Data Protection in Albania

Definitions

Change countries

Change country

Data protection laws in Albania

On 19 December 2024, the Parliament of the Republic of Albania passed Law No. 124/2024, titled “On Personal Data Protection” (the “Data Protection Law”) (Official Gazette of the Republic of Albania No. 9, dated 17 January 2025). This legislation aims to align Albania’s legal framework with the European Union’s standards, particularly by incorporating Regulation (EU) 2016/679 (the General Data Protection Regulation, or GDPR) and Directive (EU) 2016/680, both of which address the protection of personal data in various contexts, including criminal law enforcement.

The adoption of this law marks the culmination of an extensive process, with the Office of the Information and Data Protection Commissioner pursuing the alignment of Albanian data protection laws with the GDPR since 2018.

The Data Protection Law establishes the rules for safeguarding individuals’ personal data and aims to protect fundamental human rights and freedoms, particularly the right to personal data protection.

Scope

The Data Protection Law applies when personal data are processed in whole or in part by automatic means, as well as to the processing of personal data which are part of a filing system or are intended to become part of a filing system where the processing is not carried out by automatic means; however, the law does not cover data processing by natural persons for purely personal or family purposes (Article 3).

Territorial Scope

The Data Protection Law shall apply:

in the framework of the activities of a controller or processor established in the Republic of Albania, regardless of whether the processing takes place in the Republic of Albania or not;
of data subjects, who are located in the Republic of Albania, by a controller who is not established in the Republic of Albania, but the processing operations relate to:

1. the offering of goods or services, whether for payment or not, to data subjects in the Republic of Albania; or
2. the monitoring the behaviour of data subjects, as long as such behaviour takes place in the Republic of Albania;

by a controller or processor, who is not established in the Republic of Albania, but in a territory where Albanian law applies on the basis of public international law (Article 4).

Related resources

Definitions

Definitions in Albania

Definition of Personal Data

Data Protection Law defines personal data as any information relating to a data subject (Article 5(3)).

A “data subject” refers to any identified or identifiable natural person. A person is identifiable if he or she can be identified, directly or indirectly, by reference to one or more specific identifiers, such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity (Article 5(23)).

Definition of Sensitive Personal Data

Data Protection Law defines sensitive data as special categories of personal data that reveal racial or ethnic origin, political opinions, religious beliefs or philosophical views, trade union membership, genetic data, biometric data, data concerning a person’s health, life or sexual orientation (Article 5(28)).

“Genetic data” means personal data relating to the inherited or acquired genetic characteristics of a person which provide unique information concerning his or her physiology or health and which are obtained, in particular, because of the analysis of a biological sample taken from that person (Article 5(25)).

“Biometric data” means personal data resulting from specific technical processing of the physical, physiological or behavioural characteristics of a person which enable or confirm the unique identification of that person, such as facial images or fingerprints (Article 5(24)).

“Data concerning health” means personal data relating to the physical or mental health of a person, including the provision of healthcare services, which indicates information relating to his or her state of health (Article 5(26)).

Authority

National data protection authority in Albania

The Commissioner for the Right to Information and Personal Data Protection (the “Commissioner”) is the Albanian authority in charge of overseeing and ensuring the implementation of the applicable legislation on data protection, with the primary goal of protecting the fundamental rights and freedoms of individuals in relation to the processing of personal data. The Commissioner is an independent authority, elected by a majority of the Parliament members, based on a proposal from the Council of Ministers, for a seven-year term, with the possibility of re-election.

In carrying out their duties and exercising their powers under the Data Protection Law, the Commissioner operates independently, free from any direct or indirect influence, and does not seek or accept instructions. During the Commissioner’s term, they are prohibited from engaging in any activities or professions that may conflict with their duties, whether paid or unpaid.

The Commissioner is supported by the Office of the Commissioner, which is provided with the necessary human, technical, financial, and infrastructural resources to effectively perform its functions. The staff operates under the exclusive direction of the Commissioner and reports to them regularly. To fulfil the mission and objectives of the office, the Commissioner may also consult with external advisors on specific matters. The Commissioner has the authority to approve the organizational structure of the Office of the Commissioner.

The Commissioner is seated at:

Rr. “Abdi Toptani”, Nd. 5
Postal Code 1001
Tirana
Albania

Registration

Registration in Albania

A data controller or processor must notify the Commissioner of the contact details of the Data Protection Officer.

If a data controller or processor is not established in the Republic of Albania but engages in processing activities related to data subjects in Albania, the controller or processor must appoint a representative and notify the Commissioner. This notification must include the identity of the representative appointed in the Republic of Albania. The notification must be provided in writing (Article 25).

This requirement applies when processing involves:

the offering of goods or services, whether for payment or not, to data subjects in the Republic of Albania; or
the monitoring of the behaviour of data subjects, as long as such behaviour takes place in the Republic of Albania.

This requirement shall not apply:

to processing, which is incidental, does not involve the processing of sensitive data or criminal data on a large scale and is not likely to result in a risk to the fundamental rights and freedoms of natural persons, taking into account the nature, context, object and purposes of the processing; or
to public authorities.

Data protection officers

Data protection officers in Albania

Obligation to designate a Data Protection Officer (“DPO”) (Article 33)

The controller and the processor must designate a DPO if:

The processing is carried out by a public authority or body, excluding courts, in the course of judicial activities;
The core activities of the controller or processor involve processing operations that, due to their nature, scope, or purpose, require regular and systematic monitoring of data subjects on a large scale;
The core activities of the controller or processor involve processing sensitive data or criminal data on a large scale.

A group of companies may appoint a single DPO, who should be easily accessible to each member of the group. In the case of a public authority, one DPO may be designated to cover multiple authorities, considering their organizational structure and size.

In situations not covered by the first paragraph above, the controller, processor, associations, or other bodies representing a category of controllers or processors may, or in some cases must, designate a DPO, as required by law.

Duties and position of the DPO (Article 34)

The DPO has the following duties:

Provides advice, upon request, to the management bodies of the controller or processor on all matters related to data protection;
Participates in data protection impact assessments;
Informs and advises the staff of the controller or processor on data protection, including raising awareness and training staff involved in processing operations;
Monitors compliance with the Data Protection Law, other applicable data protection provisions, and the policies of the controller or processor, including the assignment of responsibilities, awareness-raising, staff training, and relevant audits;
Cooperates with and serves as a point of contact for the Commissioner;
Gives due attention to the risks of infringing fundamental rights and freedoms that may arise from personal data processing, considering the nature, context, circumstances, and purposes of the processing.

The DPO must be appointed based on certified professional qualifications, particularly with sound knowledge of data protection law and practices, and the ability to perform the tasks outlined in the paragraph above.

The DPO may be an employee of the controller or processor, or someone under a service contract. The DPO may hold other responsibilities, but the controller or processor must ensure these duties do not conflict with the role of the DPO.

The controller and processor must ensure the DPO is involved in a timely manner in all matters related to data protection and has the necessary resources to carry out their duties. The DPO must also maintain confidentiality regarding their duties.

The controller and processor must ensure the DPO is not given instructions regarding the performance of their duties and cannot be dismissed or penalized for carrying out their responsibilities. The DPO reports directly to the highest level of management of the controller or processor.

Collection and processing

Collection and processing in Albania

The Data Protection Law provides the following definitions:

A “controller” means the natural or legal person and any public authority which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 5(8)).

A “processor” means the natural or legal person and any public authority which processes personal data on behalf of the controller (Article 5(18)).

Principles for the lawful processing of personal data (Article 6)

Personal data shall be:

processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”);
adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);
accurate and where necessary kept up to date (the “accuracy principle”);
kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”); and
processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”).

Lawfulness of processing of personal data (Article 7)

Processing shall be lawful only if and to the extent that at least one of the following applies:

the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
processing is necessary for compliance with a legal obligation to which the controller is subject;
processing is necessary in order to protect the vital interests of the data subject or of another natural person;
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Lawfulness of processing of sensitive data (Article 9)

Processing of sensitive data is prohibited.

The processing of sensitive data is permitted if appropriate measures are implemented to protect the fundamental rights and interests of data subjects and only in cases where:

the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where the applicable legislation provides that the prohibition on processing sensitive data cannot be waived by consent from the data subject;
processing is necessary for the fulfilment of a specific obligation or right of the controller or of the data subject in the field of employment, social security and social protection, including obligations and rights arising from a collective agreement, in accordance with the applicable legislation in these areas, provided that the fundamental rights and interests of the data subject are guaranteed;
processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is incapable of giving consent due to his / her health condition or when his / her right to act has been removed or restricted;
processing is carried out in the course of the lawful activity of a not-for-profit political, philosophical, religious or trade union organization, provided that the processing relates only to members or former members of the organization or to persons who have regular contact with it in the context of its activity, and that the personal data are not disseminated outside the organization without the consent of the data subjects;
processing relates to personal data which are manifestly made public by the data subject and the processing is necessary for the pursuit of a legitimate interest;
processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
procesecessary for archiving purposes in the public interest, for historical, research, scientific or statistical purposes, subject to legal provisions.

Lawfulness of processing of data related to criminal offences and convictions (Article 10)

Processing of personal data relating to criminal convictions and offences or security measures related thereto is carried out only under the control of competent authority or when the processing is authorised by law providing for appropriate safeguards for the rights and freedoms of data subjects. The judicial status register is maintained under the control and supervision of the Ministry of Justice, in accordance with the legislation in force.

Processing of data for specific purposes:

Processing of personal data and freedom of expression (Article 43)

To balance data protection with freedom of expression and information, exceptions to the Data Protection Law can be applied for journalistic, academic, artistic, and literary purposes, provided:

The data is necessary for preparing journalistic, academic, literary or artistic materials for publication;
The data is only used for the specified purpose;
The publication serves the public interest;
Applying the Data Protection Law would hinder the purpose;
The processing does not harm the fundamental rights of data subjects.

If these exceptions are applied, personal data should only be retained for as long as needed for the publication and can be shared with those involved in its creation, other potential publishers, or for legal purposes.

Additionally, when publishing, the controller must ensure minors, crime victims, or individuals claiming harm are not identifiable without consent or court approval, except when the victim is a public figure related to their role

Exceptions do not apply to processing data about minors or certain other legal provisions.

Processing of personal data and access to information in the public sector (Article 44)

The right to personal data protection is balanced with the right of access to official documents and information, as outlined in the applicable legislation. Public access to information, is not restricted by personal data protection laws for public authorities or individuals exercising state functions, unless other fundamental rights (such as the right to life or physical integrity) require specific protection of their data.

Processing of personal data for archiving, research, and statistical purposes (Article 45)

The processing of personal data, including sensitive and criminal data, for archiving in the public interest, or for historical, research, scientific, or statistical purposes, is considered a legitimate interest of the controller, unless the data subject’s interests or fundamental rights and freedoms, which require protection of their personal data, take precedence.

Personal data collected for any purpose may be further processed for archiving purposes, historical research, or scientific and statistical purposes.

This processing must be carried out with appropriate safeguards to protect the rights and freedoms of the data subject. These safeguards include, but are not limited to:

Technical and organizational measures taken by the controller in compliance with Data Protection Law, especially principles of data minimization or pseudonymization, to achieve the processing purpose. If the purpose can be achieved by processing anonymized or pseudonymized data, that method should be used;
Pseudonymization of data, and where possible, anonymization before transferring data for further processing;
Specific safeguards to ensure that data is not used for decisions or actions concerning the data subject, unless the data subject has expressly given consent.

Exemptions from certain data subject rights may apply if exercising those rights would significantly hinder or prevent the achievement of the processing purpose. The controller bears the burden of proving that the exercise of these rights would cause such an obstacle to the purpose.

Processing of personal data and direct marketing (Article 46)

See Electronic marketing.

Related resources

Transfer

Transfer in Albania

General principles (Article 39)

Personal data that is being processed or will be processed after transfer may only be transferred to a foreign country or international organization or further transferred from one foreign country or international organization to another, if adequate protection for the data is guaranteed at the destination, or if specific safeguards are in place specifically for such transfer.

Transfers required by foreign court or administrative authority decisions will only be recognized or enforced if they are based on an international agreement, such as a mutual legal assistance treaty, in effect between the requesting third country and Albania, and without violating the other transfer criteria outlined in the Data Protection Law.

Transfer of data based on an adequacy decision (Article 40)

Personal data may be transferred to foreign countries or international organizations if the recipient is located in a country, territory, or sector within a foreign country, or belongs to an international organization that ensures an adequate level of data protection. The adequacy of the data protection level for a country, territory, sector, or international organization is determined by a decision of the Commissioner.

Pursuant to the Decision of the Commissioner No. 8, dated 31 October 2016 the following states have an adequate level of data protection:

European Union member states;
European Economic Area states;
Parties to the Convention No. 108 of the Council of Europe “For the Protection of Individuals with regard to Automatic Processing of Personal Data”, as well as its 1981 Protocol, which have approved a special law and set up a supervisory authority that operates in complete independence, providing appropriate legal mechanisms, including handling complaints, investigating and ensuring the transparency of personal data processing;
States where personal data may be transferred, pursuant to a decision of the European Commission.

Transfer of data in the absence of an adequacy decision (Article 41)

In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country or international organization only if appropriate safeguards are in place, and if enforceable data subject rights and effective legal remedies are available for the data subjects.

If appropriate safeguards are not in place, the transfer may only occur if one of the following conditions is met:

the data subject has explicitly consented to the proposed international transfer, after having been clearly informed of the possible risks of such transfer;
the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request, or the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party;
the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically incapable of giving consent, or their right to act has been removed or restricted;
the transfer is necessary for important reasons of public interest;
the processing is necessary for the establishment, exercise or defence of a right, obligation or legitimate interest before a court or public authority;
the transfer is made from a register that is open for consultation by law and provides information to the general public, provided that the transfer includes only certain information and not entire sections of the register.

Where a transfer could not be based on any of the above, a transfer may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the Commissioner and the data subject of the transfer and on the compelling legitimate interests pursued.

Related resources

Security

Security in Albania

General responsibility of the controller (Article 22)

The Data Protection Law requires controllers to implement appropriate technical and organizational measures, based on the nature, scope, context, and purposes of the processing, as well as the potential risks to individuals’ rights and freedoms. These measures must be regularly reviewed and updated as necessary.

Data protection by design and by default (Article 23)

Controllers should consider technological developments, implementation costs, and the specific circumstances of the processing when determining safeguards, such as pseudonymization, to protect data subjects’ rights.

Controllers must ensure that, in a predetermined manner, only the personal data necessary for each specific purpose is processed, including limiting the data collected, its accessibility, and storage period. Security measures must prevent unauthorized access to personal data and maintain the confidentiality, integrity, availability, and resilience of processing systems and services.

Measures to ensure the security of processing (Article 28)

The controller and the processor implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia, where applicable:

Pseudonymization and encryption of personal data;
The ability to ensure the confidentiality, integrity, availability, and resilience of the processing systems and services;
The ability to restore the availability and access to personal data within a reasonable time in the event of a physical or technical incident;
A process for regularly testing, reviewing, and assessing the effectiveness of the technical and organizational measures to ensure the security of the processing.

The level of security shall be in compliance with the nature of personal data processing. The Commissioner has established additional rules for personal data security by means of Decision No. 6, dated 05 August 2013 “On the Determination of Detailed Rules for the Security of Personal Data”.

Related resources

Breach notification

Breach notification in Albania

Controller’s notification to the Commissioner (Article 29)

In the event of a personal data breach, the controller must notify the Commissioner as soon as possible, and no later than 72 hours after becoming aware of the breach. Notification is not required if the breach is unlikely to result in a risk to the rights and freedoms of data subjects. If the notification is not made within the 72-hour timeframe, the controller must provide an explanation for the delay.

The notification to the Commissioner must include, at a minimum:

A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, as well as the categories and approximate number of personal data records involved;
The name and contact details of the DPO or another relevant contact point;
A description of the likely consequences of the personal data breach;
A description of the measures taken or proposed to address the breach, including, where applicable, measures to mitigate its potential adverse effects.

If all of the required information is not available at once, it may be provided in stages, as soon as possible.

The controller must document all personal data breaches, including the details, impact, and corrective actions taken, to enable the Commissioner to verify compliance. The Commissioner shall respond to the notification in line with their authority. The Commissioner may also instruct the controller to notify the affected data subjects of the personal data breach if the breach is likely to pose a high risk to their rights and freedoms, and if the controller has not already done so, as outlined in the section below.

Controller’s notification to the data subjects (Article 29)

The controller must inform data subjects if the risks to their rights and freedoms resulting from the data breach are likely to be high, by providing the information as outlined in the notification to the Commissioner above. However, notification to data subjects is not required in the following cases:

The controller has implemented appropriate technical and organizational protective measures, such as encryption, which were applied to the personal data affected by the breach;
The controller has taken additional steps to reduce the risk of harm to the rights and freedoms of data subjects;
The controller publishes the notice or takes other similar actions to notify data subjects of the breach in a uniform and effective manner, where notifying each individual data subject would impose a disproportionate burden on the controller.

Processor’s notification to the controller (Article 29)

The processor shall notify the controller immediately after becoming aware of any personal data breach.

Related resources

Enforcement

Enforcement in Albania

The Commissioner is the competent authority for the supervision and enforcement of Data Protection Law. The Commissioner is responsible, inter alia, for:

Ensuring that data subjects can exercise their rights, including providing them with information and advice on these rights;
Investigating the compliance of personal data processing activities with the Data Protection Law, either proactively or in response to a complaint;
Reviewing complaints filed by individuals or non-profit entities, organizations, or associations representing individuals, in cases of alleged violations of the Data Protection Law;
Evaluating the responses provided by competent authorities to data subjects’ requests regarding their rights of access, rectification, or erasure;
Imposing administrative sanctions and penalties, and overseeing their enforcement.

Administrative offenses related to the processing of personal data may result in a fine of up to ALL 2,000,000,000 (approximately EUR 20,300,000), or, in the case of a company, up to 4% of its total annual global turnover from the previous financial year, whichever amount is greater.

The Commissioner shall issue a directive outlining the rules regarding the imposition of administrative sanctions, which will be based on the guidelines established by the European Data Protection Board.

The sanctioned subject may appeal the fine in court within the deadlines and according to the procedures that regulate the administrative trials.

Electronic marketing

Electronic marketing in Albania

Electronic and direct marketing under the Data Protection Law

The Data Protection Law does not explicitly refer to electronic marketing; nevertheless, it will apply to most electronic marketing activities since they typically involve personal data, like an email address that includes the recipient’s name.

Personal data may be processed for direct marketing purposes as a means of communicating with identifiable individuals to promote goods or services. This includes advertising membership in organizations, soliciting donations, and any direct marketing activities, which also cover any preparatory actions taken by the advertiser or a third party to facilitate such communication (Article 46(1)).

The most common legal grounds for the processing of data for direct marketing are:

The legitimate interests of the controller

Processing for direct marketing purposes, whether carried out by the controller or by third parties, may be based on legitimate interests, provided that the interests of the protection of data subjects are not overridden. This also applies to the use of data obtained from publicly accessible sources for direct marketing purposes.

The consent of the data subject

When relying on consent, it is essential to adhere to the requirements set by Data Protection Law. Notably, when personal data is processed for direct marketing purposes, the data subject has the right to object at any time, without needing to provide a reason, to the processing of their personal data for such purposes, including profiling insofar as it relates to them (Article 19(2) and Article 46(4)).

Furthermore, the controller must be able to demonstrate that the data subject has given consent for the processing of their personal data. If consent is provided in the context of a written statement that includes other matters, the request for consent must be clearly distinguishable from the other information. It should be presented in an intelligible and easily accessible format, using clear and plain language (Article 8(2)). In the context of direct marketing, marketing consent forms should include clear opt-in mechanisms, such as checking an unchecked consent box or signing a statement, rather than just accepting terms and conditions or assuming consent based on actions like visiting a website.

The processing of a minor’s personal data based on consent, in the context of online goods or services directly offered to them, is lawful only if the minor is at least 16 years old. If the minor is under 16, the processing is lawful only if consent is given or authorised by the minor’s parent or legal guardian, and only to the extent that it is given or authorised by them (Article 8(6)).

The processing of sensitive data for direct marketing purposes is carried out with the explicit consent of the data subject (Article 46(3)).

The Commissioner has issued an Instruction no. 06, dated 28 May 2010 “On the correct use of SMSs for promotional purposes, advertising, information, direct sales, via mobile phone”. This instruction emphasizes the importance of the prior consent given by the data subject.

