Australia
Answer ... (a),(b),(c) There is no concept of “data processing” under the Privacy Act. The Privacy Act regulates the collection, holding, use, disclosure and destruction or de-identification of personal information. Each – APP entity that undertakes any of these activities is regulated in the same way. As a consequence, there is no concept of “data processor” or “data controller” under the Privacy Act.
(d) There is no concept of “data subject” under the Privacy Act. The Privacy Act applies to personal information of living natural persons.
(e) There is no definition of “personal data” in the Privacy Act. Instead “personal information” is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information is true or recorded in a material form.
(f) There is no definition of “sensitive personal data” in the Privacy Act. Instead “sensitive information” is a subset of personal information and includes:
- information or an opinion about a person’s race, political stance, religion, trade union and other professional memberships, sexual preferences and criminal record provided this is also personal information;
- health and genetic information about a person; and
- biometric information used for verification or identification and biometric templates of a person.
(g) In the Privacy Act “consent” is defined to mean express or implied consent. The Office of the Australian Information Commissioner (OAIC) Guidelines require that an individual is adequately informed before giving consent, that consent is voluntary, current and specific and that the individual has the capacity to understand and communicate his or her consent. Consent is required only in limited cases under the Privacy Act, such as for the collection and use of sensitive information.
India
Answer ... (a) Data processing
The IT Act and the Privacy Rules do not define ‘data processing’.
(b) Data processor
The IT Act and the Privacy Rules do not define ‘data processor’. However, the government distinguishes between:
- an entity that merely processes personal information and sensitive personal data or information (SPDI) on behalf of another body corporate, on the one hand; and
- an entity that actually collects personal information and SPDI from a data subject, on the other.
Please see question 2.2 for more details.
(c) Data controller
The IT Act and the Privacy Rules do not define ‘data controller’. However, the government distinguishes between:
- an entity that merely processes personal information and sensitive personal data or information (SPDI) on behalf of another body corporate, on the one hand; and
- an entity that actually collects personal information and SPDI from a data subject, on the other.
Please see question 2.2 for more details
(d) Data subject
The IT Act and the Privacy Rules do not define ‘data subject’. Instead, the Privacy Rules refer to the concept of ‘provider of information’. A ‘provider of information’ is a natural person who provides sensitive personal data or information to a body corporate.
(e) Personal data
The Privacy Rules define ‘personal data’ or ‘personal information’ as any information that relates to a natural person and that either directly or indirectly, in combination with other information available or likely to be available to a body corporate, is capable of identifying that person.
(f) Sensitive personal data
The Privacy Rules define ‘sensitive personal data or information’ (SPDI) as personal information relating to a data subject’s:
- password;
- financial information, such as bank account, credit card, debit card or other payment instrument details;
- physical, physiological and mental health conditions;
- sexual orientation;
- medical records and history; or
- biometric information.
(g) Consent
There is no specific definition of ‘consent’ under the IT Act and Privacy Rules.
Liechtenstein
Answer ... (a) Data processing
The gathering, processing or use of personal data by a processor in accordance with the instructions of the controller based on a contract.
(b) Data processor
Pursuant to Article 4 of the General Data Protection Regulation, a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
(c) Data controller
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law.
(d) Data subject
An identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly – in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(e) Personal data
Any information relating to an identified or identifiable natural person.
(f) Sensitive personal data
Personal data revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data; biometric data for the purpose of uniquely identifying a natural person; data concerning health; and data concerning a natural person’s sex life or sexual orientation.
Luxembourg
Answer ... (a) Data processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(b) Data processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
(c) Data controller
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law.
(d) Data subject
An identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(e) Personal data
Any information relating to an identified or identifiable natural person.
(f) Sensitive personal data
Personal data regarding racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, data concerning health, sex life or sexual orientation, genetic data and biometric data.
(g) Consent
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him/her.
Pakistan
Answer ... (a) Data processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(b) Data processor
A natural or legal person, or the government, which alone or in conjunction with others processes data on behalf of the data controller.
(c) Data controller
A natural or legal person, or the government, which either alone or jointly with others has the authority to make a decision on the collection, obtaining, usage or disclosure of personal data.
(d) Data subject
A natural person who is the subject of the personal data.
(e) Personal data
Any information that relates directly or indirectly to a data subject who is identified or identifiable from that information, or from that and other information in the possession of a data controller, including any sensitive personal data. Anonymised, encrypted or pseudonymised data which is incapable of identifying an individual is not personal data.
