Introduction to Data Protection Concepts
The core data protection concepts pre-date the GDPR: they were set by the 1995 Data Protection Directive and remain essentially unchanged in the GDPR, with only limited clarifying amendments. Technology keeps testing the flexibility of these definitions. Two flashpoints: whether and are personal data (now clarified - the definition expressly includes online identifiers), and where the boundary between controller and processor sits (left unchanged despite the debate). This chapter covers personal data, special-category data, controller, processor, processing and data subject.
Data protection law has existed for decades, yet some of its most fundamental concepts are still under debate, because technology and changing business models keep testing the limits of the definitions. Crucially, the concepts in the GDPR are essentially the same as those set by the 1995 Data Protection Directive - legislators chose to keep them and only added limited clarifications.
- The use of and to profile online behaviour triggered debate over whether they are personal data - now resolved, as the definition expressly includes online identifiers.
- The growth of outsourcing and more autonomous service providers blurred the controller/processor boundary - yet these definitions were left unchanged.
The GDPR did not reinvent these concepts. Older guidance, such as the Article 29 Working Party's Opinion 4/2007 on personal data, remains relevant because the building blocks did not change.