Child pages
  • Consent White papers and other backgrounders

Consent   “Actors":


consumer / data subject / person     (GDPR)

  • child   /   parent
  • EU citizen
  • data subject ( GDPR:   Data Subject   - a natural person whose personal data is processed by a controller or processor )

data controller (GDPR) -    


" Art.4(7)

"Controller" means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by EU or Member State laws, the controller (or the criteria for nominating the controller) may be designated by those laws.”


  • with / without (direct relationship with consumer)
  • EU / non-EU
  • PISP -   payment initiation Service providers   (PSD2)
  • AISP -   Account Information Service Providers   (PSD2)
  • ASPSP -   Account Servicing Payment Service Provider   (PSD2)


data processor (GDPR)



"Processor" means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.



" A data protection officer (DPO) is a position within a corporation that acts as an independent advocate for the proper care and use of customer’s information. The role of a data protection officer was formally laid out by the European Union as part of its   General Data Protection Regulation   (GDPR). Under the regulation, all businesses that market goods or services to customers within the European Union and collect data as a result must appoint a data protection officer. The data protection officer keeps up on laws and practices around data protection, conducts privacy assessments internally, and ensures that all other matters of compliance pertaining to data are up-to-date. Although the EU legislation is prompting the creation of data protection officer roles, other nations are looking at data privacy issues and may require similar roles through updated regulations.


Read more:   Data Protection Officer (DPO) Definition | Investopedia  


Data Protection Authority   -  

national authorities tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the Union


Recipient   - entity to which the personal data are disclosed (GDPR)


Representative   - any person in the Union explicitly designated by the controller to be addressed by the supervisory authorities (GDPR)


Auditor (GDPR ?)


national supervisory authority (GDPR)   Supervisory Authority   - a public authority which is established by a member state in accordance with article 46 (GDPR)


Other definitions:



GDPR - Rec.32; Art.4(11)

"The consent of the data subject" means any freely given, specific, informed   and unambiguous indication of his or her wishes by which the data subject,   either by a statement or by a clear affirmative action , signifies agreement to personal data relating to them being processed.”


data breach

GDPR - Art.4(12)

"Data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.


Data concerning health

GDPR - Rec. 35, 53-54; Art.4(15)

"Data concerning health" means   personal data relating to the physical or mental health of an individual, including the provision of health care services, which reveal information about his or her health status . It expressly covers both physical and mental health.



GDPR - Art.4(2)

"Processing" means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


Anonymous data

GDPR - Rec.26

The GDPR does not apply to data that are rendered anonymous in such a way that individuals cannot be identified from the data.


Pseudonymous data

GDPR - Rec.26, 28-29, 75, 78, 156; Art.4(5), 6(4)(e), 25(1), 32(1)(a), 40(2)(d), 89(1)

Pseudonymous data are still treated as personal data because they enable the identification of individuals (albeit via a key). However, provided that the "key" that enables re identification of individuals is kept separate and secure, the risks associated with pseudonymous data are likely to be lower, and so the levels of protection required for those data are likely to be lower .


Personal data

GDPR -   Rec.26; Art.4(1)

"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to   an identifier such as a name, an identification number,   location data , online identifier or to one or more factors specific to the physical, physiological,   genetic , mental, economic, cultural or social identity of that person.


Sensitive personal data

GDPR - Rec.10, 34, 35, 51; Art.9(1)

"Sensitive Personal Data" are personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation;   genetic data or biometric data . Data relating to criminal offences and convictions are addressed separately (as criminal law lies outside the EU's legislative competence).


Data related to criminal offences

GDPR - Rec. 19, 50, 73, 80, 91, 97; Art.10

Data relating to criminal offences and convictions may only be processed by national authorities. National law may provide derogations, subject to suitable safeguards. A comprehensive register of criminal offences may only be kept by the responsible national authority.