(f) Sensitive personal data
This includes:
- data relating to access control (username and/or password);
- financial information such as details of bank accounts, credit cards, debit cards or other payment instruments;
- passport information;
- biometric data;
- information on the data subject’s physical, psychological or mental health conditions;
- medical records;
- details pertaining to an individual’s ethnicity or religious beliefs; and
- any other information for the purposes of the Pakistan Personal Data Protection Bill, 2020 and rules issued thereunder.
(g) Consent
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, through a statement or a clear affirmative action, signifies agreement to the collection, obtaining and processing of his or her personal data.
Portugal
Answer ... (a) Data processing
Any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(b) Data processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
(c) Data controller
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law.
(d) Data subject
An identifiable natural person who can be identified, directly or indirectly – in particular, by reference to an identifier such as a name, an identification number, location data or online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(e) Personal data
Any information relating to an identified or identifiable natural person (‘data subject’).
(f) Sensitive personal data
Personal data that reveals a data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying that person, data concerning his or her health or data concerning his or her sex life or sexual orientation.
(g) Consent
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, through a statement or a clear affirmative action, signifies agreement to the processing of his or her personal data.
Switzerland
Answer ... (a) Data processing
Any operation with personal data, irrespective of the means applied and the procedure, and in particular the collection, storage, use, revision, disclosure, archiving or destruction of data.
(b) Data processor
The DPA does not explicitly use this term and accordingly, there is no statutory definition. The Federal Data Protection and Information Commissioner (FDPIC) defines a ‘data processor’ or ‘data importer’ as a natural or legal person, public authority, agency or any other body (established in another country) that agrees to receive personal data from the ‘data exporter’/‘data controller’ for the purpose of processing such data on behalf of the latter after the transfer in accordance with its instructions.
(c) Data controller
The DPA does not explicitly use this term and accordingly, there is no statutory definition. The FDPIC defines a ‘data controller’ or ‘data exporter’ as a natural or legal person, public authority, agency or any other body established in Switzerland which, individually or together with others, determines the purpose and means of the processing of personal data and which transfers such data for the purpose of its processing on their behalf.
(d) Data subject
A natural or legal persons whose data is processed.
(e) Personal data
All information relating to an identified or identifiable person.
(f) Sensitive personal data
Data relating to:
- religious, ideological, political or trade union-related views or activities;
- health, one’s intimate life or racial origin;
- social security measures; and
- administrative or criminal proceedings and sanctions.
(g) Consent
Consent must be given voluntarily, based on the provision of adequate information. Additionally, consent must be given expressly in the case of processing of sensitive personal data or personality profiles
Taiwan
Answer ... (a) Data processing
The term ‘processing’ under the Personal Data Protection Act (PDPA) covers two activities: ‘processing’ and ‘use’. Under the PDPA, ‘processing’ refers to the act of recording, inputting, storing, compiling/editing, correcting, duplicating, retrieving, deleting, outputting, connecting or internally transferring data for the purpose of establishing or using a personal data file. ‘Use’ refers to the act of using personal data through any method other than processing.
(b) Data processor
The PDPA does not specifically adopt any of the terms used in European countries – such as ‘data controller’, ‘data processor’ or ‘data owner’ – to refer to the relevant parties involved in personal data-related activity, although these concepts are embedded in the PDPA. Under the PDPA, a ‘data processor’ is a person or entity that is retained by another to perform data processing activities.
(c) Data controller
Again, the PDPA does not explicitly adopt this term in its text; it simply subjects ‘government agencies’ and ‘non-government agencies’ to two different sets of rules in regard to personal data related activities.
(d) Data subject
Under the PDPA, the term ‘data subject’ refers to an individual whose personal data is collected, processed or used.
(e) Personal data
The PDPA defines ‘personal data’ as a natural person’s name, date of birth, identity card number, passport number, features, fingerprints, marital status, family information, education background, occupation, medical records, healthcare data, genetic data, details of his or her sex life, records of physical examination, criminal records, contact information, financial conditions, data concerning his or her social activities and any other information that may be used to directly or indirectly identify that person.
(f) Sensitive personal data
Personal data pertaining to an individual’s medical records, healthcare, genetics, sex life, physical examination and criminal records is categorised as ‘sensitive personal data’ and is subject to special protection.