Electronic and direct marketing under the Electronic Communications Law

According to Law 54/2024 “On electronic communications in the Republic of Albania” (“Electronic Communications Law”), natural or legal persons who possess the email addresses of their customers for their products or services may use these addresses for direct marketing of similar products or services only if they have obtained the explicit consent of the customers to be contacted for marketing purposes. Additionally, they are required to provide customers with a simple and free way to opt out of the use of their email address for marketing purposes at any time. It is also prohibited to send SMS or email messages for direct marketing purposes if the sender’s identity is concealed or if a valid address is not provided, through which the recipient can request the cessation of such communications (Article 165 “Unsolicited communications”).

Online privacy

Online privacy in Albania

Online privacy under the Data Protection Law

The Data Protection Law does not include specific regulations for cookies or location data. However, location data and online identifiers (which include cookies) are considered identifying factors for data subjects. As such, the general data protection provisions outlined in the Data Protection Law also apply to online privacy.

Apart from the general data protection principles applied mutatis mutandis, the Data Protection Law contains few specific provisions regarding online privacy. These include:

Right to rectification and erasure (Article 15(2)(dh))

The data subject has the right to request the erasure of personal data relating to them from the controller. The controller is required to erase the personal data as soon as possible, and in any case, no later than 30 days from the receipt of the request, if the data was collected in the context of online provision of goods or services.

The right to be forgotten (Article 16)

When the controller has made personal data public and is required to erase it, they must take reasonable steps, including technical measures, to notify other controllers processing those data that the data subject has requested the removal of any link, copy, or reproduction of the personal data, considering the applicable technology and implementation costs. Additionally, at the data subject’s request, operators of internet search engines must remove outdated information from search results based on the data subject’s name if that information, although no longer current, significantly harms the data subject’s reputation.

In order to provide some clarifications on the notion of cookies and their use, the Commissioner has defined the cookies in an online dictionary as some data stored on the computer, which contain specific information. This rudimentary definition is further complemented by a short explanation which states that cookies allow any server to know what pages have been visited recently, just by reading them.

The Commissioner has also released an opinion (which is somewhat outdated and non-binding for data controllers) regarding the protection of personal data on the websites of both public and private entities. In this opinion, the Commissioner highlights the obligations of data controllers under the Data Protection Law, as well as the rights of data subjects, which must also be observed in the context of online personal data collection:

The right to be fully informed and to give their approval if a website (or an application) processes their data;
The right to keep their online communications secret (including email, the computer’s IP or modem No.);
The right to be notified if their personal data are compromised (data has been lost or stolen, or if their online privacy is likely to be negatively affected);
The right to request that their personal data to be excluded from data processing for direct marketing if they have not given their consent.

Additionally, in this opinion, the Commissioner stresses the importance of public and private controllers drafting and publishing privacy policies on their websites, including, among other things:

The identity of the controller;
The information collected from the users, specifying the category of personal data;
Specific policies regarding cookies and other technologies that allow data controllers to gather information on the users that use the website and to notify the latter about their use.

Online privacy under the Electronic Communications Law

The Electronic Communications Law defines “location data” as any data processed in an electronic communications network, indicating the geographical position of the terminal equipment of a user of the electronic communications network.

Location data may only be processed when they are made anonymous or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service.

The service provider must inform the users or subscribers, prior to obtaining their consent, of the type of location data which will be processed, of the purposes and duration of the processing and whether the data will be transmitted to a third party for the purpose of providing the value added service.

Users or subscribers shall be given the possibility to withdraw their consent for the processing of location data other than traffic data at any time. Users or subscribers must continue to have the possibility, using a simple means and free of charge, of temporarily refusing the processing of such data for each connection to the network or for each transmission of a communication.

Processing of location data must be restricted to persons acting under the authority of the provider of the public communications network or publicly available communications service or of the third party providing the value added service, and must be restricted to what is necessary for the purposes of providing the value added service (Article 163 of the Electronic Communications Law).

Related resources

Key contacts

Data protection lawyers in Albania

Flonia Tashko

Partner

Tashko Pustina

Tirana

Email Full bio

Alban Shanaj

Partner

Tashko Pustina

Tirana

Definition of Personal Data

Data Protection Law defines personal data as any information relating to a data subject (Article 5(3)).

Definition of Sensitive Personal Data

Last modified 28 January 2025

Definition of personal data

Any information, regardless of the medium, relating to an identified or identifiable person, hereinafter referred to as "data subject", directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, genetic, biometric, mental, economic, cultural or social identity.

Definition of sensitive personal data

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of the data subject or relating to health, including genetic data.

Last modified 20 January 2025

Definition of personal data

The Data Protection Law defines personal data as any given information, regardless of its nature, including images and sounds related to a specific or identifiable individual.

An identifiable person is an individual directly or indirectly identified, notably, by reference to his or her identification number or to the combination of specific elements of his or her physical, physiological, mental, economic, cultural or social identity.

Definition of sensitive personal data

The Data Protection Law defines sensitive personal data as personal data related to:

Philosophical or political beliefs
Political affiliations or trade union membership
Religion
Private life
Racial or ethnic origin
Health or sex life (including genetic data)

Last modified 30 December 2021

Definition of personal data

Personal data is defined as information of any type referred to individuals or legal entities, determined or which may be determined.

Definition of sensitive personal data

Sensitive data includes personal data which reveal racial or ethnic origin, political opinions, religious, philosophical or moral convictions, trade union affiliation and information related to health and sexual activities.

Last modified 28 January 2025

Personal Data is defined as any information related to an individual that allows or may allow directly or indirectly identifying a person.

Definition of sensitive personal data

Special Category is defined as any information related to a person's։

race;
nationality or ethnicity;
political views;
religious or philosophical beliefs;
membership in a professional union;
health status; and
sexual life.

Definition of personal life data

Data on personal life is defined as any information on a person’s:

personal life;
family life;
the physical, physiological, mental, or social condition of a person; or
other similar information.

Definition of biometric personal data

Biometric personal data is defined as any information characterizing person’s

the physical characteristics;
physiological characteristics; and / or
biological characteristics of a person.

Definition of publicly available personal data

Publicly available personal data shall mean information, which, by the data subject's consent or by conscious operations aimed at making his or her personal data publicly available, becomes publicly available for a certain scope of persons or the public at large, as well as information, which is provided for by law as publicly available information.

Last modified 20 January 2025

Definition of Personal Data

National Ordinance Person Registration

According to the Explanatory Memorandum on the National Ordinance Person Registration the term personal data has a broad meaning. This does not only concern data that can identify a person, but concerns any data that can be associated with a particular person; it is foreseeable that under certain circumstances data can be traced to one person through systematic comparison and lengthy investigations. Personal identifiable confidential data is therefore not only limited to home address, email address, telephone number, membership number and/or identity number.

GDPR

Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Definition of Sensitive Personal Data

National Ordinance Person Registration

Religion or belief, race, political opinion, sexuality, as well as personal data of a medical, psychological or disciplinary nature, and personal data concerning the trade union membership.

GDPR

Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.

Last modified 10 February 2025

Definition of personal data

Personal data (referred to as "personal information" in Australia) means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in material form or not.

The Privacy Act currently contains an exemption for “employee records”, such that any records containing personal information which an employer makes in connection with a current or former employment relationship are exempt from the Privacy Act. However there are some further carve outs to this (for example, the exemption does not apply to contractors or unsuccessful applicants), and it is widely anticipated that the employee records exemption will be removed from the Privacy Act as a result of the ongoing review of the Privacy Act (see Enforcement).

Definition of sensitive personal data

Sensitive personal data (referred to as "sensitive information" in Australia) means information or an opinion about:

Racial or ethnic origin;
Political opinions;
Membership of a political association;
Religious beliefs or affiliations;
Philosophical beliefs;
Membership of a professional or trade association;
Membership of a trade union;
Sexual orientation or practices;
Criminal record that is also personal information;
Health information about an individual;
Genetic information about an individual that is not otherwise health information;
Biometric information that is to be used for the purpose of automated biometric identification or verification; and / or
Biometric templates.

Last modified 20 January 2025

EU regulation

"Personal data" is defined as "any information relating to an identified or identifiable natural person" (Article 4). A low bar is set for "identifiable" – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly referred to in Recital 30, with IP addresses, cookies and RFID tags listed as examples.

The GDPR creates more restrictive rules for the processing of "special categories" (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR concerns the " processing" of personal data. Processing has a broad meaning, and includes any set of operations performed on data, including mere storage, hosting, consultation or deletion.

Personal data may be processed by either a "controller" or a "processor". The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to former legislation, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Austria regulation

The DSG does not include any additional definitions or derogations to the GDPR. However, Section 1 DSG, which provides a constitutional (human) right to data privacy, does not use the definition of "data subject" of the GDPR, but rather uses the term "everyone" which is currently interpreted to include legal entities and other organizations too. Consequently, the constitutional (human) right to data privacy, as well as some basic data subject rights, as regulated in Section 1 DSG, also apply to legal entities and other organizations.

Last modified 20 January 2025

Definition of Personal Data

Any information allowing to identify a person, directly or indirectly, is considered personal data.

Definition of Sensitive Personal Data

Personal data of special category includes information relating to race or nationality of an individual, his/her family life, religion and belief, health or conviction.

Last modified 15 February 2022

Definition of Personal Data

Section 2 DPA defines ‘personal data’ as data relating to a living individual who can be identified either from the data or from the data in conjunction with other information in the possession of the data controller.

Definition of Sensitive Personal Data

‘Sensitive personal data’ is further defined in Section 2 DPA as personal data relating to: racial origin; political opinions or religious or other beliefs; physical or mental health (other than any such data reasonably kept by them in relation to the physical or mental health of their employees in the ordinary course of personnel administration and not used or disclosed for any other person); trade union involvement or activities; sexual life; or criminal convictions, the commission or alleged commission of any offence, or any proceedings for any offence committed, the disposal of such proceedings or the sentence of any court in such proceedings.

It should be noted that although sensitive personal data (‘SPD’) is distinguished from personal data under DPA in its specificity of certain categories of data, SPD does not otherwise receive any special treatment compared to general personal data. While DPA provides that the relevant Minister responsible for data protection may create regulations that would provide safeguards for such data under the Act, such a regulation has never materialized.

Last modified 28 January 2025

Definition of personal data

Personal data is defined under the PDPL as any information of any form related to an identifiable individual, or an individual who can be identified, directly or indirectly, particularly through their personal identification number, or one or more of their physical, physiological, intellectual, cultural or economic characteristics or social identity.

Definition of sensitive personal data

Sensitive personal data is a subset of personal data. It is personal data which reveals, directly or indirectly, the individual's race, ethnicity, political or philosophical views, religious beliefs, union affiliation, criminal record or any data related to their health or sexual life. Sensitive personal data requires more rigorous treatment by data controllers.

Last modified 20 January 2025

Definition of personal data

Section 26 of the CA 2023 defines the term "identity information" as "any external, biological or physical information or any other information which singly or jointly can identify a person or a system, such as name, photograph, address, date of birth, mother's name, father's name, signature, national identity card, birth and death registration number, finger print, passport number, bank account number, driving license, e-TIN number [Tax identification Number], electronic or digital signature, username, credit or debit card number, voice print, retina image, iris image, DNA profile, security related question or any other identification which are available for advance technology".

Definition of sensitive personal data

The CA 2023 does not define the term "Sensitive Personal Data" or any similar or equivalent term.

Last modified 3 January 2024

Definition of Personal Data

"Personal data" means data which relates to an individual who can be identified:

from that data; or
from that data together with other information which is in the possession of or is likely to come into the possession of the data controller.

Definition of Sensitive Personal Data

"Sensitive personal data" means personal data consisting of information on a data subject's:

racial or ethnic origin;
political opinions;
religious beliefs or other beliefs of a similar nature;
membership of a political body;
membership of a trade union;
genetic data;
biometric data;
sexual orientation or sexual life;
financial record or position;
criminal record; or
proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court of competent jurisdiction in such proceedings.

Last modified 28 January 2024

Definition of personal data

Data Protection Law defines “personal data” as any information relating to an identified or identifiable natural person.

In its turn, “individual who can be identified” means an individual who can be directly or indirectly determined, in particular through the surname, proper name, patronymic, date of birth, identification number, or through one or more of characteristic features of her / his physical, psychological, mental, economic, cultural or social identity.

The Law also defines “special personal data”, “biometric personal data”, “genetic personal data” and “publicly available personal data”.

Definition of sensitive personal data

Data Protection Law defines “special personal data” which include information about race, nationality, political, religious and other convictions, health and sexual activity; criminal conviction records; biometric and genetic personal data.

“Biometric personal data” means information describing the physiological and biological characteristics of a person, which is used for her / his unique identification (fingerprints, palms, iris, characteristics of the face and its image, etc.), while “genetic personal data” is defined as information related to the inherited or acquired genetic characteristics of a person, which contain unique data on her / his physiology or health and can be identified, in particular, during the study of her / his biological sample.

Last modified 20 January 2025

EU regulation

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR is concerned with the "processing" of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a "controller" or a "processor". The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Belgium regulation

The Data Protection Act builds on the definitions contained in the GDPR and further clarifies some notions, such as the notion of 'public authority'¹. It further adds the definitions of a ‘trusted third party’, ‘disclosure of personal data’ and ‘distribution of personal data’ in the context of the research and statistical purposes exception. The Data Protection Act also clarifies certain concepts such as 'processing in the substantial public interest'², the 'processing for journalistic purposes'³ and introduces new concepts such as 'a joint database'⁴.

Footnotes

1. Art. 5 Data Protection Act.
2. Article 8 para. 1 Data Protection Act.
3. Art. 24 para. 1 Data Protection Act.
4. Article 48 Data Protection Act.

Last modified 31 December 2024

Definition of Personal Data

The personal data is defined as any information relating to an identified or identifiable natural person. It makes a direct reference to sound and image (Article 1 of the Digital Code).

Definition of Sensitive Personal Data

Pursuant to Article 1 of the Digital Code, the following personal data is considered 'sensitive' and is subject to specific processing conditions: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs; trade union membership; genetic data; and health-related data; data concerning a person's sex life or sexual orientation, prosecution to criminal and administrative penalties.

Last modified 20 January 2025

Definition of use

PIPA applies to the "use" of personal information, and defines "use" as carrying out any operation on personal information, including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it.

Definition of personal data

PIPA provides for a definition of "personal information" as meaning "any information about an identified or identifiable individual".

At common law, information is generally to be regarded as 'confidential' if it has a necessary quality of confidentiality and has been communicated or has become known in such circumstances as give rise to a reasonable expectation of confidence; for example if obtained in connection with certain professional relationships, if obtained by improper means, or if received from another party who is subject to a duty of confidentiality.

Definition of sensitive personal data

PIPA provides for a definition of "sensitive personal information" as meaning "any personal information relating to an individual’s place of origin, race, colour, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, biometric information or genetic information".

Last modified 28 January 2024

There are no official definitions of personal data or sensitive personal data.

Last modified 24 January 2022

Definition of Personal Data

Personal Data Protection Act BES

Article 1 paragraph 2 of the Personal Data Protection Act BES stipulates personal data as any data concerning an identified or identifiable natural person.

GDPR

Definition of Sensitive Personal Data

Personal Data Protection Act BES

A person’s religion or belief, race, political views, health, sexual life as well as personal data concerning membership of a trade union.

GDPR

Last modified 10 February 2025

Definition of personal data

The DP Law defines personal data as any information relating to an identified or identifiable natural person. Data subjects are natural persons whose identity can be determined or identified, directly or indirectly, in particular by reference to a personal identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

Definition of sensitive personal data

The DP Law defines sensitive personal data as any data relating to any of the following:

Racial, national or ethnic origin;
Political opinion, party affiliation, or trade union affiliation;
Religious, philosophical or other belief;
Health;
Genetic code;
Sexual life;
Criminal convictions; and
Biometric data.

Definitions of sensitive personal data stipulated by Draft Data Protection Law correspond to the definitions prescribed by GDPR.

Last modified 20 January 2025

Definition of personal data

Under the DPA, personal data means information relating to an identified or identifiable individual, which the individual can be identified directly or indirectly, in particular by reference to an identification number, or to one or more factors specific to the individual’s physical, physiological, mental, economic, cultural or social identity.

Definition of sensitive personal data

Sensitive Personal Data is defined to mean personal data which reveals a data subject’s:

racial or ethnic origin;
political opinions;
religious beliefs or philosophical beliefs;
membership of a trade union;
physical or mental health or condition;
sexual life; or
filiation,

and includes:

any commission or alleged commission by him or her of any offence;
any proceedings for any offence committed or alleged to have been committed by him or her, the disposal of such proceedings, or the sentence of any Court in such proceedings; or
genetic data, biometric data and the personal data of minors.

Last modified 20 January 2025

Definition of personal data

The LGPD defines personal data as any information related to an identified or identifiable natural person.

Anonymized data is not considered personal data, except when the process of anonymization has been reversed or if it can be reversed applying reasonable efforts.

Definition of sensitive personal data

The LGPD defines sensitive personal data as any personal data concerning:

Racial or ethnic origin
Religious belief
Political opinion
Trade union
Religious, philosophical or political organization membership
Health or sex life
Genetic or biometric data

Last modified 28 January 2024

Definition of personal data

Personal data means any information in respect of commercial transactions which: (i) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose; (ii) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or (iii) is recorded as part of a relevant filing system or with the intention, and in each case, that it should form part of a relevant filing system, that relates directly or indirectly to a data subject, who is identified or identifiable from that information, or from that or other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject

Definition of sensitive personal data

Sensitive personal data means any personal data about a data subject’s:

physical or mental health;
sexual orientation;
political opinions;
religious beliefs or other beliefs of a similar nature;
criminal convictions, the commission or alleged commission of, an offence; or
any other personal data that may be prescribed as such under the DPA, from time to time.

Other key definitions

commercial transactions means any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking, and insurance
data processor, in relation to personal data, means a person who processes data on behalf of a data controller but does not include an employee of the data controller
data subject means a natural person, whether living or deceased
data controller means a person who, either alone or jointly, or in common with other persons, processes any personal data, or has control over, or authorises the processing of any personal data, but does not include a data processor
processing, in relation to personal data, means collecting, recording, holding, or storing the personal data or carrying out any operation or set of operations on the personal data, including the: (i) organisation, adaptation, or alteration of personal data; (ii) retrieval, consultation or use of personal data; (iii) disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or (iv) alignment, combination, correction, erasure or destruction of personal data, and

Last modified 28 January 2025

Definition of personal data

At present there is no legal definition.

It is anticipated that under the PDPO "personal data" will refer to data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which the organization has or is likely to have access. Premised on such a definition of “personal data” it is envisaged that if a data subject cannot be identified by that data and other information to which the organization has or may have access to, such data would not come within the meaning of “personal data” under PDPO and this would remain the situation regardless of any anonymisation technique having been applied to the data. Noting that there are complexities surrounding the concept of anonymisation, AITI have expressed their intentions to provide guidance on anonymisation in due course.

Definition of sensitive personal data

At present there is no legal definition.

It is anticipated that the PDPO will not make a distinction between sensitive and non-sensitive personal data or define a category of “sensitive personal data”.

Last modified 3 January 2024

EU regulation

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

Personal data may be processed by either a "controller" or a "processor". The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Bulgaria regulation

Definition of personal data

The definition of personal data set forth before by the Personal Data Protection Act was repealed following the implementation of the GDPR and it explicitly refers to the definition of personal data under art. 4 of the GDPR (§1 of the Supplementary provisions of the Personal Data Protection Act).

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Definition of sensitive personal data

The Personal Data Protection Act refers explicitly to the definition under the GDPR which applies following its direct effect in all EU member states.

Last modified 27 December 2024

Definition of Personal Data

Any information that allows, in any form whatsoever, directly, or indirectly, the identification of natural persons, in particular by reference to an identification number or to several characteristics specific to their physical, psychological, mental, economic, cultural or social identity (Article 5 of the Law).

Definition of Sensitive Personal Data

Any personal data relating to the data subject's health or that reveal racial or ethnic origins, political, philosophical or religious opinions, union membership, morals, investigation and prosecution of offenders, criminal or administrative penalties, related security measures or other measures of a similar nature (Article 5 of the Law).

Last modified 20 January 2025

Definition of personal data

Not specifically defined.

Definition of sensitive personal data

Not specifically defined.

Last modified 17 January 2024

Definition of Personal Data

Cambodian law does not specifically define the term "personal data," or discuss what specific information constitutes personal data.

The E-commerce Law defines the term "data" as "a group of numbers, characters, symbols, messages, images, sounds, videos, information or electronic programs that are prepared in a form suitable for use in a database or an electronic system".

According to the Draft Law on Personal Data Protection, personal data is defined as information pertaining to an individual that can directly or indirectly identify them. This information includes, but is not limited to, names, identification numbers, location data, and online identifiers. As the Law on Personal Data Protection has not yet been implemented, this definition should not be regarded as official.

