Article 4 GDPR (Definitions)

Understanding Article 4 of GDPR

Article 4 of GDPR lists the definitions of several key terms used throughout the regulation.

Here are the defined terms in GDPR along with a quick description for each:

Binding corporate rules (Article 4(20) GDPR)

Binding corporate rules are data protection policies for the transfer of personal data outside of Europe but within a group of undertakings or group of enterprises engaged in a joint economic activity.

Consider the scenario of a parent company’s relationship with its subsidiaries and affiliates, all of which are part of the same group of entities.

Biometric data (Article 4(14) GDPR)

Biometric data is any type of personal data derived from the physical, physiological or behavioural characteristics of a person allowing the unique identification of a person.

Examples are facial images or dactyloscopic data.

Consent (Article 4(11) GDPR)

The definition of consent under GDPR is very clear and specific.

Consent must be expressly given under GDPR. 

For consent to be expressly given, data subjects must give their consent freely, in a specific and informed way and in unambiguous terms.

Also, GDPR requires that consent be expressed through affirmative action or a statement clearly conveying the person’s consent.

Controller (Article 4(7) GDPR)

The following persons and entities can potentially be controllers under GDPR:

  1. A person
  2. A company
  3. A public authority, agency or body

When a person or entity determines the purpose and means of personal data processing, it is considered a data controller.

This role can be jointly held with others.

Cross-border processing (Article 4(23) GDPR)

You can have cross-border processing of personal data when:

  1. Personal data is processed in different establishments located in more than one European member country or they are established in more than one European country
  2. Data processing takes place for a single establishment of a controller or processor, potentially affecting data subjects in one or more European countries

Data concerning health (Article 4(15) GDPR)

Data concerning health relates to any personal data having to do with someone’s physical or mental health.

Enterprise (Article 4(18) GDPR)

An enterprise is a person or company engaged in an economic activity, regardless of its legal form or structure.

Filing system (Article 4(6) GDPR)

A filing system refers to the manner in which personal data is structured and made accessible based on a defined standard or criteria.

Genetic data (Article 4(13) GDPR)

Genetic data is a unique genetic characteristic about someone’s physiology or health resulting from an analysis of a biological sample.

Group of undertakings (Article 4(20) GDPR)

Group of undertakings means a controlling company including the companies under its control.

Information society services (Article 4(25) GDPR)

Refers to a service as defined in Article 1(1)(b) of Directive (EU) 2015/1535.

International organisation (Article 4(26) GDPR)

International organisation means an organisation governed by public international law.

Main establishment (Article 4(16) GDPR)

The main establishment for a data controller is the place of its head office or central administration.

If the controller has many establishments in Europe and the data processing activities happen at another establishment having the power to make decisions about the personal data processing, then that establishment can be considered the main establishment.

The main establishment for a data processor means the place of its head office or central administration.

If the processor does not have a central administration in Europe, then its main establishment will be where the main processing activities take place, to the extent the processor is subject to GDPR.

Personal data (Article 4(1) GDPR)

Personal data is defined broadly under GDPR.

It’s any information relating to an identified or identifiable person or data subject, allowing the person to be directly or indirectly identified.

GDPR includes some examples of what can be personal data and they include:

  1. Name
  2. Identification number
  3. Location data
  4. Online identifiers
  5. Physical factors
  6. Physiological factors
  7. Genetic factors
  8. Mental factors
  9. Economic factors
  10. Cultural factors
  11. Social identity 

Personal data breach (Article 4(12) GDPR)

Personal data breach is defined as any breach of security leading to the accidental or illegal destruction, loss or access to personal data.

Processing (Article 4(2) GDPR)

GDPR defines processing as any operation performed on personal data either automated or not.

GDPR gives some examples and they are:

  1. Collection
  2. Recording
  3. Organisation
  4. Structuring
  5. Storage
  6. Adaptation
  7. Alteration
  8. Retrieval
  9. Consultation
  10. Use
  11. Transmissions
  12. Dissemination
  13. Making available
  14. Alignment
  15. Combining
  16. Restrictions
  17. Erasure
  18. Destruction

Processor (Article 4(8) GDPR)

The processor is any person or company processing personal data for the data controller.

Profiling (Article 4(4) GDPR)

Profiling means automated processing of personal data allowing a person or company to analyse or predict aspects about the data subject.

The aspects can be:

  1. Work 
  2. Economic situation
  3. Health
  4. Personal preferences
  5. Personal interests
  6. Reliability 
  7. Behaviour
  8. Location
  9. Movements 

Pseudonymisation (Article 4(5) GDPR)

Pseudonymisation is a process to ensure personal data cannot be attributed to a specific person without the use of additional information kept separately and subject to technical and organizational measures.

Recipient (Article 4(9) GDPR)

A recipient is a person or company that receives personal data from a controller, processor or a third party.

Relevant and reasoned objection (Article 4(24) GDPR)

Relevant and reasoned objection means an objection raised against the draft decision as to whether or not there was an infringement of GDPR.

Representative (Article 4(17) GDPR)

A representative is a company or a person, designated in writing, representing the controller or processor.

Restriction of processing (Article 4(3) GDPR)

Restriction of processing is the manner in which personal data is stored to limit its processing in the future.

Supervisory authority (Article 4(21) GDPR)

The supervisory authority is an independent public authority established by each of the European countries.

Supervisory authority concerned (Article 4(22) GDPR)

The supervisory authority concerned is the one concerned with personal data processing when:

  1. The controller or processor is established in its territory
  2. Data subjects residing in its territory are substantially affected by the data processing
  3. A complaint has been lodged with it

Third party (Article 4(10) GDPR)

A third party is a person or company other than the data subject, the controller, the processor or the persons who, under their authority, are authorized to process personal data.

Recitals applicable to Article 4 of GDPR

Relevant Recitals: 15, 24, 26, 28, 29, 30, 31, 34, 35, 36, 37

Cited Legislation

Directive (EU) 2015/1535

Directive 2011/24/EU

GDPR Text: Article 4 of GDPR and relevant recitals

GDPR Text Source: EUR-Lex

Official GDPR Text: General Data Protection Regulation 

Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679)