(g) Consent
Pursuant to the PDPA, consent must be informed and express, with only one exception. This applies where, at the time the data is collected, the data subject is advised of the notification matters required under the PDPA and surrenders his or her data to the data controller without objection after being duly informed.
Turkey
Answer ... (a) Data processing
Any operation which is performed on personal data, wholly or partially by automated means or non-automated means, which forms part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorisation or restriction.
(b) Data processor
A natural or legal person that processes personal data on behalf of the data controller and with its authorisation.
(c) Data controller
A natural or legal person that determines the purposes and means of the data processing and is responsible for the establishment and management of the data filing system.
(d) Data subject
A natural person whose personal data is processed.
(e) Personal data
Any information relating to an identified or identifiable natural person.
(f) Sensitive personal data
Known as ‘special categories of personal data’ in Turkey: that is, personal data relating to an individual’s race, ethnic origin, political opinions, philosophical beliefs, religious or other beliefs, appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions or security measures; and biometric and genetic data.
(g) Consent
Consent in Turkey is ‘explicit’ when it is freely given, specific and informed consent.
UK
Answer ... (a) Data processing
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4(2) of the General Data Protection Regulation (GDPR)).
(b) Data processor
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) of the GDPR).
(c) Data controller
‘Controller’ means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law (Article 4(7) of the GDPR).
(d) Data subject
‘Data subject’ means an identifiable natural person.
(e) Personal data
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier – such as a name, an identification number, location data or an online identifier – or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1) of the GDPR).
(f) Sensitive personal data
Under the GDPR, special categories of data are subject to a higher threshold for protection. Article 9(1) of the GDPR defines ‘special category data’ as the following:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions;
- personal data revealing religious or philosophical beliefs;
- personal data revealing trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- data concerning health;
- data concerning a person’s sex life; and
- data concerning a person’s sexual orientation.
(g) Consent
The ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (Article 4(11) of the GDPR).
United States
Answer ... As the protections afforded by state statutes vary from one state to another, there is no uniform set of definitions across all states or all regulations. Under the California Consumer Privacy Act (CCPA), the most comprehensive state privacy law which has served as a model for other state privacy laws, the terms are defined as follows.
(a) Data processing
Under the CCPA, ‘processing’: Any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means.
(b) Data processor
Under the CCPA, a ‘service provider’: Any for-profit entity that processes personal information on behalf of a covered business.
(c) Data controller
Under the CCPA, a covered ‘business’: Any for-profit entity that:
- does business in California;
- collects (or has collected on its behalf) personal information of California residents and determines the purposes and means of the processing of that personal information; and
- meets certain thresholds of gross revenue or amount of personal information collected.
(d) Data subject
Under the CCPA, ‘consumer’: All California residents, even if they are temporarily outside of the state (eg, on vacation). This definition does not cover visitors to California.
(e) Personal data
Under the CCPA, ‘personal information’: Information that identifies, relates to, describes or is reasonably capable of being associated with a particular consumer or household, including (but not limited to):
- personal identifiers (eg, name, postal address, email address, online IP address, social security number);
- internet activity information; and
- employment, educational and commercial information.
(f) Sensitive personal data
The CCPA does not distinguish sensitive personal data from personal information. The protection of specific classes of sensitive personal information (eg, health data, financial data and data of children) is governed by sector-specific state and federal laws.
(g) Consent
‘Consent’ is not defined under the CCPA and requires further guidance from the attorney general.
Australia
Answer ... The application of the Privacy Act is triggered when an APP entity first ‘collects’ personal information, irrespective of how personal information is collected (or the purpose of the collection). ‘Collect’ means collect for inclusion in a record (whether a paper or electronic record) or a generally available publication (eg, a magazine or newspaper).
To be ‘de-identified’, information must be modified so that it no longer identifies a person or is reasonably likely to identify them. Additional protections may be required to prevent re-identification.
‘Disclosure’ is not defined in the Privacy Act. The OAIC interprets this in the OAIC Guidelines to mean providing access or visibility to an external person where the subsequent handling of the personal information is outside the discloser’s control.
To ‘hold’ means to possess or control a record (either physical or electronic) that contains personal information. ‘Control’ refers to the right or power to deal with the record.
‘Purpose’ limits the use and disclosure by an APP entity of personal information. An APP entity must disclose its ‘primary purpose’ – typically in its privacy policy or otherwise – at the time of collection. APP entities may also use and disclose personal information for ‘secondary purposes’. For example, if, notwithstanding that an individual was not informed of a purpose, he or she would reasonably expect the information to be used or disclosed for a particular purpose that is related (or for sensitive information, directly related) to the primary purpose, this will be a permitted secondary purpose.
