Definitions from Data Protection (Bailiwick of Guernsey) Law, 2017

 


 

A

Anonymised

Personal data is manipulated or treated in such a manner that the controller is not capable of identifying the data subject.

 

Adequacy decision

A decision made by the European Commission that a relevant country, sector or international organisation ensures an adequate level of protection within the meaning of Article 45(2) of the GDPR.

 

Administrative fine

A fine ordered by the Data Protection Authority.

 

Authorised jurisdiction

  • The Bailiwick of Guernsey
  • A Member State of the European Union
  • Any country, any sector within a country, or any international organisation that the (European) Commission has determined ensures an adequate level of protection within the meaning of Article 45(2) of the GDPR and for which the determination is still in force.
  • A designated jurisdiction (by Ordinance)

B

Biometric data

Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual, which allows and confirms the unique identification of that individual, such as facial images or dactyloscopic (fingerprint) data.

C

Child

An individual under 18 years of age. (Specific guidance relating to processing of children’s data in some circumstances can be found here.)

 

Consent

Specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a clear statement or by clear affirmative action, signified agreement to the processing of personal data relating to the data subject.

 

Controller

A person (individual or legal) that, alone or jointly with others, determines the purposes and means of the processing of any personal data.

 

Criminal data

Personal data relating to the commission or alleged commission of a criminal offence by an individual or proceedings for a criminal offence committed or alleged to have been committed by an individual, the disposal of such proceedings or the sentence of a court in such proceedings.

D

Data Protection Impact Assessment

An assessment of the impact of proposed processing by the controller on the protection of personal data.

 

Data subject

An identified or identifiable individual to whom personal data relates.

Data subject rights

Means a right conferred on a data subject by or under Part III –

  • Right to information for personal data collected directly or indirectly from the data subject (sections 12 & 13)
  • Right to data portability (section 14)
  • Right of access (section 15)
  • Right to object to processing (sections 17, 18 & 19)
  • Right to rectification (section 20)
  • Right to erasure (section 21)
  • Right to restriction of processing (section 22)
  • Right to be notified (section 23)
  • Right not to be subject to automated decisions (section 24)

F

Filing system

Any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

 

G

Genetic data

Personal data relating to the inherited or acquired genetic characteristics of an individual which gives unique information about the physiology or the health of that individual, including as a result of an analysis of a biological sample from the individual.

H

Health data

Personal data relating to the health of an individual, including the provision of health care services, which reveals information about the individual’s health (physical or mental) status.

 

Health or social care purpose

Includes the purpose of preventative or occupational medicine, the assessment of the working capacity of an employee or worker, medical diagnosis, the provision of medical, health or social care or treatment, or the management of medical, health or social care systems and services.

 

High risk

Processing of personal data is deemed to be likely to pose a high risk to the significant interests of data subjects where it involves –

  • A systematic and extensive evaluation of personal aspects relating to data subjects based on automated processing, and decisions are based on the evaluation that affect the significant interests of the data subjects,
  • Large-scale processing of special category data,
  • Large-scale and systematic monitoring of a public place, or
  • Any other prescribed kind or description of processing.

 

High-risk processing

Any processing of personal data that is likely to pose a high risk to the significant interests of data subjects. This should be determined by considering the nature, scope, context and purpose of the processing as well as the technology, mechanism or procedure used to process the data in question.

Processing of personal data will be considered as posing a high risk where it involves –

  • a systematic and extensive evaluation of personal aspects relating to data subjects based on automated processing, and decisions are based on the evaluation that affect the significant interests of data subjects,
  • large-scale processing of special category data,
  • large-scale and systematic monitoring of a public place, or
  • any other prescribed kind or description of processing.

I

Identifiable individual

An individual is identifiable from any information where the individual can be directly or indirectly identified from the information, including –

  • by reference to a name or an identifier,
  • by reference to one or more factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity,
  • where, despite pseudonymisation, that information is capable of being attributed to that individual by the use of additional information, or
  • by any other means reasonably likely to be used, taking into account objective factors such as technological factors and the cost and amount of time required for identification in the light of the available technology at the time of processing.

 

Identifier

A number or code that is assigned to an individual by a controller or processor and that uniquely identifies that individual. It includes location data and a number or code issued to an individual by a public authority, but excludes an individual’s name.

O

One month

The Law requires controllers to comply with a request to exercise data subject rights within the designated period, which is specified as one month.

The Interpretation (Guernsey) Law, 1948 provides that one month shall mean a calendar month.

P

Personal data

Any information relating to an identified or identifiable individual.

 

An individual is identifiable from any information where the individual can be directly or indirectly identified from the information, including –

(a)  by reference to a name or an identifier,

(b)  by reference to one or more factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity,

(c)  where, despite pseudonymisation, that information is capable of being attributed to that individual by the use of additional information, or

(d)  by any other means reasonably likely to be used, taking into account objective factors such as technological factors and the cost and amount of time required for identification in the light of the available technology at the time of processing.

 

Personal data breach

A breach of security leading to accidental or unlawful destruction, loss, or alteration of, or unauthorised disclosure of, or access to personal data. Guidance explaining the mandatory breach reporting can be found here.

 

Processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.

 

Processor

An individual or other person that processes personal data on behalf of a controller and includes a secondary processor (another processor engaged by the primary processor).

 

Profiling

Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, including aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

 

Pseudonymisation

The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, where that additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable individual.

 

Public authority

The following are public authorities for the purposes of the Law:

(a)  the States,

(b)  a public committee,

(c)  a holder of a public office,

(d)  a statutory body,

(e)  a court or tribunal of the Bailiwick,

(f)  any person hearing or determining an appeal, or conducting a public inquiry, under any enactment,

(g)  the salaried police force of the Island of Guernsey or any police force which may be established by the States of Alderney or Chief Pleas of Sark,

(h)  a parish Douzaine of the Island of Guernsey or the Douzaine of the Island of Sark,

(i)   any person exercising or performing functions or holding any office similar or comparable to any of the persons described in paragraphs (a) to (h) in respect of any country other than the Bailiwick, or

(j)   any other person that exercises or performs any function that is of a public nature in respect of the Bailiwick or any other country.

S

Special category data

Personal data revealing an individual’s racial or ethnic origin, political opinion, religious or philosophical belief, trade union membership, genetic data, biometric data, health data, data concerning an individual’s sex life or orientation, or criminal data.