Therefore, due to the absence of a definition of "personal data", it remains plausible that any data of a data subject may be viewed by the regulatory and enforcement authorities as personal data of that data subject. As such, conventional data, such as full names, national identification numbers, passport numbers, photographs, video, images, phone numbers, personal email addresses, biometric data, IP addresses, and other network identifiers, etc., may arguably constitute personal data.

Definition of Sensitive Personal Data

There is no express definition of what constitutes sensitive personal data. That said, based on laws applicable to persons and entities in other sectors (such as healthcare and banking), the types of data below are generally considered to be of a more sensitive nature, and thus should be handled with more stringent data protection mechanisms:

medical data;
financial data;
personal data of children; and
personal identifiers (e.g. national identification cards and passport details).

As there is no clear limit as to the scope of what may be considered sensitive data, any data of a data subject should be prudently treated as sensitive data to the greatest extent possible.

Last modified 20 January 2025

Definition of personal data

Information relating to a person enabling that person to be identified directly or indirectly, in particular by reference to any form of identifier or to one or more elements specific to their physical, psychological, genetic, psychological, cultural, socio-professional or economic identity, in particular a name, a photograph, a fingerprint, a postal address, an e-mail address, a telephone number, a social security number, an internal personnel number, a digital identifier, an IP address, a computer connection identifier or a voice recording. (Article 5 of the Data Protection Act)

Definition of sensitive personal data

Information relating in particular to religious, philosophical, political or trade union opinions and activities, banking transactions, racial or ethnic origin, linguistic or regional origin, sex life, genetics, biometrics, health, legal proceedings and criminal sanctions (Article 5 of the Law).

Last modified 6 January 2025

Definition of personal data

‘Personal information’ includes any information about an identifiable individual (business contact information is expressly “carved out” of the definition of ‘personal information’ in some Canadian privacy statutes).

The Quebec Private Sector Act, as modified by Bill 64, has broadened the definition of “personal information” to include any information that allows an individual to be identified indirectly as well as directly. In Quebec, business contact information is included in the definition of “personal information”, however it is considered a less sensitive form of data to which many of the requirements of the Quebec Private Sector Act do not apply.

Definition of sensitive personal data

Not specifically defined in Canadian Privacy Statutes, except for the Quebec Private Sector Act.

The Quebec Private Sector Act, as modified by Bill 64, defines ‎‎“sensitive personal information” as any information ‎that, by virtue of its nature (e.g. biometric or medical), or because of the context in which it is used or communicated, warrants a high expectation of privacy. The Quebec Privacy Act has stricter consent requirements in certain situations for the use and communication of personal information qualified as sensitive.

Definition of anonymized information

The Quebec Private Sector Act, as modified by Bill 64, defines “anonymized information” as information concerning an individual which irreversibly no longer allows such individual to be identified, whether directly or indirectly. Quebec recently adopted a regulation which prescribes certain criteria and procedures which must be followed when anonymizing data.

Definition of de-identified information

The Quebec Private Sector Act, as modified by Bill 64, defines “de-identified information” as any information which no longer allows the concerned individual to be identified directly. “De-identified” information is still considered to be a form of personal information, to which most of the protections set out in the Quebec Private Sector Act continue to apply.

Definition of biometric information

The Quebec privacy regulator, the Commission d’accès à l’information (CAI), defines “biometric information” as information measured from a person’s unique physical, behavioural or biological characteristics. Biometric information is, by definition, sensitive information.

Last modified 26 January 2023

Definition of personal data

Personal data is defined as any information, regardless of its nature or the media on which it is stored, relating to an identifiable natural person (referred to as 'the data subject'). Natural persons are deemed to be identifiable whenever they can be directly or indirectly identified through such information.

Definition of sensitive personal data

Sensitive data is defined as personal data that refers to a person’s:

philosophical or political convictions
party or union affiliation
religious faith
private life
ethnic origin
health
sex life
genetic information and biometric data.

Last modified 16 January 2025

The DPA defines 'personal data' as data relating to a living individual who can be identified, including data such as:

the living individual's location data or online identifier;
factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the living individual;
an expression of opinion about the living individual; and
any indications of the intentions of the data controller or any other person in respect of the living individual.

The DPA creates more restrictive rules for the processing of 'sensitive personal data', which includes personal data consisting of a data subject's racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, physical or mental health or condition, medical data, sex life or commission or alleged commission of an offence or related proceedings.

Under the DPA the 'processing' of personal data has an extremely broad meaning and includes obtaining, recording or holding data, or carrying out any operation on personal data.

Personal data may be processed by either a data controller or a data processor. The data controller is the decision maker, the person who 'alone or jointly with others determines the purposes, conditions and manner in which any personal data are, or are to be, processed'. The data processor 'processes personal data on behalf of a data controller'. The obligations under the DPA are imposed almost exclusively on the data controller.

A 'data subject' is an identified living individual or a living individual who can be identified directly or indirectly by means reasonably likely to be used by the data controller or by any other person.

Last modified 28 January 2025

Definition of personal data

Any information relating to a natural person, identified or identifiable directly or indirectly, by reference to an identification number or to one or more elements specific to his or her physical, physiological, genetic, psychological, cultural, social, and economic identity (Article 5 of the Act).

Definition of sensitive personal data

Data relating to religious, philosophical, political, trade union opinions or activities, sex or racial life, health, social measures, prosecutions, and criminal or administrative charges (Article 5 of the Act).

Last modified 6 January 2025

Definition of personal data

The PDPL defines personal data as any information concerning identified or identifiable natural persons.

Definition of sensitive data

Sensitive data are defined very broadly as personal data relating to the physical or moral characteristics of persons or to facts or circumstances of their private or intimate life, such as personal habits, racial origin, ideologies or political opinions, religious beliefs or convictions, physical or mental health conditions, and sexual life.

Definition of controller and data processing

The PDLP defines the controller ('responsible for the register or database') as the private individual or legal entity, or the respective public body, which is responsible for decisions related to the processing of personal data.

Data processing is defined as any operation or complex of operations or technical procedures, of automated or non-automated nature, that allow to collect, store, record, organize, elaborate, select, extract, confront, interconnect, dissociate, communicate, assign, transfer, transmit or cancel personal data, or use them in any other way.

Last modified 28 January 2023

Definition of personal information

The PIPL defines personal information as any kind of information relating to an identified or identifiable natural person, either electronically or otherwise recorded, but excluding information that has been anonymized.

Definition of sensitive personal information

The PIPL defines sensitive personal information as information that, once leaked or illegally used, will easily lead to infringement of human dignity or harm to the personal or property safety of a natural person, including (but not limited to):

biometric data;
religion;
specific social status;
medical health information;
financial accounts;
tracking / location information; and
minors' data.

That said, under the new "Guide for Sensitive Personal Information Identification" (published by the National Standardization Technical Committee for Information Security), which became effective on September 18, 2024, when assessing whether certain personal information constitutes sensitive personal information, data controllers must now focus more on the processing context, and the impact of the processing activities on data subjects, rather than referring to any prescribed lists of sensitive personal information. As such, going forward a case-by-case analysis may be required to identify sensitive personal information.

Definition of network data

The Network Data Regulation governs electronic data processed and generated via networks (“network data”) and applies to all processing of network data within Mainland China. A “network” means a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges and processes information according to certain rules and procedures. So, in practice, this captures all electronic data processed or generated online (including personal information and non-personal information).

Last modified 20 January 2025

The Colombian data protection regime distinguishes between personal data and a sub-category of sensitive personal data, depending on the information and the harmful effects caused by its unlawful use. Law 1266 and Law 1581 contain particular rules related to sensitive personal data.

Definition of personal data

Under Law 1266, personal data is defined as any information related to or that may be associated with one or several determined or determinable natural or legal persons. Personal data may also be regarded as public, private or semi-private data. Public data is available to the public based on a legal or constitutional mandate. Private or semi-private data is data that does not have a public purpose, is intimate in nature and the disclosure of which concerns only the data subject.

Under Law 1581, personal data is defined as any information related to, or that may be related to, one or several determined or determinable individuals, meaning natural persons only.

Definition of sensitive personal data

Under Law 1266, sensitive personal data is defined as data that due to its sensitivity is only relevant to its owner.

Under Law 1581, sensitive personal data is any data that affects its owner’s intimacy or whose improper use might cause discrimination. Data that reveals any of the below information is considered sensitive data and its processing is prohibited by law:

Ethnic or racial origin
Political orientation
Religious or philosophic convictions
Membership in labor unions, human right groups or social organizations
Membership in any group that promotes any political interest or that promotes the rights of opposition parties
Information regarding health and sexual life, and
Biometrics

Sensitive personal data shall only be processed:

With the Data Subject's special and specific consent
If necessary to preserve the data subject’s life, or a vital interest and the Data Subject is physically or legally unable to provide consent
If used for a legitimate activity and with all necessary security measures, by an NGO, an association or any kind of nonprofit entity, in which case, the entity will need the Data Subject's consent to provide the sensitve personal data to third parties
If such data is related to or fundamental to exercising a right in the context of a trial or any judicial procedure, or
If such data has a historic, statistical or scientific purpose, in which case the Data Subject's identity may not be disclosed

Last modified 28 January 2024

Definition of personal data

According to Article 1 of the 2013-450 law on the protection of personal data, personal data is defined as:

'any information of any kind whatsoever and regardless of its medium, including sound and image relating to a natural person identified or identifiable directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, genetic, mental, cultural, social or economic identification'.

Definition of sensitive personal data

Article 1 of the 2013-450 law on the protection of personal data defines sensitive data as:

'any data relating to religious, philosophical, political or trade union opinions or activities, sexual or racial life, health, social measures, prosecutions or criminal or administrative sanctions.'

Last modified 6 January 2025

Definition of personal data

Personal information contained in public or private registries (eg, medical records) that identifies or could be used to identify a natural person. Personal information can only be disclosed to persons or entities with a need to know such information.

Definition of sensitive personal data

Personal information related to the personal sphere of an individual, including racial origin, political opinion, religious or spiritual convictions, socioeconomic condition, biomedical or genetic information, sex life and sexual orientation, among others. Sensitive personal data cannot be disclosed without express prior authorization from the data subject.

Last modified 28 January 2025

EU regulation

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

Personal data may be processed by either a "controller" or a "processor". The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Croatia regulation

The Act refers to all definitions as stated in the GDPR.

Last modified 16 January 2025

Definition of personal data

In the regulatory order, the information is approached in a general sense oriented to the preservation of the confidentiality, integrity and availability of the same, and focuses on establishing rules that regulate the management and treatment of information in general, especially related to cybersecurity issues.

Definition of sensitive personal data

Cuban rules do not provide for an express definition of sensitive personal data.

Last modified 16 February 2022

Definition of Personal Data

National Ordinance Personal Data Protection

According to the Explanatory Memorandum on the National Ordinance Personal Data Protection the term personal data has a broad meaning. This does not only concern data that can identify a person, but concerns any data that can be associated with a particular person; it is foreseeable that under certain circumstances data can be traced to one person through systematic comparison and lengthy investigations. Personal identifiable confidential data is therefore not only limited to home address, email address, telephone number, membership number and/or identity number.

GDPR

Definition of Sensitive Personal Data

National Ordinance Personal Data Protection

A person’s religion or belief, race, political views, health, sexual life as well as personal data concerning membership of a trade union.

GDPR

Last modified 10 February 2025

EU regulation

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

Personal data may be processed by either a "controller" or a "processor". The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Cyprus regulation

The Law uses the definitions provided under the GDPR without any derogation.

Last modified 21 February 2022

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

Personal data may be processed by either a "controller" or a "processor". The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Last modified 16 January 2024

Definition of Personal Data

Personal data is defined in Article 183 of the Digital Code Law and listed in eight different categories:

Personal identification data, in particular: first name, surname, middle name, date and place of birth, age, marital status, national identification number, valid official identity document or any other biometric data, in particular photographs, sound recordings, images, fingerprints and iris scans;
Correspondence data: telephone numbers, physical, postal and e-mail addresses;
Professional data: status, job held, employer, remuneration;
Billing and payment data: invoice amounts and history, payment status, reminders, payment balances, direct debit date;
Bank details: bank code, account and credit card number, bank name / address / contact details, transaction references;
Data on legal entities under public or private law showing personal data;
Data on family circumstances; and
Data concerning court decisions.

Definition of Sensitive Personal Data

There is no separate definition of sensitive data, but the Digital Code prohibits, as a matter of principle, the processing of certain data which can be considered as sensitive, such as personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, the status of refugees or stateless persons, trade union membership, sex life or, more generally, data relating to the state of health.

For the purposes of this definition, “processing” is to be understood as the operation or set of operations which is performed upon personal data, whether by means of wholly or partly automated processes, such as collection, recording, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

There are several exceptions to this principle stated in the Digital Code. The processing of such data will be admissible should, for instance, one consents to such processing for a well determined purpose. The processing of such data for statistical analysis or health reasons will usually, and within the boundaries of the Law, be equally accepted.

Last modified 6 January 2025

EU regulation

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

Personal data may be processed by either a "controller" or a "processor". The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Denmark regulation

The definitions used in the Danish Data Protection Act correspond to the definitions as set out in the GDPR. However, the Danish Data Protection Act stipulates that data about dead persons are still personal data for 10 years from the person’s death. Therefore, in Denmark , a ”data subject” is a natural person who is still alive or has been alive within the past 10 years, and whose personal data are processed by either a controller or a processor.

Last modified 16 January 2025

Definition of personal data

Personal data consists of any information, whether numerical, alphabetical, graphic, photographic, or acoustic, or any other type of data which concerns individuals that are identified or identifiable.

Definition of sensitive personal data

The term 'sensitive data' refers to personal data that reveals its subject´s:

Political opinions
Religious, philosophical or moral convictions
Racial or ethnic origin
Affiliation to labor unions or trade union membership, and
Information concerning health or sex life

Personal data concerning the health of an individual encompasses any information concerning their past, present or future physical or mental health.

Affected or interested party

Any natural person whose information is the object of data processing, as well as any creditor, whether a natural or legal person, who has or has had a commercial or contractual relationship with a natural person for the exchange of goods and services, where the natural person is the creditor's debtor. As well as any natural or legal person who has had, has or requests to have a good or service of an economic, financial, banking, commercial, industrial, or any other nature, with a financial intermediation institution or with an economic agent.

Data processing

Systematic operations and procedures that allow the collection, conservation, ordering, storage, modification, relation, evaluation, blocking, destruction and, in general, the processing of personal data, as well as its transfer to third parties through communications, consultations, interconnections or transfers.

Data Processor

The natural or legal person, public or private, who carries out the processing of personal data on behalf of the controller.

Last modified 28 January 2025

Definition of Personal Data

The Ecuadorian data protection regime distinguishes between personal data and a sub-category of sensitive personal data, depending on the information and the harmful effects caused by its unlawful use.

Article 4 of the Organic Law on Personal Data Protection defines personal information as the information that identifies or makes identifiable a specific individual, directly or indirectly.

Definition of Sensitive Personal Data

Article 4 of the Organic Law on Personal Data Protection defines sensitive personal data as information related to: ethnicity, gender identity, cultural identity, religion, ideology, political affiliation, judicial background, immigration status, sexual orientation, health, biometric data, genetic data and those whose improper processing may give rise to discrimination, infringe or may infringe fundamental rights and freedoms.

In application of article 26 of the Organic Law for the Protection of Personal Data, the processing of sensitive personal data is prohibited unless one of the following circumstances applies:

The owner has given his explicit consent to the processing of his personal data, clearly specifying its purposes.
The processing is necessary for the fulfilment of obligations and the exercise of specific rights of the controller or the holder in the field of labor law and social security and protection.
The processing is necessary to protect the vital interests of the data owner or another individual, in the event that the data owner is physically or legally incapable of giving his/her consent.
The processing relates to personal data which the data owner has manifestly made public.
The processing is carried out by order of a judicial authority.
The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, which must be proportionate to the aim pursued, respect in substance the right to data protection and provide for adequate and specific measures to protect the interests and fundamental rights of the owner.
When the processing of health data is subject to the provisions contained in this Law.

Definition of Large-Scale Data Processing

Article 4 of the Regulation to the Organic Law on Personal Data Protection defines large-scale data processing activities as the following:

The processing of patients’ data in the normal course of activity of a hospital or health institution.
The processing of travel data of persons using public transportation systems.
The processing of real-time geolocation data of customers by a data controller specialized in the provision of these services.
The processing of customer data in the normal course of business of an insurance company, brokers, agent or financial institution.
The processing of personal data for behavioral advertising by a search engine.
The processing of data (content, traffic, location) by telephone or Internet service providers.

Definition of Joint Controllers

Article 37 of the Regulation to the Organic Law on Personal Data Protection specifies that when two or more controllers jointly determine the same purposes of and means for the processing of personal data, they shall be considered joint controllers, who shall define their respective tasks and responsibilities regarding data protection in a transparent manner by means of a contract, insofar as these are not already defined by the law.

Last modified 28 January 2025

Definition of Personal Data

Pursuant to Article (1) of the Law, personal data shall mean any data relating to an identified natural person, or one who can be identified directly or indirectly by way of linking such personal data and other data such as name, voice, picture, identification number, online identifier, or any data which determines the psychological, medical, economic, cultural or social identity of a natural person.

Definition of Sensitive Personal Data

Pursuant to Article (1) of the Law, sensitive data shall mean data which discloses psychological, mental or physical health, or genetic, biometric or financial data, religious beliefs, political views, or criminal records. In all cases, data relating to children is considered to be sensitive personal data.

Last modified 19 January 2024

Definition of Personal Data

“Information concerning a natural/moral person who is identified or identifiable.”

Definition as contained Personal Data Protection Act on Apr. 22, 2021

Definition of Sensitive Personal Data

“Personal data that affects the most intimate sphere of its owner and whose misuse may give rise to discrimination, seriously affect the right to honour, personal and family privacy and self-image. They are generally those that reveal aspects such as creed, religion, ethnic origin, political affiliation or ideologies, union membership, sexual preferences, physical and mental health, biometric information, genetics, moral and family situation, and other intimate information of a similar nature.”

Definition as contained Personal Data Protection Act on Apr. 22, 2021

Last modified 28 January 2024

Definition of Personal Data

The Personal Data Protection Law under art.4 defines personal data as "any information, testimony or review concerning a person specifically identified or identifiable".

Definition of Sensitive Personal Data

The law does not provide a definition of sensitive personal data. However, art.41(d) consider as a mayor infringement the treatment or given out of personal data in relating to conscience liberty, affiliation or political ideology, health, sex life, race, tribe, religion or any other discrimination form without the express authorization of the owner.

Last modified 6 March 2025

EU regulation

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

Personal data may be processed by either a "controller" or a "processor". The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Estonia regulation

The PDPA and the Implementation Act use the same definitions as the GDPR and do not foresee any new terms or terms defined differently from the GDPR.

Last modified 16 January 2025

Definition of Personal Data

No specific definition is generally applicable.

The Freedom of the Mass Media and Access to Information Proclamation No. 590/2008, applicable to government entities, is understood to generally define personal data as information about an identifiable individual that relates, but is not limited, to:

medical, education, academic, employment, financial transaction, professional or criminal history
ethnic, national or social origin, age, pregnancy, marital status, color, sexual orientation, physical or mental health, well-being, disability, religion, belief, conscience, culture, language or birth
an identification number, symbol or other identifier assigned to the individual, address, fingerprints or blood type
personal opinions, views or preferences, except as relate to another individual
views or opinions on grant proposals, awards, or prizes granted to another individual, provided such views or opinions are not associated with the other individual’s name
views or opinions of others about the individual, or
an individual’s name, in combination with other personal data, or alone, if could reasonably be linked to personal data (exception applies for persons deceased for more than 20 years).

Ethiopian Communications Authority’s Consumers Rights and Protection Directive 2020 defines personal information as private information and record relating to consumers leading to identify such consumer such as his identity, address or telephone number and / or traffic and billing data and / or other personal information.

Definition of Sensitive Personal Data

Sensitive personal data is not defined.

Last modified 12 January 2023

None.

Last modified 31 January 2023

Definition of Personal Data

The only actionable rights available to citizens are in s.24 of the Constitution. This creates a right to “personal privacy”, said to include:

“confidentiality of their personal information;
confidentiality of their communications; and
respect for their private and family life”.

These terms are not otherwise defined.

Definition of Sensitive Personal Data

None.

Last modified 3 January 2024

EU regulation

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

Personal data may be processed by either a "controller" or a "processor". The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Finland regulation

The definitions in Finland are the same as in the GDPR and no additional local definitions have been included.

Last modified 4 January 2023

EU regulation

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

Personal data may be processed by either a "controller" or a "processor". The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

France regulation

The definitions under the Law are the same as under the GDPR. Article 2 of the Law makes an express reference to GDPR definitions, thus harmonizing the definitions and concepts of French law with the GDPR.