India
Answer ... As per the Information Technology (Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 issued under the IT Act, a ‘cyber incident’ is any real or suspected adverse event in relation to cybersecurity that violates an explicitly or implicitly applicable security policy, resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for the processing or storage of information or unauthorised changes to data or information.
Liechtenstein
Luxembourg
Answer ... The terms are defined as in the EU General Data Protection Regulation. There are no other key relevant terms in our jurisdiction.
Pakistan
Answer ... Third party: Any person other than:
- a data subject;
- a relevant person in relation to a data subject;
- a data controller;
- a data processor; or
- a person authorised in writing by the data controller to process personal data under the direct control of the data controller.
Relevant person:
- In the case of a data subject who is below the age of 18, the parent or a guardian appointed by a court of competent jurisdiction;
- In the case of a data subject who is incapable of managing his or her own affairs, a person who is appointed by a court to manage those affairs; or
- A person authorised by the data subject to make a data access and/or data correction request.
Vital interests: Matters relating to the life, death or security of a data subject.
Portugal
Answer ... Other key terms, as defined by the General Data Protection Regulation, include the following:
- ‘Profiling: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person – in particular, to analyse or predict aspects concerning his or her performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
- ‘Recipient’: A natural or legal person, public authority, agency or another body to which personal data is disclosed, whether a third party or not; some exceptions apply.
- ‘Third party’: A natural or legal person, public authority, agency or body other than the data subject, controller, processor or persons under the direct authority of the controller or processor which is authorised to process personal data.
- ‘Personal data breach’: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- ‘Cross-border processing’: The processing of personal data which takes place in the context of the activities of establishments in more than one member state of a controller or processor in the European Union, where the controller or processor is established in more than one member state; or the processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the European Union, but which substantially affects or is likely to substantially affect data subjects in more than one member state.
Switzerland
Answer ... ‘Personality profile’: A collection of data that permits the assessment of essential characteristics of the personality of a natural person.
‘Data file’: Any set of personal data that is structured in such a way that the data is accessible by the data subject.
Taiwan
Answer ... The PDPA does not include the term ‘data controller’, referring only to ‘government agencies’ and ‘non-government agencies’. In this Q&A, unless otherwise specified, the term ‘data controller’ refers to ‘non-government agencies’ only.
Turkey
Answer ...
- Registry of Data Controllers Information System (VERBIS): The information system through which data controllers submit their applications and conduct other relevant actions in relation to the registry.
- Contact person: A natural person (Turkish citizen) who is designated at the time of registration with VERBIS by the data controller for the purpose of communicating with the Data Protection Authority.
-
Personal data processing inventory: An inventory created and maintained by the data controller on the personal data processing activities that it conducts, including information on:
-
- the purposes of the data processing;
- the data categories;
- the recipient groups;
- the groups of data subjects;
- the storage period;
- any transfers of personal data to foreign countries; and
- the precautions taken in respect of data security.
- Data controller representative: A legal entity which is based in Turkey or a natural person who is a Turkish citizen that is authorised to represent the foreign data controller in Turkey.
UK
Answer ... The GDPR also defines the following terms which form an important part of the UK data privacy regime:
- ‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- ‘Joint controller’ refers to two or more controllers that jointly determine the purposes and means of processing.
- ‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
- ‘Biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
- ‘Genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which gives unique information about the physiology or health of that natural person and which results, in particular, from an analysis of a biological sample from the natural person in question.
- ‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person – in particular, to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
United States
Answer ... Under the CCPA, consumers have the right to opt-out of the sale of their personal information. A ‘sale’ or ‘selling’ is broadly defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration”.
‘Aggregate consumer information’, ‘de-identified’, ‘probabilistic identifier’, ‘pseudonymise’ and ‘pseudonymisation’ are all defined terms under the CCPA, relating to the degree to which data can identify a person.
‘Biometric information’ is expansively defined in the CCPA as “an individuals’ physiological, biological or behavioural characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity”. Listed examples include:
- imagery of the iris, retina, fingerprint, face, hand, palm or vein patterns;
- voice recordings;
- keystroke patterns or rhythms;
- gait patterns or rhythms; and
- sleep, health or exercise data that contains identifying information.