FAQs

Providing data protection services for peace of mind

GDPR controller FAQs – Dunwell Data Protection

Who does GDPR apply to? Who is a GDPR controller? What is personal data? Here are our answers, based on more than 15 years of dealing with data management, compliance and protection:

What is GDPR?

GDPR stands for General Data Protection Regulation. In 2016 it replaced the Data Protection Act and is one of the biggest changes in UK data protection law for decades.

Find out more in our article GDPR – what is it? (https://dunwelldataprotection.co.uk/gdpr-what-is-it/)

Who does GDPR apply to?

Do you gather and use the personal data of UK citizens, such as customers, clients, suppliers or staff? Then GDPR applies to you. It applies to both “controllers” and “processors” of personal data.

Who is a GDPR controller?

A controller is someone who determines why and how personal data is used.

Who is a GDPR processor?

A processor is someone who acts on the controller’s behalf. GDPR sets out new requirements for processors and places specific legal obligations on them in relation to keeping records of personal data processing activities and data breach handling.

What information does GDPR apply to?

GDPR applies to the processing of personal data by fully automated, partially automated or manual means. Manual processing covers personal data held in a manual filing system, as well as personal data intended to form part of one.

What is personal data?

GDPR defines personal data as:

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

This definition is very broad. Unsure whether data is personal data or not? It’s better to be safe than sorry and assume it is personal data.

In-depth advice and tips

What is special category personal data?

Special category personal data is personal data that needs more protection because it is sensitive. GDPR defines special category personal data as:

  • personal data revealing racial or ethnic origin
  • personal data revealing political opinions
  • personal data revealing religious or philosophical beliefs
  • personal data revealing trade union membership
  • genetic data
  • biometric data when used for identification purposes
  • data concerning health
  • data concerning a person’s sex life
  • data concerning a person’s sexual orientation

Find out more in our What is special category personal data? article.

What is the lawful basis for processing personal data?

Before you begin to process someone’s personal data, you must first identify a lawful basis that allows you to undertake the processing, and then document it. If you don’t have a lawful basis, under GDPR the processing is unlawful.

There are six lawful bases you can rely on:

  1. Consent – the individual has given you their consent to process their personal data.
  2. Contract – the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  3. Legal obligation – the processing is necessary for you to comply with the law. This doesn’t include contractual obligations.
  4. Vital interests – the processing is necessary to protect someone’s life.
  5. Public task – the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. Legitimate interests – the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. This cannot apply if you are a public authority processing data to perform your official tasks.

You need to include the lawful basis and purpose of processing in your privacy notice.

Why do I need a privacy notice?

Having a privacy notice fulfils your transparency obligations under GDPR. It also provides an individual with all the information they are entitled to under their right to be informed.

We delve deeper into this in our Privacy Notice – Part 1 article.

Do your prices include VAT?

Yes, our prices include VAT.

Do you offer any free advice or tips?

Yes, we have written many blogs with practical tips and advice. Popular ones include An introduction to email direct marketing and Understanding GDPR & PECR terminology.

How can we get in contact?

Either email us at info@dunwelldataprotection.co.uk or call 07534 258800. We may be in a client meeting, but will reply as soon as possible.