Last modified 5 January 2025

Definition of Personal Data

Any information relating to an identified or identifiable natural person, directly or indirectly, by reference to an identification number or to one or more elements, specific to his physical, physiological, genetic, psychological, cultural, social or economic identity (Article 6 of the Personal Data Act 2023 and Article 1 of the African Union Convention on Cyber Security And The Protection Of Personal Data).

Definition of Sensitive Personal Data

All personal data relating to religious, philosophical, political or trade union opinions or activities, sex life, health, social race, health, social measures, prosecution, criminal or administrative sanctions (Article 6 Of The Personal Data Act 2023 And Article 1 Of The African Union Convention On Cyber Security And The Protection Of Personal Data).

Last modified 6 January 2025

The Data Protection Law defines personal data as any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, including by his / her name, surname, identification number, location data and electronic communication identifiers, or by physical, physiological, mental, psychological, genetic, economic, cultural or social characteristics.

As for the special categories of data, the Data Protection Law defines sensitive data (special categories of data) as data connected to a person’s racial or ethnic origin, political views, religious, philosophical or other beliefs, membership of professional unions, health, sexual life, status of an accused, convicted or acquitted person or a victim in criminal proceedings, conviction, criminal record, diversion, recognition as a victim of trafficking in human beings or of a crime under the Law of Georgia on the Elimination of Violence against Women and / or Domestic Violence, and the Protection and Support of Victims of Such Violence, detention and enforcement of his / her sentence, or his / her biometric and genetic data that are processed to allow for the unique identification of a natural person.

Furthermore the Law defines health-related data, as data related to the physical or mental health of a data subject, including the provision of health care services, which reveal information about his / her physical or mental health. It defines biometric data as data processed using technical means and related to the physical, physiological or behavioral characteristics of a data subject (such as facial images, voice characteristics or dactyloscopic data), which allow the unique identification or confirm the identity of that data subject. In addition to that, Law states that genetic data is the data relating to the acquired or inherited genetic characteristics of a data subject which, through an analysis of a biological sample from that data subject, give unique information about his / her physiology or health.

The Data Protection Law defines processing as any operation performed on personal data, including collecting, obtaining, accessing, photographing, video monitoring and / or audio monitoring, organizing, grouping, interconnecting, storing, altering, retrieving, requesting for access, using, blocking, erasing or destroying, and disclosing by transmission, publication, dissemination or otherwise making available.

It is to be noted that controllers and processors are allowed to process data, whereas controller is a natural person, a legal person, or a public institution, who individually or in collaboration with others determines the purposes and means of the processing of data, and who directly or through a processor processes data, whilst processor is a natural person, a legal person, or a public institution, which processes data for or on behalf of the controller, furthermore a natural person who is in labor relations with the controller will not be considered a processor.

Data subject is any natural person whose data are being processed by either controller or / and processor.

Last modified 6 January 2025

EU regulation

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

Personal data may be processed by either a "controller" or a "processor". The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Germany regulation

The definitions are the same as in Article 4 GDPR. Beyond that, the BDSG contains further definitions for 'public bodies of the Federation', 'public bodies of the Länder' and 'private bodies' in Section 2 BDSG. The TDDDG contains definitions for types of data that are specifically related to the provision of telecommunications services and digital services (so-called inventory data and usage data).

Last modified 16 January 2025

Data means information which (a) is processed by means of equipment operating automatically in response to instructions given for that purpose, (b) is recorded with the intention that it should be processed by means of such equipment, (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, or (d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record.
Data controller means a person who either alone, jointly with other persons or in common with other persons or as a statutory duty determines the purposes for and the manner in which personal data is processed or is to be processed.
Data processor in relation to personal data means any person other than an employee of the data controller who processes the data on behalf of the data controller
Data subject means an individual who is the subject of personal data.
Data supervisor means a professional appointed by a data controller in accordance with section 58 to monitor the compliance by the data controller in accordance with the provisions of the Act.
Processing means an operation or activity or set of operations by automatic or other means that concerns data or personal data and the:
- collection, organisation, adaptation or alteration of the information or data;
- retrieval, consultation or use of the information or data;
- disclosure of the information or data by transmission, dissemination or other means available, or
- alignment, combination, blocking, erasure or destruction of the information or data.

Definition sensitive personal data

The Data Protection Act does not make provision for 'sensitive personal data'. However 'special personal data', is defined as personal data which relates to:

the race, colour, ethnic or tribal origin of the data subject;
the political opinion of the data subject;
the religious beliefs or other beliefs of a similar nature, of the data subject;
the physical, medical, mental health or mental condition or DNA of the data subject;
the sexual orientation of the data subject;
the commission or alleged commission of an offence by the individual; or
proceedings for an offence committed or alleged to have been committed by the individual, the disposal of such proceedings or the sentence of any court in the proceedings.

Last modified 19 January 2024

Definition of personal data

"Personal data" is defined as "any information relating to an identified or identifiable natural person" (Article 4). A low bar is set for "identifiable" – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The Gibraltar GDPR creates more restrictive rules for the processing of "special categories" (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The Gibraltar GDPR is concerned with the "processing" of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a "controller" or a "processor". The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to the previous law, the Gibraltar GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

"Public authority" and "public body" are expressions used in the Gibraltar GDPR. For the purposes of Gibraltar, the DPA04 defines them in S.9.

The DPA04 also clarifies that, where the purpose and means of processing are determined by an enactment of law, then the person on whom the obligation to process the data is imposed by the enactment is the controllerBottom of Form.

Definition of sensitive personal data

Definition of personal data

Any information relating to a Data Subject; and a Data Subject means a natural person who is the subject of Personal Data.

Definition of special category personal data

Information about racial or ethnic origin, religious or philosophical beliefs, trade union membership, health or sex life. The DPA04 also includes a definition on criminal convictions and offences data to include personal data relating to the alleged commission of any offence and information on any proceedings for offences or alleged offences, the disposal of such proceedings and any sentence given.

Last modified 19 January 2024

EU regulation

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

Personal data may be processed by either a "controller" or a "processor". The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Greece regulation

Definition of supervisory authority

The competent supervisory authority for the territory of Greece is the Hellenic Data Protection Authority (hereinafter the “HDPA”).

Definitions as per article 4 of the GDPR

Further to the definitions as per article 4 of the GDPR, the Greek Data Protection Law provides for specific definitions for the notions of public and private bodies:

‘Public body’ means public authorities, independent and regulatory administrative authorities, legal persons governed by public law, first and second-level local government authorities with their legal persons and their legal entities, state-owned or public undertakings and agencies, legal persons governed by private law which are state-owned or regularly receive at least 50% of their annual budget in the form of state subsidies, or their administration is designated by the state;
‘Private body’ means any natural or legal person or group of persons without legal personality which does not fall within the definition of a ‘public body’.

Further, as per Law 4961/2022 on “Emerging information and communication technologies, strengthening digital governance and other provisions” the following definitions are worth noting, to the extent related to the data protection regime:

“Internet of Things” (“IoT”) constitutes any technology that (a) allows devices or a group of interconnected or related devices, through their internet connection, to perform automatic processing of digital data; and (b) enables the collection and exchange of digital data, in order to offer a variety of services to users, with or without human participation.
“Distributed ledger” is defined as the repository of information that keeps records of transactions, and which is shared and synchronized between a set of DLT network nodes, using a consensus mechanism.
“Blockchain” is defined as a type of distributed ledger technology that records data in blocks, which are connected to each other in chronological order and form a chain of a consensual, decentralized and mathematically verifiable nature, which is mainly based on the science of cryptography.
A “smart contract” is defined as a set of coded computer functions, which is finalized and executed through distributed ledger technology in automated electronic form through instructions for the execution of actions, omissions or tolerances, which are based on the existence or not of specific conditions, according to terms recorded directly in electronic code, scheduled commands or programmed language.

Last modified 16 January 2025

Definition of Personal Data

Article 9, number 1 of the Law on Access to Public Information defines Personal Data as “relative to any information pertaining to natural persons identified or identifiable.”

Definition of Sensitive Personal Data

Article 9, number 2 of the Law on Access to Public Information defines Sensitive Personal Data as “such personal data referring to physical or moral characteristic of the persons or to facts or circumstances of its private life or activity, such as personal habits, racial origins, ethnic origin, ideology or political opinions, religious beliefs or convictions, physical or psychologic health status, sexual preference or sex life, moral and familiar situation or other intimate matters similar in nature.”

Last modified 21 December 2021

Definition of personal data

Section 111(1) of the DPL 2017 defines personal data as "any information relating to an identified or identifiable individual".

An 'identifiable individual' is given special meaning under Schedule 9 of the DPL 2017 and is defined as an individual who can be directly or indirectly identified from the information including:

by reference to a name or an identifier;
one or more factors specific to the person's physical, physiological, genetic, mental, economic, cultural or social identity;
where, despite pseudonymisation, that information is capable of being attributed to that individual by the use of additional information; or
by any other means reasonably likely to be used, taking into account objective factors such as technological factors and the cost and amount of time required for identification in the light of the available technology at the time of processing.

Definition of special category data

'Special category data' means personal data consisting of information as to a data subject's:

racial or ethnic origin
political opinions
religious or philosophical beliefs
trade union membership
genetic data, meaning personal data relating to the inherited or acquired genetic characteristics of an individual which gives unique information about their physiology or their health, including as a result of an analysis of a biological sample from that individual
biometric data, meaning personal data resulting from the specific technical processing relating to the physical, physiological or behavioural characteristics of an individual, which allows or confirms the unique identification of that individual, such as facial images or dactyloscopic data
health data, which includes any personal data relating to the health of an individual, including the provision of health care services, which reveals their health status and includes information about their physical or mental health
sex life or sexual orientation
criminal data which relates to the commission or alleged commission by an individual of any offence, or any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Last modified 16 January 2025

Definition of personal data

Article 1 of Law No. L/2016/037/AN defines personal data as any information of any kind and regardless of its medium, including sound and image, relating to an identified or identifiable natural person directly or indirectly, by reference to an identification number or to one or more factors specific to his or her physical, physiological, genetic, mental, cultural, social or economic identity.

Definition of sensitive personal data

According to Article 1 of Law No. L/2016/037/AN, sensitive data is all personal data, relating to religious, philosophical, political, trade union opinions or activities, sexual or racial life, health, social measures, prosecution, criminal and administrative sanctions.

Last modified 20 December 2021

Definition of Personal Data

There is no definition on the act.

Definition of Sensitive Personal Data

Article 4 of the Decree on personal data provides that “Any release of personal data that is likely to infringe the rights and freedom of an individual is forbidden”.

This disposition refers to sensitive personal data according to our interpretation. Thus, sensitive personal data is any data that is likely of infringe the rights and freedom of an individual.

Last modified 16 January 2025

Definition of personal data

Public Personal Data under the Law of the Civil Registry is defined as: Public Data whose disclosure is not restricted in any way, and includes the following:

Names and surnames
ID number
Date of birth and date of death
Gender
Domicile (but not address)
Job or occupation
Nationality
Civil status

Definition of sensitive personal data

The Law for Transparency and for Access to Public Information defines ‘Sensitive Personal Data’ as: "Those personal data relating to ethnic or racial origin, physical, moral or emotional characteristics, home address, telephone number, personal electronic address, political participation and ideology, religious or philosophical beliefs, health, physical or mental status, personal and familiar heritage and any other information related to the honor, personal or family privacy, and self-image."

Other definitions:

Consent: Written and express authorization of the person to whom the personal data refers in order to disclose, distribute, commercialize, and/or use it in a different way as it was originally given for
Confidential Information: Information provided by particular persons to the government which is declared confidential by any law, including sealed bids for public tenders
Classified Information: Public information classified as that by the law, and / or by resolutions issued by governmental institutions

Last modified 10 February 2025

Definition of personal data

Personal data is defined in the Ordinance as any data:

Relating directly or indirectly to a living individual;
From which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
In a form in which access to or processing of the data is practicable.

The January 2020 Consultation Paper proposed to expand the definition of personal data to cover anonymized information where the relevant individual can be re‑identified.

Definition of sensitive personal data

There is not a separate concept of sensitive personal data in the Ordinance. However, non‑binding guidance issued by the PCPD (in the context of biometric data) has indicated that higher standards should be applied as a matter of best practice to more sensitive personal data.

Last modified 20 January 2025

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

Personal data may be processed by either a "controller" or a "processor". The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Last modified 11 January 2024

EU regulation

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

Personal data may be processed by either a "controller" or a "processor". The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Iceland regulation

The DPA defines a public authority or body in accordance with Article 1 of the Administrative Procedures Act no. 37/1993. The term public authority refers to all parties, institutions, committees, etc. which are governed by state and local government.

Last modified 16 January 2025

Definition of personal data

Under the DPDP Act, Personal Data refers to data about an individual who is identifiable either by such data or in relation to such data. This implies that anonymized data or non-personal data will not be covered by the DPDP Act.

The DPDP Act also defines ‘Data Fiduciary’, ‘Data Processor’ and ‘Data Principal’, among other concepts:

Definition of Data Fiduciary

Similar to ‘Controller’ as defined under the European Union's General Data Protection Regulation (EU-GDPR), the DPDP Act defines Data Fiduciary as an individual or entity that, either independently or in conjunction with others, determines the purpose and means of processing of personal data.

Definition of Data Processor

Data Processor is defined as any person who processes personal data on behalf of a Data Fiduciary.

Definition of Data Principal

Similar to ‘Data Subject’ under the EU-GDPR, the DPDP Act defines Data Principal as individual to whom the personal data relates. When dealing with personal data of a child under the age of eighteen years, the term Data Principal encompasses the child's parents or legal guardian. Likewise, for persons with disabilities, it includes their legal guardian, who acts on their behalf. The DPDP Act seeks to only protect personal data of natural persons and does not include data of companies.

Definition of Processing

The DPDP Act defines ‘processing’ to mean a “wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.” This definition closely aligns with the concept of ‘processing’ as defined under the EU-GDPR. Nevertheless, it is important to note that while the EU-GDPR's definition encompasses both automated and specific non-automated processes, the DPDP Act confines the scope of processing solely to ‘automated’ operations.

Last modified 6 January 2025

Definition of personal data

Personal data under the General Data Protection Regulations and the PDP Law is broadly defined as any data of an individual who can be identified and / or may be identified individually or combined with other information both directly or indirectly through electronic or non-electronic systems.

Definition of sensitive personal data

Sensitive personal data under the PDP Law is referred to as "specific personal data", which would include any (i) health data and records, (ii) biometric data, (iii) genetic data, (iv) sexual life / orientation, (v) political views, (vi) criminal records, (vii) children’s data, (viii) personal financial data, and / or (ix) any other data as (may be) provided in accordance to the prevailing laws and regulations. There is however, no clear / specific differentiation between the requirements for processing of general and specific personal data, except that:

a data controller may be obligated to carry out a data protection impact assessment when processing personal data with a high potential risk to data subjects, which includes, among others, such an event where it would process specific personal data;
a personal data controller and processor may be obliged to appoint a data protection officer (DPO), if the main activity of the personal data controller consists of processing personal data in a large scale that involves specific personal data and / or that relates to criminal acts. Further provisions may possibly be set out in subsequent implementing regulations to the PDP Law.

Last modified 20 January 2025

Definition of Personal Data

Not specifically defined.

Under the Law on Publishing and Access to Data, “personal data” means first and last name, home and work address, individual habits, bank accounts information, etc.

The E-Commerce Law defines “private data” as a “data message” associated with a specific data subject. “Data message” means any representation of facts, information, and concepts generated, sent, received, stored or processed by use of electronic, optical or other information technology means.

Definition of Sensitive Personal Data

Not specifically defined.

Under the E-Commerce Law “sensitive personal data” has customarily been understood to mean data relating to family matters, criminal records, tribal or ethnic origins, moral and religious beliefs, ethical characteristics, sexual habits and data regarding health, physical or psychological status.

Last modified 23 May 2019

EU regulation

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

Personal data may be processed by either a "controller" or a "processor". The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Ireland regulation

"Public authority" and "public body" are terms used in the GDPR. For the purposes of the DP Act, the definition of a “public body” includes a company (and its subsidiaries) in which the majority of shares are held by or on behalf of a Minister of the Government.

Last modified 17 January 2025

Definition of personal data

Personal Data, as defined under the PPL, means: data regarding the personality, personal status, intimate affairs, state of health, economic position, vocational qualifications, opinions and beliefs of a person.

Definition of sensitive personal data

Sensitive Data, as currently defined under the PPL, means: data on the personality, intimate affairs, state of health, economic position, opinions and beliefs of a person; and other information if designated as such by the Minister of Justice with the approval of the Constitution, Law and Justice Committee of the Knesset. No such determination has been made to date.¹ Amendment 13 replaced the definition of Sensitive Data with the term "Especially Sensitive Data" which is broadly defined and includes various types of Personal Data, such as information about a person’s intimate life, medical information, sexual orientation, genetic data, biometric identifiers, ethnicity, criminal records, political opinions, religious beliefs, location data, salary and financial activity, personality assessments and personal data subject to a statutory confidentiality obligation.

Footnotes

1: On July 23, 2020, the Israeli Ministry of Justice published a draft bill proposing to amend the PPL (Definitions and Limiting Registration Obligations) 5782- 2021. The draft bill proposes to revise defined terms under the PPL to align with the definition in the GDPR, such as definition of: personal data, sensitive data, processing, owner of a database, holder of a database and other. In addition, the draft bill attempts to limit database registration requirements to apply to certain categories of databases containing information of 100,000 data subject or more. The draft bill has yet to be placed on the table of the Israel Knesset for its first reading. Furthermore, the draft bill expands the administrative enforcement of the IPA. On May 18, 2021, the Israeli Ministry of Justice published two draft bills proposing to amend the PPL (Appointment of an Official Representative) 5782-2021 and the PPL (Minor's Privacy) 5782-2021. On July 26, 2021, the Israeli Ministry of Justice published a draft bill proposing to amend the PPL (Limitation Period) 5721-2021 to extend the limitation period by which a civil claim may be filed under the PPL from a period of two years to a period of seven years, in accordance with the Statute of Limitations Law 5718-1958. All the foregoing draft bills have been placed on the table of the Israel Knesset and for their preliminary discussion. On January 31, 2022, the Israeli Ministry of Justice published a draft bill proposing to amend the PPL (Strengthening the Right to Privacy and its Protection) 5782-2021. The draft bill proposes additional rights of data subjects to control their personal information. In addition, the draft bill includes further strengthening of the enforcement powers of the IPA, in particular with regards to enforcement on an international level. The draft has been set on the Knesset's table for its first reading. On January 31, 2022, the Israeli Ministry of Justice published a draft bill proposing to amend the PPL (Deletion from Databases), 5782-2022. The draft bill proposes to add requirements to the notification obligations to data subjects, prior to collecting personal information (Section 11 of PPL), such as adding an obligation to indicate when a renewed authorization to hold the personal information will be requested and deleting the personal information either by the data subject contacting the owner of the database, or automatically if five years have passed since receiving a notification, and no renewed authorization to hold the personal information was received. The draft bill has been approved in its first reading of the Israel Knesset and is awaiting the Knesset committee to appoint a handling committee. On February 16, 2023, the Israeli Ministry of Justice published a draft bill proposing to amend the PPL: (Prohibition on Publishing a Recording of an Individual) 5783- 2023, which proposes to prohibit publishing a recording of an individual in public which contains Sensitive Data. The draft bill has been placed on the table of the Israel Knesset and for its preliminary discussion.

Last modified 25 December 2024

EU regulation

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

Personal data may be processed by either a "controller" or a "processor". The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Italy regulation

The Italian Privacy Code adopts the definitions provided by the GDPR.

Last modified 16 January 2025

Definition of Personal Information

Personal Information is information about a living individual which can identify a specific individual by name, date of birth or other description contained in such information. Personal Information includes information which enables one to identify a specific individual with easy reference to other information. According to the guidelines issued by the PPC, "easy reference to other information" means that a business operator can easily reference other information by a method taken in the ordinary course of business. If a business operator needs to make an inquiry of another business operator to obtain the "other information" and it is difficult for the business operator to do so, such a situation would not be considered an "easy reference to other information".

Personal Information includes any "Personal Identifier Code". A Personal Identifier Code refers to certain types of data specified under a relevant cabinet order of the APPI, and includes biometric data which can identify a specific individual, or data in the form of a certain code uniquely assigned to an individual. Typical examples of such code would be passport numbers or driver's license numbers.

Definition of Sensitive Personal Information

Sensitive information includes information about a person's race, creed, social status, medical history, criminal record, any crimes a person has been a victim of, and any other information that might cause the person to be discriminated against. Obtaining sensitive information generally requires consent from the data subject. Additionally, the "opt out" option (discussed below) is not available for third party transfer for sensitive information-prior consent is basically required from the data subject to transfer the sensitive information to a third party.

