human Rights (Article 8).
Privacy by design
Privacy by design aims at building privacy and data protection up front, into the design specifications and architecture of information and communication systems and technologies, in order to facilitate compliance with privacy and data protection principles.
Processing (of personal data)
According to Article 2 (b) of Regulation (EC) No 45/2001, processing of personal data refers to "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction."
Personal data may be processed in many activities which relate to the professional life of a data subject. Examples from within the EU institutions and bodies include: the procedures relating to staff appraisals and to the billing of an office phone number, lists of participants at a meeting, the handling of disciplinary and medical files, as well as compiling and making available on-line a list of officials and their respective field of responsibilities.
Personal data relating to other natural persons than staff may also be processed. Such examples may concern visitors, contractors, petitioners, etc.
According to Article 2 (e) of Regulation (EC) No 45/2001, a processor shall mean "a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller."
The essential element is therefore that the processor only acts "on behalf of the controller" and thus only subject to his instructions.
For example, a security company monitoring the entries into an institution's building is not processing personal data of the persons entering a building for its own purpose, but on behalf of the institution concerned.
In some cases, the processor may choose not to process the data himself, but may have recourse to a subcontractor who processes the data on his behalf. In practice, this will depend upon the processor agreement entered into with the controller.
Transfers of personal data from a data controller to a data processor must be secured by a data processor agreement. It must meet certain minimum requirements, as set forth by Article 17 of the Data Protection Directive and Article 23 of Regulation (EC) No 45/2001.
The contract must stipulate that the data processor shall act only on instructions from the data controller. The data processor must provide sufficient guarantees in respect of the technical security measures and organisational measure governing the processing to be carried out, and must ensure compliance with such measures.
The Prüm Treaty is an international agreement signed on 27 May 2005 by Belgium, Germany, Spain, France, Luxembourg, Netherlands and Austria in order to improve cross-border cooperation in combating terrorism, cross-border crime and illegal immigration.
In June 2008 the Council adopted two decisions bringing the main provisions of this agreement into EU law, thus extending it to all EU Member States. These decisions focus on the exchange of biometric data (DNA and fingerprints) between police and judicial authorities, and requires Member States to set up DNA databases.
The EDPS issued two opinions (one on the initiative itself (pdf), one on its implementing rules (pdf)), recommending a step-by-step approach and highlighting that the specific provisions on data protection contained in the initiative are not stand-alone and should therefore be complemented by other general data protection rules.