DEFINITIONS

Personal data: ‘any information relating to an identified or identifiable natural person’. An ‘identifiable natural person’, or ‘data subject’, is ‘one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’ (Article 4(1) GDPR).

Data processing: ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’ (Article 4(2) GDPR).

Data minimisation: ‘personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’ (Article 5(1)(c) GDPR).

Profiling: ‘any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements’ (Article 4(4) GDPR).

Pseudonymisation: ‘the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person’ (Article 4(5) GDPR).

Anonymised data: ‘information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable’ (recital 26 GDPR).

Examples of privacy-intrusive techniques/technologies include: covert observation, surveillance, tracking or deception of individuals; the use of camera systems to monitor behaviour or record sensitive information; “data-mining” (including data collected from social media networks), “web-crawling” or “social network analysis”; the profiling of individuals or groups (particularly behavioural or psychological profiling); the use of “artificial intelligence” to analyse personal data; or the use of automated decision-making which has a significant impact on the data subjects.

Non-EU countries not recognised as providing an adequate level of protection: The European Commission has the power to determine, on the basis of Article 45 of Regulation (EU) 2016/679, whether a country outside the EU offers an adequate level of data protection. The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data. The list of the countries recognised as providing adequate protection is published at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

High ethics risks: see the Guidance Note on Ethics and Data Protection for examples.