Definition of Anonymously Processed Information

"Anonymously Processed Information" refers to any information about individuals from which all personal information (i.e. the information that can identify a specific individual, including any sensitive information) has been removed and such removed personal information cannot be restored by taking appropriate measures specified in the enforcement rules and the relevant PPC guidelines. As noted above, Personal Information includes personal identifier codes, so these must also be removed before information is considered anonymized.

If a business operator has sufficiently anonymized the information, it can be used beyond the purpose of use notified to the data subjects or disclosed to third parties without requiring the consent of the data subjects. However, care must be taken in anonymizing the information before disclosure; a failure to completely sanitize the information could result in the disclosure of Personal Information. Additionally, before disclosing the Anonymously Processed Information to a third party, a business operator must publicly state (likely in its privacy policy) the items of information (for example, gender, birth year and purchase history) included among the Anonymously Processed Information, and the means by which it shares the Anonymously Processed Information.

Definition of Pseudonymously Processed Information

Given the high hurdle of utilizing Anonymously Processed Information, such information has been less utilized than originally expected. The Amended APPI introduces the concept of "Pseudonymously Processed Information", which is the information that is processed so that such information is (i) not able to be used to identify a specific individual; but (ii) is able to be de-crypted by referencing other information. For example, Pseudonymously Processed Information is information in which names, addresses, and other similar such information are replaced with a random string of characters. Unlike normal Personal Information, a business operator can change the utilization purpose of Pseudonymously Processed Information at its own discretion (i.e. a business operator does not need to obtain consents from data subjects to change the utilization purpose). It is expected that business operators may utilize Pseudonymously Processed Information for internal data analytics purposes.

Definition of Personally Referable Information

The Amended APPI defines information which is related to personal matters, but that does not fall under the definition of Personal Information as "Personally Referable Information". The definition of Personally Referable Information is quite vague, but based on the guidelines issued by the PPC, it includes, among other things, a web browsing history collected through the terminal identifier such as cookie information, a person’s age, gender or family makeup that are linked to his / her email address, a person’s purchase history of goods and / or services, a person’s location data, or a person’s area of interest. The handling of Personally Referable Information is not regulated as Personal Information, but prior consent from data subjects would be required to transfer Personally Referable Information in certain circumstances as discussed below.

Last modified 20 January 2025

The DPJL defines 'data' as information that:

Is processed by means of equipment operating automatically in response to instructions given for that purpose or is recorded with the intention that it should be processed by means of such equipment
Is recorded as part of a filing system or with the intention that it should form part of a filing system, or
Is recorded information held by certain public authorities

The DPJL defines 'personal data' as being any data relating to a data subject.

A 'data subject' is defined in the DPJL as an identified or identifiable, natural living person who can be identified, directly or indirectly, by reference to (but not limited to) an identifier such as:

A name, an identification number or location data
An online identifier (which may include an IP address, location data or any unique number or code issued to the individual by a public authority), or
One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the person

Enhanced levels of protection in the DPJL and DPAJL are provided for 'special category' personal data.

'Special category personal data' is defined under the DPJL as personal :

Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership
Genetic or biometric data that is processed for the purpose of uniquely identifying a natural person
Data concerning health
Data concerning a natural person’s sex life or sexual orientation, or
Data relating to a natural person’s criminal record or alleged criminal activity

Personal data may be processed by either a 'controller' or a 'processor'. The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 1(1) DPJL). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to the previous law, the DPJL imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

Last modified 16 January 2025

Definition of Personal Data

There is no specific definition in the laws or the regulations.

Definition of Sensitive Personal Data

There is no specific definition in the laws or the regulations.

Last modified 11 January 2024

Definition of personal data

'Personal data' is any information relating to a specific individual (personal data subject) or a personal data subject who can be identified on the basis of such information which is recorded on electronic, paper and / or another tangible medium.

The law divides personal data into:

'Generally accessible personal data', which is personal data that can be accessed freely with the consent of the personal data subject or to which confidentiality requirements do not apply in accordance with Kazakh law; and
'Limited access personal data', which is personal data, access to which is limited by Kazakh law

Definition of sensitive personal data

Kazakh law does not provide for express definition of sensitive personal data.

In certain cases, sensitive personal data may qualify as limited access personal data and, as such, it is additionally regulated by sector-specific laws of Kazakhstan (e.g. medical secrecy, subscriber data). In our replies, we do not consider sector-specific restrictions which may affect personal data regulation (e.g. Kazakh law prohibits transfer of subscriber data, which includes, inter alia, personal data of subscribers).

Last modified 4 February 2025

Definition of personal data

Section 2 of the Act

Personal data is defined as data relating to an identified or identifiable natural person.

Definition of sensitive personal data

Section 2 of the Act

Sensitive personal data is defined as data revealing the natural person's race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person's children, parents, spouse or spouses, sex or the sexual orientation of the data subject.

Last modified 6 February 2025

Definition of Personal Data

“Personal Data” is defined as “any information related to an identified or identifiable natural person (‘data subject’)."

An identifiable natural person is defined widely as any person “who can be identified directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

Definition of Sensitive Personal Data

“Sensitive Personal Data” is defined as “personal data revealing ethnic or racial origin, political or philosophical views, religious affiliation, union membership or any data related to health condition or sexual life, any involvement in or removal from criminal or offence records retained in accordance with the law. Biometric characteristics are also considered sensitive personal data if the latter enable the identification of a data subject in relation with any of the abovementioned circumstances in this sub-paragraph.”

Genetic data, biometric data and data concerning health are also considered as sensitive category of personal data within the meaning of the LPPD.

Last modified 4 February 2025

Definition of personal data

The Data Protection Regulation defines personal data as information associated with a natural or juristic person whose identity is known or can be directly determined from the data. This includes personal details like name, identity, financial, health, racial, or religious information, as well as data that reveals the individual’s location, fingerprint, genetic profile, or any audio file containing the person’s voice. It also covers any other identifier that facilitates online interaction with the individual.

Additionally, the E-Commerce Law refers to personal data as considered to include at least personal information about a person’s:

Positional affairs;
Personal status;
Health status; or
Elements of financial disclosures.

These elements are undefined, but broadly construed to encompass any personal information relating to the specified data element.

Definition of sensitive personal data

Kuwaiti law does not define sensitive personal data.

Last modified 4 February 2025

The Law on Personal Data provides that information recorded on a material carrier relating to a particular person, which identifies a specific person or which could be used to identify a specific person, directly or indirectly, by reference to one or more factors related to biological, economic, cultural, civil or social identity shall qualify as 'personal data'.

Personal data include:

Biographical and identification data;
Personal characteristics;
Information on marital status;
Financial status;
Health data.

There is no clear definition of Sensitive Personal Data. Under the provisions of the Law on Personal Data, all personal data is confidential. It should be noted that the Holder (Owner) of personal data (ie the data controller) and the data processor are obliged to ensure protection of personal data to prevent:

Unauthorized access;
Blocking;
Transmission;
As well as its accidental or unauthorized destruction;
Alteration or loss;
Provide guarantees in respect of technical security measures and organizational measures regulating processing of personal data.

However, confidentiality of personal data does not apply in cases of anonymisation or on request of the individual to which the personal data relates.

Last modified 4 February 2025

Definition of Personal Data

Article 3, Section 12 of the Law on Electronic Data Protection defines “personal data” to mean electronic data of an individual, legal entity, or organization.

Definition of Sensitive Personal Data

The Law on Electronic Data Protection aims to protect any type of electronic data. The law categorizes electronic data roughly into three types: (i) general data, (ii) sensitive data (a literal translation would be “specific data”), and (iii) prohibited data. Depending on its nature, personal data may fall under one of these three categories. Accordingly, there is no “sensitive personal data” so to speak. Given this, personal data may fall under the category of sensitive data.

Sensitive data is information “that an individual, legal entity, or organization cannot access, use, or disclose if [they] have not received consent from the Information Owner, or the relevant organization” (Article 10).

A list of examples of sensitive data is provided in the Instructions on the Implementation of the Law on Electronic Data (2018), which includes “information on customers, financial information, CV, history of medical treatment, race, religion, project plan, budget plan, official secret, etc.” (Section 3). The list is not exhaustive, and there is no official guidance to anticipate what other data may be considered sensitive data apart from these examples.

Last modified 8 January 2025

EU regulation

Personal data is defined as "any information relating to an identified or identifiable natural person" (Article 4). A low bar is set for "identifiable" – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of special categories (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR is concerned with the processing of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a controller or a processor. The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Latvia regulation

The Personal Data Processing Law reproduces the definitions of Article 4 of GDPR, and generally uses the same terminology as the GDPR.

Last modified 4 February 2025

Definition of Personal Data

Personal Data is defined as any information relating to an individual which helps identifying such individual, either directly or indirectly, including by way of comparing or combining information of multiple sources.

Definition of Sensitive Personal Data

The Law brings no definition of sensitive personal data per se. However, it states that the processing of personal data falling within specific categories shall only be processed under a license from the Ministry of Economy and Trade (exceptions apply).

The Law does not attribute a particular name for such category of data, simply listing specific data elements falling within the above defined category, as follows:

those related to the external and internal security of the State, under the terms of a joint decision of the Ministers of National Defence and Interior and Municipalities;
those related to criminal offences and judicial proceedings of various natures, under the terms of a decision by the Minister of Justice;
those related to health, genetic identity, sexual life of individuals, under the terms of a decision of the Minister of Public Health.

Last modified 21 December 2022

Definition of personal data

The DP Act defines personal data or information as being information about an identifiable individual that is recorded in any form, including:

Information relating to the race, national or ethnic origin, religion, age or marital status of the individual

Information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved

Any identifying number, symbol or other particular assigned to the individual

The address, fingerprints or blood type of the individual

The name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual

Correspondence sent to a data controller by the individual that is explicitly or implicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence

The views or opinions of any other person about the individual

Definition of sensitive personal data

The DP Act defines sensitive personal information as any of the following:

Genetic data, data related to children, data related to offenses, criminal sentences or security measure, biometric data as well as, if they are processed for what they reveal, personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, affiliation, trade-union membership, gender and data concerning health or sex life

Any personal information otherwise considered by Lesotho law as presenting a major risk to the rights and interests of the data subject, in particular unlawful or arbitrary discrimination.

Section 29 prohibits a data controller from processing sensitive personal information, unless specifically permitted under the DP Act.

Section 36 contains general exemptions to the prohibition on processing sensitive personal information. These include instances where:

Processing is carried out with prior parental consent where the data subject is a child and is subject to parental control in terms of the law

The processing is necessary for the establishment, exercise or defense of a right or obligation in law

Processing is necessary to comply with an obligation of international public law

The Commission has granted authority in terms of section 37 for processing in the public interest, and appropriate guarantees have been put in place in law to protect the data subject’s privacy

Processing is carried out with the consent of the data subject

The information has deliberately been made public by the data subject

Last modified 20 December 2021

Definition of Personal Data

Personal Data is not defined by existing laws. Data is however, defined variously by different statutes and legal instrument in Liberia as follows:

Financial Intelligence Unit Act of 2012: “Data" means: representations, in any form, of information or concepts”.
Central Bank of Liberia (“CBL”) E-Payment Regulation: “Data integrity” means “the assurance that information that is in-transit or in storage is not altered without authorization”
The ECOWAS Supplemental Act of which, Liberia is a signing member defines personal data as “any information relating to an identified individual or who may be directly identifiable by reference to an identification number or one or several elements related to their physical, physiological, genetic, psychological, cultural, social, or economic identity”. Accordingly, it can be concluded that that (i) cards numbers and (ii) account numbers from which a person can be directly identified qualify as sensitive personal information / data.

Definition of Sensitive Personal Data

There is no Liberian law that defines sensitive persona data.

Last modified 23 February 2024

While Libyan Law does not explicitly provide a specific definition for personal data, the National Information Security and Safety Authority (NISSA) Policy Manual offers a comprehensive understanding of personal information, categorizing it into three distinct categories. It is worth noting however that NISSA policies are only binding on the public sector at the moment, rather than the private sector.

Definition of Confidential Data

Information that is classified as confidential or restricted includes data that can be catastrophic to one or more individuals and / or organizations if compromised or lost. Such information is frequently provided on a “need to know” basis and might include:

Personal data, including personally identifiable information such as Social Security or national identification numbers, passport numbers, credit card numbers, driver's license numbers, and medical records.

Financial records, including financial account numbers such as checking or investment account numbers.
Business material, such as documents or data that is unique or specific intellectual property.
Legal data, including potential attorney-privileged material.
Authentication data, including private cryptography keys, username password pairs.

Definition of Sensitive Data

Information that is classified as being of medium sensitivity includes files and data that would not have a severe impact on an individual and / or organization if lost or destroyed. Such information might include:

Email, most of which can be deleted or distributed without causing a crisis (excluding mailboxes or email from individuals who are identified in the confidential classification).
Documents and files that do not include confidential data.
Anything that is not confidential. It can include most business data, because most files that are managed or used day-to-day can be classified as sensitive.

Definition of Public Data

Information that is classified as public includes data and files that are critical to business needs or operations. This classification can also include data that has deliberately been released to the public for their use, such as marketing material or press announcements. In addition, this classification can include data such as spam email messages sorted by an email service.

Last modified 18 January 2024

EU regulation

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Lithuania regulation

The Data Protection Law refers to the definitions provided by the GDPR. Only two definitions: ‘direct marketing’ and ‘institutions and authorities’ are defined differently in the Data Protection Law.

Under the Data Protection Law, 'direct marketing' means any activity consisting of offering goods or services or asking opinion on the goods or services offered, by post, telephone or other direct means.

'Institutions and authorities' means state and municipal institutions and authorities, enterprises and public institutions, financed from state or municipal budgets and state monetary funds and authorized by the Law on Public Administration of the Republic of Lithuania to perform public administration activities or to provide public or administrative services to persons or to perform other public functions.

Last modified 3 February 2025

EU regulation

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Luxembourg regulation

The definition of personal data has not been amended by applicable law. GDPR definitions apply.

Last modified 4 February 2025

Definition of personal data

The Law defines personal data as any information of any type, in any format, including sound and image, related to a specific or identifiable natural person (data subject). An ‘identifiable natural person’ is anyone who can be identified, directly or indirectly, in particular by reference to a specific number or to one or more specific elements related to his or her physical, physiological, mental, economic, cultural or social identity.

Definition of sensitive personal data

The Law defines sensitive personal data as any personal data revealing political persuasion or philosophical beliefs, political and joint trade union affiliation, religion, private life, racial or ethnical origin or data related to health or sex life, including genetic data.

Last modified 19 December 2023

Definition of personal data

Personal data is any information relating to a natural person, whereby that person is or can be identified, directly or indirectly, by reference to a name, an identification number or to one or more elements specific to him / her such relating to physical, physiological, psychical, economic, cultural or social.

Definition of sensitive personal data

Sensitive personal data means data which includes information relating to:

Racial origin;
Biometric and genetic information;
Political opinion;
Religious belief or other convictions;
Trade-union affiliation; and / or
Health or sexual life.

Last modified 4 February 2025

Definition of personal data

'Personal data' means any information in respect of commercial transactions that is:

Being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;
Recorded with the intention that it should wholly or partly be processed by means of such equipment; or
Recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, and, in each case.

...that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user.

Personal data includes any sensitive personal data or expression of opinion about the data subject. Personal data does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010.

Definition of sensitive personal data

'Sensitive personal data' means any personal data consisting of information as to the physical or mental health or condition of a data subject, his or her political opinions, his or her religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him or her of any offense, biometric data, or any other personal data as the Minister of Communications and Multimedia (Minister) may determine by published order. The Amending Act defines “biometric data” as “any personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person”.

Other than the categories of sensitive personal data listed above, the Minister has not published any other types of personal data to be sensitive personal data as of January 02, 2025.

Last modified 20 January 2025

EU regulation

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Malta regulation

The Data Protection Act reproduces the definitions provided by Article 4, GDPR.

Last modified 18 January 2024

Definition of personal data

Personal data is defined as any information relating to a data subject. A data subject is a natural person who is identified or identifiable, in particular by reference to an identifier such as a name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

Definition of sensitive personal data or special categories of personal data

Similar to the GDPR, the DPA 2017 refers to sensitive personal data as special categories of data. Special categories of data include personal data pertaining to any of the following about a data subject:

Racial or ethnic origin;
Political opinion or adherence;
Religious or philosophical beliefs;
Membership of a trade union;
Physical or mental health or condition;
Sexual orientation, practices or preferences;
Genetic or biometric data that is uniquely identifying;
Commission or alleged commission or proceedings related to the commission of a criminal offense; or
Such other personal data as the Commissioner may determine to be sensitive personal data.

Last modified 6 January 2025

Definition of personal data

‘Personal data’ is any information concerning an identified or identifiable individual.

Definition of sensitive personal data

‘Sensitive personal data’ is personal data that affects the most intimate areas of the data subject’s life, which if misused, may lead to discrimination or entail a serious risk to the data subject. In particular, the definition includes data that may reveal any of the following:

Racial or ethnic origin
Past or present health conditions
Genetic information
Religious, philosophical or moral beliefs
Union affiliation
Political views
Sexual orientation
Pictures and videos
Fingerprints
Geolocation
Banking information
Signature

Other key definitions

'ARCO Rights' refer to the access, ratification, cancelation and opposition rights of data subjects, with respect to their personal data.

'Controller' or 'data controller' means the individual or private entity makes decisions regarding the processing of personal data.

'Data subject' means the individual to which the personal data belongs.

'Guidelines' means the guidelines issued by INAI, regarding the compliance with the principles and duties of the Data Privacy Law.

'INAI' refers to the National Institute of Transparency, Access to Information and Protection of Personal Data (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales).

'Privacy notice' means the physical or electronic document, or document generated in any other form by the controller and made available to data subjects, prior to the processing of their personal data. There are three forms of a privacy notice: comprehensive or full-form, simplified, and short.

'Processing' means any collection, use, disclosure or storage of personal data made through any means, including any access, handling, exploitation, transfer or disposal of personal data.

'Processor' or 'data processor' means the individual or entity that separately or jointly with others processes personal data on behalf of the controller.

'Remittance' any communication of personal data carried out between the controller and the processor, within or outside Mexican territory.

'Third Party' means an individual or entity, whether national or foreigner, that is not the data subject, the controller or the processor of the personal data.

'Transfer' means any communication of personal data carried out between the controller and any third party.

Last modified 28 January 2024

Definition of personal data

Personal data is defined as “any information relating to an identified or identifiable natural person (“personal data subject”)”. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

The New Data Protection Law introduces the following definition for personal data, similar to the one regulated by the GDPR: "any information relating to an identified or identifiable natural person" (“data subject”). An identifiable natural person is one who can be "identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more elements specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person”.

Definition of sensitive personal data

Sensitive personal data is defined as special categories of personal data. Such special categories include data related to race, ethnic origin, political opinions, religious or philosophical beliefs, social belonging, data concerning health or sex life, as well as data relating to criminal convictions, administrative sanctions or coercive procedural measures.

The New Data Protection Law does not regulate the definition of sensitive personal data anymore. Instead, the following new definitions are introduced, similarly to the notions regulated by the GDPR:

“Genetic data” – means the personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample collected from the natural person in question.

“Biometric data” – means the personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

“Data concerning health” – means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

Last modified 16 January 2025

Definition of personal data

Under the DPL, personal data is defined as data enabling identification of a determined or determinable person. Any individual who can be identified, directly or indirectly, notably by reference to an identification number or to one or more factors specific to their physical, psychological, psychological, economic, cultural, or social identity is deemed to be determinable.

Definition of sensitive personal data

While not expressly defined under the DPL, sensitive personal data is considered to be personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of data concerning health / genetic data, sex life, data concerning morals or social matters.

Definition of data processing

Under the DPL, data processing is defined widely as any operation or set of operations performed on such data, whatever the process used (including collection, recording, organization, modification, storage, extraction, consultation, destruction, as well as exploitation, interconnection or reconciliation, transmission, broadcasting).

Definition of the data processor / controller

Under the DPL, the person in charge of the processing or “Data controller” shall be considered as any person (natural or legal entity governed by private or public law) who alone or jointly with others, determines the purpose and means of the processing and who decides of its implementation.

Definition of the data subject

Any person whose personal data are processed.

Last modified 6 February 2025

Definition of personal data

Pursuant to Article 4.1.11 of the Data Protection Law, the following information refers to Personal Data:

Sensitive personal data;
First and last name;
Date and place of birth;
Permanent address and location data;
Citizen’s registration number;
Properties;
Education and membership;
Online identifiers; and
Any other information that can be used to directly or indirectly identify a natural person.

