GDPR: Article 4 - Definitions

by avinash v


In accordance with this Regulation:

1.Personal Data

The term ‘personal data’ is defined in the GDPR as any information relating to an identifiable natural person. This broad definition includes a wide range of information, such as a person’s name, address, date of birth, gender, IP address, genetic data, biometric data, etc.

The GDPR applies to any company that processes or intends to process the personal data of individuals in the EU. This includes companies outside the EU that offer goods or services to individuals in the EU.

2.Processing

Under the GDPR, ‘processing’ refers to any operation or set of operations which is performed on personal data or sets of personal data. This could be anything from collecting, recording, storing, modifying, or deleting data.

The GDPR applies to any company that processes personal data of EU citizens, regardless of its location. If your company processes the personal data of EU citizens, then you need to comply with the GDPR.

3.Restriction of Processing

Under the General Data Protection Regulation (GDPR), there are certain conditions under which data controllers must stop processing personal data. This is known as the ‘restriction of processing’.

There are three situations in which the restriction of processing can be applied:

  1. If the data subject has objected to the processing of their data.
  2. If the data controller must delete the data (known as the ‘right to be forgotten’).
  3. If the data processing is unlawful.

The restriction of processing does not mean that the data must be deleted. It simply means that the data must not be processed any further.

4.Profiling

The GDPR defines profiling as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”

Profiling under the GDPR covers a wide range of activities. It is not limited to solely automated activities but also covers semi-automated activities, such as those involving human intervention.

Some common examples of profiling activities include targeted advertising, credit scoring, and fraud detection. Profiling can be used for both marketing and non-marketing purposes.

5.Pseudonymization

Under the GDPR, pseudonymization is the processing of personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

Pseudonymization is a key data protection measure under the GDPR. By pseudonymizing personal data, data controllers can reduce the risks to the data subjects’ rights and freedoms and better protect their personal data.

6.Controller

A ‘controller’ under the GDPR is any natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The GDPR applies the concept of ‘joint controllers’ to cases where two or more controllers jointly determine the purpose and means of the processing of personal data.

In determining whether two or more controllers are joint controllers, regard should be had to the contract between them, as well as to any other relevant factors such as the nature of the data processing operation, the specific context in which the data is processed and the relationship between the controllers.

7.Processor

Under GDPR, a processor is defined as a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

8.Recipient

The term “recipient” under the GDPR refers to the natural or legal person, public authority, agency, or any other body to whom the personal data is disclosed, whether a third party or not.

When personal data is transferred to a third country or an international organization, the GDPR requires that the data exporter ensures that the recipient has provided appropriate safeguards for data protection.

9.Third Party

Under the GDPR, a ‘third party’ is defined as any natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who are directly under the control of the controller or processor.

10.Consent

GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

11.Personal Data Breach

Under GDPR, personal data is defined as any information that can be used to identify an individual. This includes, but is not limited to, name, address, date of birth, and email address.

A personal data breach is any unauthorized access, use, disclosure, or destruction of personal data.

12.Genetic Data

Genetic data is defined as ‘information relating to the inherited or acquired characteristics of an individual’. This can include information about an individual’s DNA, RNA, or chromosomes. It also includes information about an individual’s genes, as well as any mutations or variations.

13.Biometric Data

The term “biometric data” under the GDPR refers to data relating to physical or behavioral characteristics that can be used to uniquely identify an individual. This data can be used for authentication or identification purposes. Examples of biometric data include fingerprints, DNA, iris scans, and facial recognition data.

14.Data Concerning Health

Health data is particularly sensitive, and so the GDPR provides stronger protections for this type of data. For example, health data can only be processed if it is necessary for the provision of healthcare or health-related services, or if it is required by law.

15.Main Establishment

The main establishment is the place where the day-to-day decisions on the data processing activities are taken. It is also the place where the contact point with the supervisory authority is located. In most cases, the main establishment will be the same as the registered office of the controller or the processor.

16.Representative

Under the GDPR, a representative is an individual or organization established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their obligations under this Regulation.

17.Enterprise

In the General Data Protection Regulation (GDPR), the term ‘enterprise’ refers to any economic entity that processes personal data. This includes sole proprietorships, partnerships, limited liability companies, corporations, not-for-profit organizations, and public authorities.

18.Group of Undertakings

Under the GDPR, a “group of undertakings” is defined as “a parent undertaking and its subsidiary undertakings”. This concept is important because it determines which organizations are subject to the GDPR’s provisions on joint controllers and processors.

19.Binding Corporate Rules

Binding corporate rules (BCRs) are a set of policies or procedures that allow for the transfer of personal data from the European Union (EU) to countries outside of the EU. To qualify as BCRs, the policies or procedures must be approved by the European Commission.

20.Supervisory Authority

The supervisory authority is responsible for monitoring the application of the GDPR in the member state in which it is established. It also has the power to investigate and take enforcement action against controllers and processors who are not in compliance with the GDPR.

21.Cross-Border Processing

The GDPR defines ‘cross-border’ as data transfers that occur between EU member states. This includes transfers from an EU-based company to a non-EU company, as well as transfers from a non-EU company to an EU-based company. Cross-border data transfers are subject to certain restrictions under the GDPR.

22.Relevant and Reasoned Objection

Under the General Data Protection Regulation (GDPR), individuals have the right to object to the processing of their personal data on grounds relating to their situation.

The right to object is not absolute and only applies in certain circumstances. To be successful, an objection must be both relevant and reasoned.

A relevant objection is one that relates to the specific data processing activity that the individual is objecting to. For example, an objection to the use of personal data for direct marketing purposes would be relevant, but an objection to the use of personal data in general would not.

A reasoned objection is one that is based on grounds that are specific to the individual’s particular situation. This could include, for example, that the data processing activity in question would have a negative impact on the individual’s right to privacy or that the personal data is being processed unlawfully.

23.Information Society Service

Information society service (ISS) is defined under Article 2(a) of Directive 98/34/EC as ‘any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services’.

Under Article 1(2) of the E-Commerce Directive, the term ‘information society service’ includes ‘any service within the field of information and communication, including audiovisual services, which is normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services’.

24.International Organization

The GDPR applies to international organizations with data processing activities in the EU, regardless of whether they are based inside or outside the EU. This means that, if you are an international organization with EU establishments, you must comply with the GDPR even if your headquarters are in a country outside the EU.

Suitable Recitals

(15) Technology Neutrality
(24) Applicable to Controllers/Processors Not Established in the Union if Data Subjects Within the Union are Profiled
(26) Not Applicable to Anonymous Data
(28) Introduction of Pseudonymization
(29) Pseudonymization at the Same Controller
(30) Online Identifiers for Profiling and Identification
(31) Not Applicable to Public Authorities in Connection with Their Official Tasks
(34) Genetic Data
(35) Health Data
(36) Determination of the Main Establishment
(37) Group of Undertakings