Definition of sensitive personal data

Pursuant to the Data Protection Law, Sensitive Personal Data is subject to personal privacy. Sensitive Personal Data as defined in Article 4.1.12 of the Data Protection Law means:

Ethnicity and race;
Religion and beliefs;
Health, correspondence, genetic and biometric data;
Personal key of an electronic signature;
Criminal status and record; and
Any data concerning sexual orientation and sexual relationships.

Last modified 16 January 2025

Definition of personal data

The DP Law defines personal data as any information relating to an identified or identifiable data subject. Data subjects are natural persons whose identity is or can be determined, directly or indirectly, in particular by reference to a personal identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.

Definition of sensitive personal data

Under the DP Law, sensitive personal data is data relating to:

Ethnicity or race
Political opinion, or religious or philosophical belief
Trade union membership
Information on health condition and sexual life

Last modified 16 January 2025

Definition of personal data

Pursuant to Article 1 of the DP Law, personal data is defined as any information regardless of their nature, and format, relating to an identified or identifiable person.

Definition of sensitive personal data

Sensitive personal data is defined under the law as personal data which reveal the racial or ethnic origin, political opinions, religious or philosophical beliefs or union membership of the person concerned or relating to his health, including his genetic data (article 1.3 of the DP Law).

Last modified 18 January 2024

Definition of personal data

The Constitution of the Republic of Mozambique provides that all citizens are entitled to the protection of their private life and have the right to honour, good name, reputation, protection of their public image and privacy. Further, Article 71 of the Constitution identifies the need to legislate on access, generation, protection and use of computerized personal data (either by public or private entities); however, implementing legislation has not yet been approved.

The Electronic Transactions Law defines personal data as being any information in relation to a natural person which can be directly or indirectly identified by reference to an identification number or one or more factors. The AU Convention contains an indication of these factors, being: physical, physiological, mental, economic, cultural or social identity.

Definition of sensitive personal data

The Constitution of the Republic of Mozambique imposes restrictions on recording and handling any individually identifiable information concerning a person’s political, philosophical or ideological beliefs, religious beliefs, membership in a political party or trade union and (particulars) related to the person’s privacy.

One of the manifestations of protecting the privacy of the citizens relates to the rules established in respect to data protection, which must be observed in the use of private data through computer databases, namely:

Restrictions regarding certain types of information: databases are prohibited from recording and handling any information, individually identifiable, concerning political, philosophical, or ideological beliefs, religious beliefs, membership in a political party or trade union and (particulars) related to the person’s privacy¹.
Protection of personal data: there is a need to legislate on protection of personal data contained in computer-based record, as well as on the conditions for access thereto and also its generation and use either by public or private entities².
Prohibition of access and transfer of personal data: access to archives, files and computer records, or to databases to find out third parties' personal data is prohibited³. This prohibition also includes the transfer of data belonging to different services or institutions from one file to another. Exceptions to this rule are the means of access that may be authorized by law or through a court order.
Right of access: the right of all persons to gain access to related data pertaining to them and have it rectified, in cases where for example, such information is wrong, outdated, or incorrect⁴.

In addition, the AU Convention also considers personal data relating to sex-life, race, health, social measures, legal proceedings and penal or administrative sanctions as sensitive.

Footnotes

1. CRM, Article 71(1).
2. Ibid.: Article 71(2).
3. Ibid: Article 71(3)
4. Ibid.: Article 71(4).

Last modified 16 January 2025

Definition of Personal Data

Personal Data means any information that relates to an identified or identifiable living individual. (Section 2(l) of Electronic Transactions Law as amended in 2021).

Definition of Sensitive Personal Data

No definition provided.

Last modified 18 December 2024

Definition of Personal Data

Not defined.

Definition of Sensitive Personal Data

Not defined.

Last modified 18 January 2024

Definition of Personal Data

Privacy Act defines "Personal information" as the following information related to any person:

his or her caste, ethnicity, birth, origin, religion, color or marital status;
his or her education or academic qualification;
his or her address, telephone or address of electronic letter (email);
his or her passport, citizenship certificate, national identity card number, driving license, voter identity card or details of identity card issued by a public body;
a letter sent or received by him or her to or from anybody mentioning personal information;
his or her thumb impressions, fingerprints, retina of eye, blood group or other biometric information;
his or her criminal background or description of the sentence imposed on him or her for a criminal offence or service of the sentence;
matter as to what opinion or view has been expressed by a person who gives professional or expert opinion, in the process of any decision.

Definition of Sensitive Personal Data

Privacy Act has listed following information as the “sensitive information”:

his or her caste, ethnicity or origin;
political affiliation;
religious faith or belief;
physical or mental health or condition;
dexual orientation or event relating to sexual life;
fetails relating to property.

Last modified 20 January 2025

EU regulation

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Netherlands regulation

The definitions are largely the same as in Article 4, GDPR. In addition, the Implementation Act defines "personal data concerning criminal law matters" as personal data concerning criminal convictions and offences or related security measures as referred to in Article 10, GDPR, as well as personal data relating to a prohibition imposed by the courts for unlawful or objectionable conduct.

Last modified 18 January 2024

Definition of personal data

Personal information under the Act is defined as information about an identifiable individual and includes information relating to a death that is maintained by the Registrar General pursuant to the Births, Deaths, Marriages, and Relationships Registration Act 1995, or any former Act.

Definition of sensitive personal data

The Act does not include a concept of 'sensitive personal data', and there is no differentiation between how different types of personal information are to be treated under the Act. However, the Privacy Commissioner has issued (non–binding) guidance defining sensitive personal information as information about the individual that has some real significance to them, is revealing of them, or generally relates to matters that an individual might wish to keep private. This can be contrasted with routine or mundane information that is about a person but is either not particularly revealing or does not reveal information that is very intimate or “private”. The Privacy Commissioner has indicated that information about a person’s race, ethnicity, gender or sexual orientation, sex life, health, disability, age, religious, cultural or political beliefs, activities or memberships will generally be considered sensitive in nature.

Because the Act does not include a concept of sensitive personal data, there are no specific statutory obligations attracting to more sensitive information. However, the Privacy Commissioner's guidance states that agencies have a higher standard of care when they collect or hold sensitive information. While the Act does not specify special procedures for information that is sensitive, the obligations on agencies are stronger with respect to sensitive information and they will be held to a higher standard of accountability. For example, IPP 5 requires agencies to protect personal information with security safeguards that are reasonable in the circumstances — there will be a higher bar for what is considered reasonable if the information to be protected is sensitive in nature.

Additionally, the codes of practice issued by the Privacy Commissioner may modify the operation of the Act for specific industries, agencies, activities and types of personnel information. The Privacy Commissioner is currently considering introducing a new code to regulate biometric information, which the Privacy Commissioner considers to be particularly sensitive information and requires careful assessment before use.

Definition of agency

Agency is defined under the Act as any person or body of persons, whether corporate or unincorporated, and whether in the public sector (including government departments) or the private sector. Certain bodies are specifically excluded from the definition.

Last modified 24 January 2025

Definition of Personal Data

Personal data: It is all the information about a natural or legal person that identifies or makes it identifiable.

Definition of Sensitive Personal Data

Sensitive personal data: It is any information that reveals the racial, ethnic, political affiliation, religious, philosophical or moral, union, health or sexual life, criminal record or administrative, economic and financial misconduct; as well as credit and financial information and any other information that could be grounds for discrimination.

Last modified 28 January 2024

Definition of Personal Data

Any information of any nature related to an identified or identifiable natural person, including sounds and images, directly or indirectly referencing an identification number, or one or more elements specific to his physical, physiological, genetic, psychological, cultural, social, or economic identity (Article 1 of the Law).

Definition of Sensitive Personal Data

Any personal data relating to religious or philosophical opinions or activities, political affiliation, sex life, race, health, social measures, prosecutions, and criminal or administrative sanctions (Article 1 of the Law).

Last modified 6 January 2025

Definition of Personal Data

Personal Data is defined as any information relating to an individual, who can be identified or is identifiable, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social, or economic identity of that individual.

Definition of Personal Data Breach

Personal Data Breach is defined as a breach of security of a data controller or data processor leading to or likely to lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Definition of Data Subject

Data Subject means an individual to whom personal data relates.

Definition of Data Controller

Data Controller means an individual, private entity, public Commission, agency or any other body who, alone or jointly with others, determines the purposes and means of processing of personal data.

Definition of Processing

Processing means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction and does not include the mere transit of data originating outside Nigeria.

Definition of Sensitive Personal Data

Sensitive Personal Data means personal data relating to an individual’s:

genetic and biometric data, for the purpose of uniquely identifying a natural person,
race or ethnic origin,
religious or similar beliefs, such as those reflecting conscience or philosophy,
health status,
sex life,
political opinions or affiliations,
trade union memberships, or
other information prescribed by the Commission as sensitive personal data.

Last modified 18 January 2025

Definition of personal data

The DP Law defines personal data as any information relating to an identified or identifiable natural person, where an identifiable natural person is one whose identity can be determined directly or indirectly, especially by reference to an identifier such as a name and surname, his or her personal identification number, location data, an online identifier or on one or a combination of features that are specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Definition of sensitive personal data

Under the DP Law, sensitive personal data is personal data which reveal:

racial or ethnic origin;
political opinions, religious or philosophical beliefs;
membership in a trade union;
genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data referring to a natural person’s sex life or sexual orientation.

Last modified 17 January 2024

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

Personal data may be processed by either a "controller" or a "processor". The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Last modified 16 January 2025

Definition of personal data

The term “personal data” is defined in PECA 2016 in Section 2(xviii) as ““identity information” means an information which may authenticate or identify an individual or an information system and enable access to any data or information system.”

“Data” in PECA 2016 is defined in Section 2(xiii) as ““data” includes content data and traffic data.”

The use of the word ‘include’ in the abovementioned definition of ‘data’ is indicative of the fact that the legislators intended for the definition of ‘data’ to include content data and traffic data in addition to what the typical dictionary meaning and definition of the word ‘data’ is.

Hence, identity information means any piece of information that is capable of authenticating or identifying an individual and enable access to any piece of information that may indirectly assist in authenticating or identifying an individual.

On the other hand, the PDPB defines “personal data” as “any information that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that information or other information in the possession of a data controller and / or data processor, including any sensitive or critical personal data. Provided that anonymized, or pseudonymized data which is incapable of identifying an individual is not personal data”.

For the purpose of clarity, “data subject” under the PDPB means a natural person who is the subject of the personal data, whereas “data controller” means a natural or legal person or the government, who either alone or jointly has the authority to decide on the collection, obtaining, usage, or disclosure of personal data.

In addition, the PDPB defines “anonymized data” as personal data which has undergone the irreversible process of transforming or converting personal data to a form in which a data subject cannot be identified. The PDPB defines “pseudonymisation” as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

It must be noted, however, that the PDPB is yet to be promulgated into law and therefore the content of the promulgated legislation may differ from the draft.

Definition of sensitive personal data

PECA 2016 does not differentiate between the terms “personal data” and “sensitive personal data”, and therefore a piece of information that is considered as “sensitive personal data” shall be covered under PECA 2016 if the same is capable of being classified as “identity information” under the aforementioned legislation.

The PDPB however specifically provides a definition of “sensitive personal data” to mean any personal data relating to: financial information excluding identification number, credit card data, debit card data, account number, or other payment instruments data; health data (physical, behavioural, psychological, and mental health conditions, or medical records); computerized national identity card or passport; biometric data; genetic data; religious beliefs; criminal records; political affiliations; caste or tribe; and an individual’s ethnicity.

It must be noted, however, that the PDPB is yet to be promulgated into law and therefore the content of the promulgated legislation may differ from the draft.

Last modified 4 January 2024

Definition of personal data

Personal Data is defined by the Data Protection Law as the personal information of an individual that identifies him or makes him identifiable.

Definition of sensitive data

Sensitive Data is defined by the Data Protection Law as the one that refers to the intimate sphere of its owner, or whose improper use could give rise to discrimination or entail a serious risk for the individual, such as information about the racial or ethnic origin, beliefs or religious, philosophical and moral convictions; union membership; political opinions; data related to health, life, sexual preference or orientation, genetic data or biometric data, among others, subject to regulation and aimed at identifying univocally a natural person.

Last modified 28 January 2024

Definition of personal data

Art. 3 of Personal Credit Data Protection Law defines Personal Data or Personal Information as “information of any type that refers to legal entities or natural persons that are identified or identifiable. An identifiable person shall mean any person who can be identified by means of an identifier or by one or more elements that characterize the physical, physiological, genetics, mental, economic, cultural, or social identity of the data subject. The rights and guarantees of personal data protection shall be extended to legal entities, insofar as they are applicable”.

Definition of sensitive personal data

Sensitive Personal Data is defined as information that refers to the intimate sphere of the data subject, or data that, if misused, may give rise to discrimination or entail a serious risk for the data subject. Personal data is considered sensitive when it reveals aspects such as racial and ethnic origin; religious, philosophical and moral beliefs or convictions; trade union memberships; political opinion; data related to health, life, sexual preference or orientation, genetic or biometric data aimed at uniquely identifying a natural person.

Personal Credit Data Protection Law further defines Credit Data as 'information, positive and negative, related to the credit history of natural persons and legal entities, in relation to credit, commercial and other activities of similar nature, that serves to identify, correctly and unequivocally, the data subject, his/her address, business activity, determine his/her level of indebtedness, compliance with his/her financial obligations and, in general, of his/her credit risks, at any given time'.

Last modified 28 January 2025

Definitions (prior to March 30, 2025)

Definition of Personal Data

Any information — regardless of whether numerical, alphabetic, graphic, photographic, acoustic — about personal habits or any other kind of information about an individual that identifies or may identify such individual by any reasonable means.

Definition of sensitive personal data

Is defined as Personal Data revealing informatoin regarding an individual's

Physical or emotional characteristics, facts or circumstances of their emotional or family life, as well as personal habits that correspond to the most intimate sphere
Racial and ethnic origin
Economic income, opinions or political, religious, philosophical or moral convictions
Union membership, or
Physical or mental health, to sexual life

Additionally, the following is also considered Sensitive Personal Data:

Biometric data, including data derived from biometric data which by itself renders a data subject identifiable, and

Other similar data that impacts the data subject’s privacy in similar ways.

Definitions (after March 30, 2025)

Definition of Personal Data

Any information — regardless of whether numerical, alphabetic, graphic, photographic, acoustic — about personal habits, location, online identifiers or any other information concerning physical, economic, cultural or social aspects regarding an individual that identifies or may be used to identify a specific individual by any reasonable means. Information is considered identifiable when the individual’s identity can be directly or indirectly verified from the combination of data through means that can be reasonably used.

Definition of Sensitive Personal Data

Any information revealing or related to an individual's

genetics
biometrics
neural data
moral or emotional data
sexual or family life
personal habits regarding the most intimate sphere
union membership
physical or mental health, or

And other information affecting the individual's privacy in similar ways.

Definition of Health-related Personal Data

Is information concerning the past, present or predicted health, physical or mental, of an individual, including information derived from a medical act, the degree of disability, and genetic information.

Last modified 26 January 2023

Definition of personal information

Personal Information is defined in the Act as ‘any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.’

The Act, in addition to defining ‘Personal Information’ that is covered by the law, also expressly excludes certain information from its coverage. These are:

information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:

the fact that the individual is or was an officer or employee of the government institution;
the title, business address and office telephone number of the individual;
the classification, salary range and responsibilities of the position held by the individual; and
the name of the individual on a document prepared by the individual in the course of employment with the government.

information about an individual who is or was performing services under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
Personal Information processed for journalistic, artistic, literary or research purposes (intended for a public benefit);
information necessary in order to carry out the functions of a public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act ("CISA");
information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and
Personal Information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

Definition of sensitive personal information

"Sensitive Personal Information" is defined in the Act as Personal Information:

about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
about an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offence committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns, and specifically established by an executive order or an act of Congress to be kept classified.

Last modified 20 January 2025

EU regulation

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Poland regulation

The Implementing act does not include any local derogations to the definitions set out in GDPR.

Last modified 16 January 2025

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Last modified 17 January 2024

Definition of personal data

Personal data is defined under the Data Protection Law as data relating to a natural person whose identity is identified or is reasonably identifiable, whether through this data or by means of combining this data with any other data or details.

Definition of sensitive personal data

Sensitive personal data means personal data consisting of information as to a natural person’s:

Ethnic origin
Health
Physical or mental health or condition
Religious beliefs
Relationships
Criminal records

Last modified 17 January 2024

Definition of data controller

An individual or entity that determines the purposes and means of the processing of personal data.

Definition of data processor

An individual or entity that undertakes the processing of personal data on behalf of a data controller or another data processor.

Definition of data subject

A natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the data subject.

Definition of personal data

Any information relating to a data subject.

Definition of personal data breach

Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosed of, or access to, personal data transmitted, stored or otherwise processed.

Definition of processing

Any operation or set of operations that is performed (whether or not by automatic means) on personal data or on sets of personal data, and includes collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consultation, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing and destroying the personal data.

Definition of sensitive personal data

Personal data revealing or relating to race or ethnicity, political affiliation or opinions, religious or philosophical beliefs, trade-union or organizational membership, criminal records, health or sex life, and genetic and biometric data used to identify an individual.

Last modified 17 January 2024

Definition of Personal Data

Any information relating to a natural person identified or identifiable directly or indirectly, by reference to an identification number or identifiable on the basis of one or more elements specific to his / her physical, physiological, genetic, psychological, cultural, social or economic identity.

Definition of Sensitive Personal Data

Genetic data, data relating to minors, data relating to offences, criminal convictions or security measures, biometric data and, all personal data revealing ethnic origin, parentage, political opinions, religious or philosophical beliefs, trade union membership, gender, health and sex life.

Last modified 23 February 2024

EU regulation

Personal data is defined as "any information relating to an identified or identifiable natural person." A low bar is set for identifiable – if the natural person can be identified using “all means reasonably likely to be used” the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of special categories of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences.

Personal data may be processed by either a controller or a processor. The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data." The processor "processes personal data on behalf of the controller," acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The data subject is a living, natural person whose personal data are processed by either a controller or a processor.

Romania regulation

Law no. 190/2018 does not provide any specific definitions with respect to personal data, as this term is already defined by the GDPR. However, the following relevant definitions are included:

"Public authorities and bodies" means the Chamber of Deputies and the Senate, the Presidential Administration, the Government, the ministries, other specialized bodies of the central public administration, autonomous public authorities and institutions, local and county public administration authorities, other public authorities, as well as any institutions subordinated / coordinated by such authorities. Religious establishments, organisations and foundations of public service are considered public authorities / bodies.
"National identification number" means the number by which an individual is identified in certain record systems and which has general applicability, such as: (i) personal identification number, (ii) serial number and identity card number, (iii) passport number, (iv) driving license, and (v) social health insurance number.
"Remediation plan" means an annex to the report for finding and sanctioning misdemeanours, drafted by the National Supervisory Authority for Personal Data Processing (hereinafter referred to as ANSPDCP) setting remediation measures and terms.
"Remediation measure" means a solution imposed by ANSPDCP in the remediation plan, in view of ensuring the compliance of the public authority/body with the obligations provided by the law.
"Remediation term" means a time period of maximum 90 days calculated from the moment when the report for finding and sanctioning misdemeanours is communicated, in which the public authority/body may undertake remedial actions in order to correct any irregularities assessed by ANSPDCP and comply with its legal obligations.

All definitions included by the GDPR in Article 4 are applicable and have the same meaning as in Law no. 190/2018.

Last modified 17 January 2024

Definition of personal data

Personal data is defined in law as any information which relates directly or indirectly to a specific or defined physical person (the data subject). This can be widely interpreted in various contexts, so it is important to consider each situation carefully.

Definition of sensitive personal data

Sensitive personal data is defined as special categories of personal data in Russian legislation. Such special categories include data related to race, national identity, political opinions, religious and philosophical beliefs, health state, intimacies. While not specifically included as “sensitive” personal data, there are special rules for handling criminal records, so this should also be considered as sensitive.

Definition of biometric personal data

Biometric personal data is defined as information on physiological and biological features of a person, on the basis of which it is possible to and is used to establish the data subject’s identity. The definition of biometric personal data requires the data operator’s use of the information to identify the data subject.

Definition of personal data authorized by the personal data subject for dissemination

Intended to capture circumstances where a data subject has provided information or has given authorization for the dissemination of information to the public (mainly online), Russian law features a defined type of personal data as "personal data authorized by the personal data subject for dissemination.” The focus of the definition is not so much on the nature of the personal data itself, but the data subject’s authorization for its dissemination.

Data Operator

Russian law does not distinguish between “data controllers” and “data processors” in nearly all circumstances. Instead, the reference is to “data operators”.

Last modified 17 January 2024

Definition of Personal Data

The Data Protection Law defines personal data as “any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as:

name
identification number
location data
an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person” (article 3, 1°).

Definition of Sensitive Personal Data

The Data Protection Law defines sensitive personal data as “information revealing a person’s race, health status, criminal records, medical records, social origin, religious or philosophical beliefs, political opinion, genetic or biometric information, sexual life or family details” (article 3, 2°).

Last modified 17 January 2024

Definition of personal data

Personal data is defined as "every data – of whatever source or form – that would lead to the identification of the individual specifically, or make it possible to identify him directly or indirectly, including: name, personal identification number, addresses, contact numbers, license numbers, records, personal property, bank account and credit card numbers, fixed or moving pictures of the individual, and other data of personal nature."

Definition of sensitive personal data

Sensitive data is defined as "every personal data that includes a reference to an individual's ethnic or tribal origin, or religious, intellectual or political belief, or indicates his membership in nongovernmental associations or institutions, as well as criminal and security data, biometric data, genetic data, credit data, health data, location data, and data that indicates that both parents of an individual or one of them is unknown."

Last modified 23 February 2024

Definition of Personal Data

“Personal Data” means all data relating to an identified or identifiable individual by reference to an identification number or one, or many, characteristics of his / her physical, physiological, genetic, psychical cultural, social and economic identity.¹

Definition of Sensitive Personal Data

“Sensitive Personal Data” means all data relating to religious, philosophical or political opinions or union activities; sex, life, race, health, social measures and prosecutions; and criminal and administrative sanctions.²

Definition of Electronic Trading

“Electronic Trading” means the act of offering, purchasing or supplying goods and services via computer systems and telecommunication networks such as the Internet or any other network using electronic, optical or other similar means enabling remote exchanges of information.³

Definition of Processing

“Processing [of Personal Data]” means any operation or set of operations which is performed upon data, whether or not by automatic means, such as collection, use, recording, organisation, storage, adaptation, alteration, retrieval, transmission, dissemination or otherwise making available, alignment or combination, blocking, encryption, erasure or destruction of personal data.

Footnotes

1: 2008-12 on the Protection of Personal Data; Article 4 Number 6

2: 2008-12 on the Protection of Personal Data; Article 4 Number 8

3: Article 1er of the African Union Convention on Cyber Security and Protection of Personal Data

Last modified 23 February 2024

Definition of personal data

Under the DP Law, personal data is any information about a natural person through which the respective person is identified or identifiable (for example, name, address, email address, photo, etc.).

Last modified 17 January 2024

Definition of personal data

Personal data is defined under the Act as data consisting of information which relates to a living individual who can be identified from that information (or from that and other information in the possession of the data user), including any expression of opinion about the individual but not any indication of the intentions of the data user in respect of that individual.

Definition of sensitive personal data

The Act does not define sensitive personal data. However the Act makes provision for the Minister to modify or supplement the Data Protection Principles set out in the Act for the purpose of providing additional safeguards in relation to personal data consisting of information as to:

the racial origin of the data subject
his political opinions or religious or other beliefs
his physical or mental health or his sexual life, or
his criminal convictions.

Last modified 17 January 2024

Definition of personal data

Personal data is defined in the Act to mean data, whether true or not, about an individual (whether living or recently deceased*) who can be identified from:

that data; or
that data and other information to which the organization has, or is likely to have access.

*The Act's application to recently deceased individuals is limited to disclosure and protection of personal data where such data is about an individual who has been deceased for ten years or fewer.

The data protection obligations under the Act do not apply to business contact information. This excludes from the Act the following if provided solely for business purposes:

Name;
Position name or title;
Business telephone number;
Business address;
Business electronic mail address;
Business fax number.

It is important to note that the Act still governs business contact information provided by individuals solely in their personal capacity. Where the purposes of provision of business contact information are mixed (that is, for both business and personal purposes), the Act does not apply.

Definition of sensitive personal data

There is no definition of sensitive personal data in the Act.

However, non-binding guidance from the Commission indicates that sensitivity of data is a factor for consideration in implementing policies and procedures to ensure appropriate levels of security for personal data. For example, encryption is recommended for sensitive data stored in an electronic medium that has a higher risk of adversely affecting the individual should it be compromised. Where any personal data collected is particularly sensitive (e.g. regarding physical or mental health), as a matter of best practice, such data should only be used for limited purposes and the security measures afforded to such data should take into account the sensitivity of the data.

In addition, the non-binding guidelines issued by the Commission also provide that, in its calculation of financial penalties for breaches of the Act, the Commission would consider whether the organization in question is in the business of handling large volumes of sensitive personal data, the disclosure of which may cause exceptional damage, injury or hardship to an individual (such as medical or financial data), but it has failed to put in place adequate safeguards proportional to the harm that might be caused by disclosure of such personal data.

The Commission has also issued a set of advisory guidelines to impose restrictions on the collection, use and disclosure of National Identification Registration Card (“NRIC”) numbers, due to the sensitive nature of the information contained in NRICs (and other similar forms of identification). Organizations are not permitted to collect either the NRIC number or the physical cards or other similar forms of identification unless the organization is permitted to do so under the law or if the collection is necessary for the verification of an individual's identity to “high degree of fidelity” (where it is extremely important the individual’s identity is verified, and failure to do so may, for example, pose a significant safety or security risk).

The Commission also advises against the use of NRIC numbers by individuals as passwords and the use of NRIC numbers by organizations to authenticate an individual’s identity or set default passwords. That said, it is worth noting that the guidelines outlined above are subject to potential change, as the Commission is in the process of reviewing and updating the NRIC-related advisory guidelines according to a statement dated 14 December 2024.

The Commission has also made it clear in advisory guidelines that the personal data of children is generally considered to be sensitive personal data and must be accorded a higher standard of protection.

Last modified 23 January 2025

Definition of Personal Data

National Ordinance Personal Data Protection

GDPR

Definition of Sensitive Personal Data

National Ordinance Personal Data Protection

A person’s religion or belief, race, political views, health, sexual life as well as personal data concerning membership of a trade union.

GDPR

Last modified 10 February 2025

EU regulation

"Personal data" is defined as "any information relating to an identified or identifiable natural person" (Article 4). A low bar is set for "identifiable" – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

Personal data may be processed by either a "controller" or a "processor". The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Slovak Republic regulation

The definitions provided by the GDPR apply.

Last modified 17 January 2024

In accordance with Article 5(1) ZVOP-2, terms used in ZVOP-2 have the same meaning as terms defined by Article 4 GDPR.

"Personal data" is defined as "any information relating to an identified or identifiable natural person" (Article 5(1) ZVOP-2 in connection with Article 4 GDPR). A low bar is set for "identifiable" – meaning a personal identification number; and any other (by law) defined unique identifiers of individuals by means of which it is possible to collect or retrieve personal data from personal data files in which unique identifier are processed; and other similar signs which are used regularly or systematically for linking databases between different controllers or between two or several files within one controller; a name is not necessary – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person (Article 5(2-V.) ZVOP-2).

Online identifiers are expressly called out in Recital 30 GDPR, with IP addresses, cookies and RFID tags all listed as examples.

ZVOP-2 contains more restrictive rules for the processing of "special categories" of personal data (including data relating to race, religion and nationality (Article 6(5) ZVOP-2), genetics and biometrics (Articles 81-84 ZVOP-2)) and personal data relating to criminal convictions and offences (Article 10 ZVOP-2), which do not differentiate from provisions of Article 9-10 GDPR. Additionally, ZVOP-2 creates rules regulating personal data relating to deceased persons (Article 9 ZVOP-2). Such personal data may be processed by either data processors authorized by law, family members, any entities who have legal interest exercising their rights before Slovenian authorities or to whom the deceased had given their consent for such processing prior to their passing. Provisions of Article 9 ZVOP-2 apply for 20 years after individuals passing away, unless otherwise provided by law.

ZVOP-2 together with GDPR is concerned with the "processing" of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation, or deletion of the data.

Personal data may be processed by either a "controller" or a "processor". The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 5(1) ZVOP-2 in connection with Article 4 GDPR). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to the previous law, the ZVOP-2 together with GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Last modified 17 January 2024

Definition of personal data

"Personal information" is defined in POPIA as information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing, juristic person, including:

Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin; color, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief; culture, language and birth of the person;
Information relating to the education, medical, financial, criminal or employment history of the person;
Any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
The biometric information of the person;
The personal opinions, views or preferences of the person;
Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
The views or opinions of another individual about the person; and
The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

POPIA applies to the processing of personal information entered in a record by or for a responsible party / data controller that is domiciled in South Africa and that makes use of automated or non-automated means to process the personal information. It would also apply if the responsible party is not domiciled in South Africa but makes use of automated or non-automated means in South Africa unless those means are used only to forward personal information through South Africa.

POPIA does not apply to the processing of personal information:

In the course of a purely personal or household activity;
That has been de-identified to the extent that it cannot be re-identified again;
By or on behalf of the State with regard to national security, defense or public safety, or the prevention, investigation or proof of offenses; or for the purposes of the prosecution of offenders or the execution of sentences or security measures, to the extent that adequate safeguards have been established in specific legislation for the protection of such personal information;
For exclusively journalistic purposes by responsible parties who are subject to, by virtue of office, employment or profession, a code of ethics that provides adequate safeguards for the protection of personal information;
Solely for the purposes of journalistic, literary or artistic expression to the extent that such exclusion is necessary to reconcile, as a matter of public interest, the right to privacy with the right to freedom of expression;
By Cabinet and its committees, the Executive Council of a province and a Municipal Council of a municipality;
For purposes relating to the judicial functions of a court referred to in section 166 of the Constitution; and
Under circumstances that have been exempted from the application of the conditions for lawful processing by the Information Regulator in certain circumstances.

Definition of sensitive personal data

Special personal information is information concerning religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information and criminal behavior (to the extent that such information relates to the alleged commission of an offense or any proceedings in respect of any offence allegedly committed, or the disposal of such proceedings).

Subject to certain prescribed exceptions, the processing of special personal information without the consent of the data subject is generally prohibited under POPIA.

Last modified 17 January 2024

Definition of personal data

Under the PIPA, “personal information” means information relating to a living individual that constitutes any of the following:

Information that identifies a particular individual by his / her full name, resident registration number, image, etc.;
Information which, even if by itself does not identify a particular individual, may be easily combined with other information to identify a particular individual (in this case, whether or not there is ease of combination shall be determined by reasonably considering the time, cost, technology, etc. used to identify the individual such as likelihood that the other information can be procured);
Information under items (a) or (b) above that is pseudonymised in accordance with the relevant provisions and thereby becomes incapable of identifying a particular individual without the use or combination of information for restoration to the original state (referred to as “pseudonymised information”).

Definition of sensitive personal data

Under the PIPA, “sensitive information” is defined as personal information concerning an individual’s ideology, faith, labor union.

membership, political views or membership in a political party, health or medical treatment information, sexual orientation, genetic information, criminal records and biometric data for the purpose of uniquely identifying a natural person and race / ethnic information. Sensitive information can be processed if (a) such processing is required or permitted by a statute, or (b) the consent of the data subject is separately obtained.

Definition of unique identification personal data

Under the PIPA, “unique identification information” is defined to be Resident registration number (“RRN”), driver’s license number, passport number, and foreigner registration number. Other information, apart from RRNs, can be processed if (a) such processing is required or permitted by statute, or (b) the consent of the data subject is separately obtained. RRN can only be processed based on a legal basis, irrespective of whether consent to the processing is obtained from the data subject.

Last modified 20 January 2025

EU regulation

"Personal data" is defined as "any information relating to an identified or identifiable natural person" (Article 4 of the GDPR). A low bar is set for "identifiable" – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26 of the GDPR) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

Spain regulation

NLOPD is extremely restrictive regarding the processing of criminal convictions and offences data, that shall be forbidden except in very exceptional circumstances. Spain deviates itself notably in this regard from the standard position in the EU, where this prohibition is not usually so strict.

EU regulation

Personal data may be processed by either a "controller" or a "processor". The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Spain regulation

Despite following GDPR’s approach in this regard, NLOPD does also regulate certain features related to personal data of deceased people.

Last modified 22 January 2024

Many definitions in the PDPA are similar to that of the GDPR. In particular:

“Personal data” is defined to mean any information by which a data subject may be identified, either directly or indirectly by referring to an identifier or one or more factors specific to that individual. Thus, a name of a person is not a necessity for data to constitute personal data, but any factor such as an identification number, financial data, location data or an online identifier or factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that individual that allows for the tracing of him / her, would constitute personal data under the PDPA.

The PDPA further identifies a category of personal data as “special categories of personal data” with a view of protecting more sensitive personal data which are at a higher risk of adversely affecting an individual in the event such data is exploited. Special categories of personal data are defined to include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data and biometric data, data concerning health or a natural person’s sex life or sexual orientation, personal data in relation to offences, criminal proceedings and convictions or personal data relating to a child.

The term ‘processing’ has been rendered an extremely wide meaning within the PDPA to include (but not be limited to) collection, storage, preservation, alteration, retrieval, disclosure, transmission, making available, erasure, destruction of, consultation, alignment, combination, or the carrying out of logical or arithmetical operations on, personal data.

The PDPA places extensive obligations on controllers of personal data. A ‘controller’ is defined to include any natural or legal person / entity which determines the purposes and means of processing personal data. When two or more controllers jointly determine the ways and means of processing personal data, the PDPA identifies them as joint controllers.

A ‘processor’ on the other hand is any natural or legal person / entity which processes personal data on behalf of the controller.

Last modified 3 January 2024

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

Personal data may be processed by either a "controller" or a "processor". The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

Last modified 22 January 2024

Definition of personal data

Personal data means any information relating to an identified or identifiable natural person. In contrast to its previous version, the FADP does no longer apply to personal data pertaining to legal persons.

Definition of sensitive personal data

Sensitive personal data is defined as:

Data relating to religious, philosophical, political or trade union-related views or activities;
data relating to health, the intimate sphere or the affiliation to a race or ethnicity;
genetic data;
biometric data that uniquely identifies a natural person;
data relating to administrative and criminal proceedings or sanctions;
data relating to social assistance measures.

Profiling and high-risk profiling

Profiling means any form of automated processing of personal data consisting of the use of such data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

High-risk profiling means profiling that poses a high risk to the data subject's personality or fundamental rights by matching data that allow an assessment to be made of essential aspects of the personality of a natural person.

High-risk profiling is subject to certain stricter requirements.

Breach of data security

Breach of data security means a breach of security that leads to the accidental or unlawful loss, deletion, destruction or modification or unauthorised disclosure of or access to personal data.

Last modified 22 August 2023

Definition of personal data

The PDPA defines “personal data” as the name, date of birth, identification card number, passport number, special traits, fingerprints, marital status, family, education, profession, medical history, medical treatment, genetic information, sexual life (including sexual orientation), health examination, criminal record, contact information, financial condition, and social activities of a natural person, as well as other data by which such person may be directly or indirectly identified.

Definition of sensitive personal data

The PDPA defines “sensitive personal data” as medical records, medical treatment, genetic information, sexual life (including sexual orientation) and health examination and criminal records.

Last modified 18 December 2023

Personal Data Protection Law (hereinafter 'PDPL') identifies personal data as any information about the facts, events and circumstances of the life of a data subject, which allow to identify him / her.

Under the foregoing law the data subject is considered a physical person, to whom relevant personal data refers.

PDPL does not define the term of sensitive data. However it provides the definition of biometric personal data which includes biometrical and physiological data which identifies the data subject. Biometric personal data may be collected upon receipt of the subject’s consent.

Last modified 27 January 2025

Definition of Personal Data

The PDPA defines “personal data” as data about an identified or identifiable person that is recorded in any form, including such person’s:

personal data relating to the race, national or ethnic origin, religion, age or marital status;
personal data relating to the education, medical history, criminal or employment history;
identification number, symbol or other assigned particular;
address, fingerprints, or blood type;
name appearing in the personal data of another person or where the disclosure of that name itself will reveal the personal data of that person; and
correspondence sent to a data collector by the data subject that is explicitly or implicitly of a private or confidential nature, and responses to such correspondence that would reveal the personal data about the individual.¹

Definition of Sensitive Personal Data

The PDPA defines “sensitive personal data” to include the following information:

genetic data, data related to children, data related to offences, financial transactions of an individual, security measures or biometric data;
if processed for what they reveal, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, affiliation, trade union membership, gender and data concerning health or sexual life; and
any personal data which according to the laws of the country is considered to present a major risk to the rights and interests of the data subject.²

Footnotes

1: Section 3 of the DPA

2: Ibid

Last modified 25 January 2024

Data Controller is defined as "a person or juristic person who determines the purposes for which and the manner in which any personal data are, or are to be processed." Data Controllers have primary responsibility for ensuring that processing activities are compliant with the PDPA.

Data Processor is defined as "a person or an entity that collects, uses, or discloses personal data on behalf of, or in accordance with, the instructions of a Data Controller." Data Processors have direct liability under the PDPA in areas such as (this is not exhaustive) data security, data transfer and record keeping.

Personal Data is defined as "any data pertaining to a person that enables the identification of that person, whether directly or indirectly, but specifically excluding data of the deceased."

Sensitive Personal Data is defined as "personal data relating to a person’s race, ethnicity, political opinion, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health, disability, labour union, genetics, biometric or any data which may affect the data subject in the same way as prescribed by the Regulator." The PDPA requires Sensitive Personal Data to be handled carefully. We expect the Personal Data Protection Committee to provide further guidance on this in due course.

Personal Data Breach is defined as “a breach of security measures which causes loss, accessibility, usage, alteration, modification, or disclosure of personal data without authorization or unlawfully, whether or not by intention, deliberation, negligence, unauthorized or unlawful acts, a commission of computer offenses, cyber threats, errors or accidents, or any other causes.”

Last modified 6 January 2025

Definition of Personal Data

None.

Definition of Sensitive Personal Data

None.

Last modified 15 February 2022

Definition of personal data

Personal information is defined as information about an identifiable individual that is recorded in any form including:

The name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual
The address and telephone number of the individual
Any identifying number, symbol or other particular identifier designed to identify the individual
Information relating to the individual's race, nationality or ethnic origin, religion, age or marital status
Information relating to the education or the medical, criminal or employment history of the individual, or information relating to the financial transactions in which the individual has been involved or which refer to the individual
Correspondence sent to an establishment by the individual
Information that is explicitly or implicitly of a private or confidential nature, and any replies to such correspondence that would reveal the contents of the original correspondence
The views and opinions of any other person about the individual
The fingerprints, DNA, blood type or other biometric characteristics of the individual

Definition of sensitive personal data

Sensitive personal information is defined as personal information on a person's:

Racial or ethnic origins
Political affiliations or trade union membership
Religious beliefs or other beliefs of a similar nature
Physical or mental health or condition
Sexual orientation or sexual life
Criminal or financial record

Last modified 26 January 2023

Definition of personal data

Article 4 of Act n° 2004-63 of July 27, 2004 defined personal data as all information, regardless of their origin or form, and which directly or indirectly, allows to identify or make identifiable, a natural person, with the exception of information related to public life, or considered as such by law.

Definition of sensitive personal data

Act n° 2004-63 of July 27, 2004 did not give a clear definition of sensitive personal data, but it listed some personal data that the processing of which is either prohibited, or would question the data subject’s prior consent or the national authority’s authorization.

The processing of personal data is prohibited when involving criminal history and proceedings, criminal prosecution, penalties, preventative measures or judicial history.

In addition, the processing of personal data which directly or indirectly concerns the following is also prohibited:

Racial or genetic origins;
Religious beliefs;
Political opinions;
Philosophical or union activism; or
Health and scientific research.

Health data is defined by above-mentioned INPDP Decision No. 4 of September 5, 2018 as follows:

“sensitive personal data, which concerns all information related to the physical, mental or psychological health situation of the natural person concerned, as well as his hereditary or acquired genetic characteristics that may characterize him or her and that may result especially from the analysis of a biopsy or physiotherapy services rendered to him or her and that may reveal such information”.

Last modified 27 January 2025

Definition of personal data

In the LLPD, personal data is defined as “Any information relating to an identified or identifiable natural person.”

Definition of sensitive personal data

Sensitive personal data (Special Categories of Personal Data under the LPPD) is defined as "personal data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, information related to health, sex life, previous criminal convictions and security measures, and biometric and genetic data.”

Last modified 27 January 2025

Article 1 of the Data Protection Law defines the term ‘personal data’ as ‘any kind of information, which relates to a certain individual, which is recorded on an electronic, paper or other medium’. In terms of accessibility, personal data can be divided into two types: public (such as telephone directory, social media, etc) and restricted. Publicly available personal data includes information, which is either freely accessible upon consent of the individual (owner of personal data) or exempted from confidentiality in accordance with the laws of Turkmenistan.

The Data Protection Law additionally introduces a term ‘biometric data’ that encompasses any information that reflects physical and biological characteristics of an individual (owner of personal data). The term is somewhat similar to the term ‘biometric data’ that is envisaged in the GDPR (Article 4(14)) but does not include any reference to physiological and behavioural characteristics.

Both personal data and biometric data are recognized as confidential under the Data Protection Law and collection and processing of such data must be limited to the purposes the data is collected for.

In Turkmenistan the Data Protection Law does not provide for a definition of sensitive personal data. It is directly prohibited to collect specific categories of personal data which, inter alia, includes data on nationality, skin colour, religious and political views, medical conditions, etc. Collection of such categories of personal data is permissible under the following circumstances:

Receipt of a written consent of owner of personal information
Such personal data is publicly available
Collection of personal data is required for healthcare and health protection of an owner of such personal data
Collection of personal data is performed by religious or non-commercial organization provided that the collected data would not be distributed without a prior written consent of owner of personal data
Collection of personal data is required for implementation of justice and / or investigative activity

Last modified 23 December 2022

Definition of Controller

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

Definition of Processor

A natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

Definition of Data Subject

An identified or identifiable living natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Definition of Personal Data

Any information relating to a Data Subject.

Definition of Personal Data Breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

Definition of Processing

Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Definition of Special Categories of Personal Data

Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
Genetic Data, Biometric Data for the purpose of uniquely identifying a natural person, Data Concerning Health or data concerning a natural person's sex life or sexual orientation; and
Personal Data relating to criminal convictions and offences or related security measures.

Last modified 9 January 2024

Definition of Data Subject

The identified or Identifiable Natural Person to whom Personal Data relates.

Definition of Personal Data

Any data referring to an “Identifiable Natural Person”.

Definition of Identifiable Natural Person

A natural living person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one (1) or more factors specific to his biological, physical, biometric, physiological, mental, genetic, economic, cultural or social identity.

Definition of High Risk Processing Activities

Processing of Personal Data where one (1) or more of the following applies:

Processing that includes the adoption of new or different technologies or methods, which creates a materially increased risk to the security or rights of a Data Subject or renders it more difficult for a Data Subject to exercise his rights;
A considerable amount of Personal Data will be Processed (including staff and contractor Personal Data) and where such Processing is likely to result in a high risk to the Data Subject, including due to the sensitivity of the Personal Data or risks relating to the security, integrity or privacy of the Personal Data;
The Processing will involve a systematic and extensive evaluation of personal aspects relating to natural persons, based on automated Processing, including Profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; or
A material amount of Special Categories of Personal Data is to be Processed.

Definition of Special Categories of Personal Data

Personal data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life and including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person.

Definition of Process, Processed, Processes and Processing

Any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage and archiving, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, transfer or otherwise making available, alignment or combination, restricting (meaning the marking of stored Personal Data with the aim of limiting Processing of it in the future), erasure or destruction, but excluding operations or sets of operations performed on Personal Data by:

a natural person in the course of a purely personal or household activity that has no connection to a commercial purpose; or
law enforcement authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats to public security.

Definition of Substantial Public Interest

Includes, but is not limited to:

Administration of justice, including criminal and regulatory investigations; and
Exercise of a function conferred on a person by Applicable Law.

Last modified 27 January 2025

Definition of Patient Health Information

Information about a patient, whether spoken, written, or in the form of an Electronic Record, that is created or received by any Licensee, that relates to the physical or mental health or condition of the patient, including the reports from any diagnostic procedures and information related to the payment for services.

Definition of Licensee

A Licensed Healthcare Professional, Licensed Complementary and Alternative Medicine Professional, a Licensed Healthcare Operator, an Approved Education Operator, an Approved Research Operator, a Licensed Commercial Company, or a Non-Clinical Operating Permit Holder; (essentially a healthcare professional working in the DHCC with access to Patient Health Information).

Definition of Process, Processed, Processes and Processing

Any operation or set of operations which is performed on Patient Health Information, whether or not by automatic means such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, erasure or destruction.

Last modified 27 January 2025

The PDPL contains the following definitions.

Definition of Personal Data

“Personal Data” is defined as any data relating to an identified natural person, or one who can be identified directly or indirectly by way of linking data, using identifiers such as name, voice, picture, identification number, online identifier, geographic location, or one or more special features that express the physical, psychological, economic, cultural or social identity of such person. It also includes Sensitive Personal Data and Biometric Data.

Definition of Sensitive Personal Data

“Sensitive Personal Data” is defined as any data that directly or indirectly reveals a natural person's family, racial origin, political or philosophical opinions, religious beliefs, criminal records, biometric data, or any data related to the health of such person, such as his / her physical, psychological, mental, genetic or sexual condition, including information related to health care services provided thereto that reveals his / her health status.

Definition of Biometric Data

“Biometric Data” is defined as Personal Data resulting from Processing, using a specific technique, relating to the physical, physiological or behavioral characteristics of a Data Subject, which allows or confirms the unique identification of the Data Subject, such as facial images or dactyloscopic data.

Definition of Processing

“Processing” is defined as any operation or set of operations which is performed on Personal Data using any electronic means, including Processing and other means. This process includes collection, storage, recording, organization, adaptation, alteration, circulation, modification, retrieval, exchange, sharing, use, or classification or disclosure of Personal Data by transmission, dissemination or distribution, or otherwise making it available, or aligning, combining, restricting, blocking, erasing or destroying Personal Data or creating models therefor.

Definition of Automated Processing

“Automated Processing” is defined as Processing that is carried out using an electronic program or system that is automatically operated, either completely independently without any human intervention, or partially independently with limited human supervision and intervention.

Definition of Controller

“Controller” is defined as an establishment or natural person who has Personal Data and who, given the nature of his / her activity, specifies the method, criteria and purpose of Processing such Personal Data, whether individually or jointly with other persons or establishments.

Definition of Processor

“Processor” is defined as an establishment or natural person who processes Personal Data on behalf of the Controller, as directed and instructed by the Controller.

Definition of Data Subject

“Data Subject” is defined as The natural person who is the subject of the Personal Data.

Last modified 27 January 2025

Definition of Personal Data

Personal data is defined under section 2 of the Data Protection and Privacy Act as information about a person from which the person can be identified such as information relating to nationality, age, marital status, education level, occupation and identity data.

This information is considered personal data regardless of the form in which the information is recorded.

Definition of Sensitive Personal Data

The term “sensitive personal data” is not defined under Uganda’s data protection law.

However, section 9 of the Data Protection and Privacy Act defines a related term, “special personal data”, as data which relates to the religious or philosophical beliefs, political opinion, sexual life, financial information, health status or medical records of an individual.

Last modified 27 January 2025

Definition of personal data

Data Protection Law defines "personal data" as data or an aggregation of data on an individual who is identified or can be precisely identified.

Definition of sensitive personal data

There is no definition of "sensitive personal data".

However, there is general prohibition to process personal data with regard to racial or ethnic origin, political, religious ideological convictions, participation in political parties and trade unions, accusation in criminal offenses or conviction to criminal punishment, as well as data relating to the health or sex life of an individual.

Processing of such data is allowed if unambiguous consent has been given by the personal data subject or based on exemptions envisaged by Data Protection Law (eg. the processing is performed for the reasons of protection of vital interest of individuals, healthcare purposes, in course of criminal proceedings, anti-terrorism purposes, etc.).

Last modified 27 January 2025

"Personal data" is defined as "any information relating to an identified or identifiable natural person" (Article 4). A low bar is set for "identifiable" – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The UK GDPR creates more restrictive rules for the processing of "special categories" (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The UK GDPR is concerned with the "processing" of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a "controller" or a "processor". The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

"Public authority" and "public body" are expressions used in the UK GDPR. The DPA defines them by reference to the definition of "public authority" used in the Freedom of Information Act 2000.

The DPA also clarifies that, where the purpose and means of processing are determined by an enactment of law, then the person on whom the obligation to process the data is imposed by the enactment is the controller.

Last modified 6 February 2025

Definition of personal data

Varies widely by law and regulation. The definition of personal information varies under US law. Some laws—such as data breach and security laws—apply more narrowly, to sensitive personal information, such as government identifiers, financial account information, password, biometrics, health insurance or medical information, and other information that can lead to identity fraud and theft or financial harm. On the other hand, under a number of state and federal laws, personal information broadly includes any information that identifies or is linked or reasonably linkable to an individual.

California

Under the CCPA, personal information includes information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The definition specifically includes name, alias, contact information, government IDs, biometrics, genetic data, location data, account numbers, education history, purchase history, online and device IDs, and search and browsing history and other online activities, if such information is linked or linkable with a particular consumer or household. Excluded from the definition are deidentified information and information lawfully made publicly available through various means, such as through government records or by the consumer.

Under the law, 'consumer' is broadly defined as any resident of California.

Other State Comprehensive Privacy Laws

Under the other eighteen comprehensive state privacy laws, personal data includes information that is linked or reasonably linkable to an identified or identifiable individual, who is a resident of the particular state acting an individual or household capacity. Deidentified data, personal data made publicly available, and personal data about individuals acting in an employment or B2B context are generally not in scope.

Definition of sensitive personal data

Varies widely by sector and by type of statute.

Generally, includes personal health data, financial data, credit worthiness data, student data, biometric data, personal information collected online from children under 13, and information that can be used to carry out identity theft or fraud are considered sensitive, and subject to additional restrictions and regulations.

For example, state breach notification laws and data security laws generally apply to more sensitive categories of information, such as Social security numbers and other government identifiers, credit card and financial account numbers, passwords and user credentials, health or medical information, insurance ID, digital signatures, and/or biometrics.

California

The CCPA defines sensitive personal information as personal information that reveals about a consumer one or more of the following types of information, including:

Social Security, driver’s license, state identification card or passport number
account log-in, financial account, debit card or credit card number in combination with any required security or access code, password or credentials allowing access to an account
precise geolocation
racial or origin, citizenship or immigration status, religious or philosophical beliefs, or union membership
contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication
genetic data
biometric information
health information
information about sex life or sexual orientation

Other State Comprehensive Privacy Laws

Under the other comprehensive state privacy laws, the definition of sensitive data is a sub-cateogry of peronsal data and largely the same with various states adding or subtracting certain data elements from the above list.

Washington

Washington’s MHMD Act introduced a very broad definition of consumer health data, which includes: “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status."

For the purposes of this definition, physical or mental health status includes, but is not limited to:

Individual health conditions, treatment, diseases, or diagnosis
Social, psychological, behavioral, and medical interventions
Health-related surgeries or procedures
Use or purchase of prescribed medication
Bodily functions, vital signs, symptoms, or measurements of the information described in subsection (8)(b)
Diagnoses or diagnostic testing, treatment, or medication
Gender-affirming care information
Reproductive or sexual health information
Biometric data
Genetic data
Precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies
Data that identifies a consumer seeking health care services
Any information that a regulated entity or a small business, or their respective processor, processes to associate or identify a consumer with the data described in (b)(i) through (xii) of this subsection that is derived or extrapolated from nonhealth information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning)

This definition could arguably include any category of personal data (e.g., the inclusion of inference data makes it difficult to exclude any data whatsoever in the health, wellness, and fitness space). In addition, “health care services” includes any service provided to a person to assess, measure, improve, or learn about a person's health.

Last modified 6 February 2025

Definition of Personal Data

Any kind of information related to an individual or legal entity identified or identifiable.

Definition of Sensitive Personal Data

Any kind of Personal Data revealing an individual's racial or ethnic origin, political preferences, religious or moral beliefs, trade union membership or any kind of information concerning their health or sexual life.

Definition of Data Controller

A natural or legal person, whether public or private, who owns the database or determines the content, purposes and use of the Data Processing.

Definition of Data Processor

A natural or legal person, whether public or private, who, either individually or jointly with others, processes Personal Data under the instruction and on behalf of the Data Controller.

Definition of Processing

Systematic operations and procedures, whether automated or not, that enable the processing of Personal Data, as well as any disclosures to third parties via communications, consultations, interconnections, or data transfers.

Last modified 28 January 2024

Definition of personal data

The Law on Personal Data defines Personal Data as information recorded on electronic, paper and / or other tangible medium, relating to a specific individual or that allows to identify such individual (i.e. ‘subject of personal data’).

Apart from the above, the Law on Personal Data distinguishes separate types of personal data in respect of which the Law imposes a special processing and protection regime. They include:

special personal data, i.e. data about racial or social origin, political, religious or ideological beliefs, membership in political parties and trade unions, as well as data regarding physical or mental health, information about private life and criminal records;
biometric personal data, i.e. personal data characterizing anatomical and physiological characteristics of the subject of personal data; and
genetic personal data, i.e. personal data related to the inherited or acquired characteristics of the subject of personal data, which is the result of the analysis of the biological sample of the subject or the analysis of another element that allows to obtain equivalent information.

Definition of sensitive personal data

The Law on Personal Data does not provide for an express definition of sensitive personal data. Yet, it distinguishes the category of special personal data. Under the foregoing Law, special personal data includes:

data about racial or social origin;
data about political, religious or ideological beliefs;
data about membership in political parties and trade unions;
data about physical and mental health; and
data about private life and criminal records.

Last modified 27 January 2025

Definition of Personal Data

There is no legal definition of “Personal Data” in Venezuelan legislation.

Nonetheless, decision No. 855 of the TSJ, of May 8, 2012, gave us the following definition of Personal Data: “Any information related to an identified or identifiable individual”.

Likewise, any Personal Data must be processed fairly and responsibly for particular purposes, on the basis of the data subject's consent or as a consequence of some other legitimate basis, provided by law.

Definition of Sensitive Personal Data

There is no legal definition of “Sensitive Personal Data” in Venezuelan legislation.

However, in decision No. 1335 of the TSJ, of August 8, 2011, in a case on the sensitive and personal data in a medical record, the TSJ expressed that any such data must be handled under the strictest confidentiality and privacy controls, and its content must not be disclosed.

The decision says that sensitive and personal data is a person’s most genuine and authentic assets, and, as such, is the absolute owner and holder of all that information, only that person can grant permission for its use and treatment.

Under this decision, we can conclude that any person’s intimate data can also be considered to be Sensitive Personal Data, and, as such, must be confidential, be duly guarded and only that person can grant permission for its use and treatment.

Last modified 12 December 2022

Definition of personal data

Under the PDPD, personal data is defined as information on an electronic medium in the form of symbols, letters, numbers, photos, sounds, or the like that is associated with or helps to identify a specific individual. Information that helps to identify a specific individual is further clarified as information generated from an individual's activities that, when combined with other data and stored information, can identify a particular person.

Definition of sensitive personal data

The PDPD classifies personal data into two categories of “basic personal data” and “sensitive personal data”. Accordingly, basic personal data includes:

surname, middle name, and birth name, alias (if any);
date of birth, date of death or date of going missing;
gender;
place of birth, place of birth registration, permanent residence, current residence, hometown, contact address;
nationality;
personal image;
phone number, ID card number, personal identification number, passport number, driver's license number, plate number, personal tax identification number, social insurance number; health insurance card number;
marital status;
family relationship information (parents, children);
digital account information, personal data that reflects activities and activity history in cyberspace; and
information associated with an individual or used to identify an individual other than sensitive personal data.

On the other hand, sensitive personal data is defined as personal data in association with individual privacy which, when being infringed, will directly affect an individual's legal rights and interests, and includes:

political and religious views;
health conditions and personal information stated in health record, excluding information on blood type;
information about racial or ethnic origin;
information about genetic data relating to inherited or acquired genetic characteristics of each individual;
information about physical or biological characteristics of each individual;
information about criminals and criminal acts collected and stored by law enforcement agencies;
information about sex life and sexual orientation of each individual;
information on customers of credit institutions, foreign bank branches, intermediary payment service providers and other;
licensed institutions, including: customer identification as prescribed by law, accounts, deposits, deposited assets,
transactions, organizations and individuals that are guarantors at credit institutions, bank branches, and intermediary payment service providers;
personal location data identified via location services; and
other specific personal data as specified by law as special and subject to necessary confidentiality measures.

Definition of Data Controller, Data Processor, Data Controller-Processor and Third Party

The PDPD also provides the definitions and roles of different stakeholders involved in the collection and processing of personal data with their respective obligations, notably:

Data controller

A data controller is an organization or individual that decides the purposes and means of processing personal data. The controller is responsible for serving privacy notices to and obtaining consent from the data subjects, preparing and filing to the authority a Data Processing Impact Assessment (“DPIA”) and Cross-border Transfer Impact Assessment (“TIA”), notifying the authority of violations of regulations on personal data protection, ensuring and honouring the data subjects’ rights, etc.

Data processor

A data processor is an organization or individual that processes data on behalf of the controller via a contract or agreement with the controller. Accordingly, the processor must receive and process personal data strictly in compliance with the contract or agreement with the controller. In particular, after the completion of the data processing / agreed purposes, the law requires the processor to delete and return all personal data to the controller. The processor is responsible for preparing and filing to the authority a processor’s DPIA and a TIA, notifying the controller of violations of regulations on personal data protection, etc.

Data controller-processor

A data controller-processor is an organization or individual that jointly decides the purposes and means, and directly processes personal data. Consequently, the controller-processor must fully comply with both the responsibilities of the controller and the processor.

Third party

A third party is defined as “an organization or individual other than the data subject, data controller or the data processor that is permitted to process personal data”.

Definition of Personal Data Processing

Under the PDPD, “personal data processing”, or “processing” is rather broad. It refers to one or multiple activities that impact personal data, including collection, recording, analysis, confirmation, storage, rectification, disclosure, combination, access, tracing, retrieval, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction or other relevant activities. With such wide and open-ended definition of personal data processing, it appears that all types of activities related to personal data could be considered processing personal data and subject to the requirements prescribed by the PDPD.

Last modified 20 January 2025

Definition of Personal Data

Data which relates to an individual who can be directly or indirectly identified from that data which includes a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Definition of Sensitive Personal Data

Personal data which by its nature may be used to suppress the data subject’s fundamental rights and freedoms and includes:

the race, marital status, ethnic origin or sex of a data subject;
genetic data and biometric data;
child abuse data;
a data subject’s political opinions;
a data subject’s religious beliefs or other beliefs of a similar nature;
whether a data subject is a member of a trade union; or
a data subject’s physical or mental health, or physical or mental condition.

Last modified 27 January 2025

Definition of personal data

According to the Act, “personal information” means information relating to a data subject, and includes:

the person’s name, address or telephone number;
the person’s race, national or ethnic origin, colour, religious or political beliefs or associations;
the person’s age, sex, sexual orientation, marital status or family status;
an identifying number, symbol or other particulars assigned to that person;
fingerprints, blood type or inheritable characteristics;
information about a person’s health care history, including a physical or mental disability;
information about educational, financial, criminal or employment history;
opinions expressed about an identifiable person;
the individual’s personal views or opinions, except if they are about someone else; and
personal correspondence pertaining to home and family life.

Definition of sensitive personal data

According to the Act, “sensitive data” refers to:

information or any opinion about an individual which reveals or contains the following—
racial or ethnic origin;
political opinions;
membership of a political association;
religious beliefs or affiliations;
philosophical beliefs;
membership of a professional or trade association;
membership of a trade union;
sex life;
criminal educational, financial or employment history;
gender, age, marital status or family status;
health information about an individual;
genetic information about an individual; or
any information which may be considered presenting a major risk to the rights of the data subject.

Definition of personal life data

There is no definition of “Personal Life Data” in the Act or the Regulations.

Definition of biometric personal data

According to section 2 of the Regulations, “biometric data” means physiological characteristics which are related to a data subject and include but are not limited to the following:

Fingerprints;
Palm veins;
Face recognition.

Definition of publicly available personal data

There is no definition of "Publicly Available Personal Data" in the Act or in the Regulations.

Last modified 27 January 2025

Quick links

Data Protection in Albania

Definitions

Definition of Personal Data

Definition of Sensitive Personal Data

Definition of personal data

Definition of sensitive personal data

Definition of personal data

Definition of sensitive personal data

Definition of personal data

Definition of sensitive personal data

Definition of sensitive personal data

Definition of personal life data

Definition of biometric personal data

Definition of publicly available personal data

Definition of Personal Data

National Ordinance Person Registration

GDPR

Definition of Sensitive Personal Data

National Ordinance Person Registration

GDPR

Definition of personal data

Definition of sensitive personal data

EU regulation

Austria regulation

Definition of Personal Data

Definition of Sensitive Personal Data

Definition of Personal Data

Definition of Sensitive Personal Data

Definition of personal data

Definition of sensitive personal data

Definition of personal data

Definition of sensitive personal data

Definition of Personal Data

Definition of Sensitive Personal Data

Definition of personal data

Definition of sensitive personal data

EU regulation

Belgium regulation

Footnotes

Definition of Personal Data

Definition of Sensitive Personal Data

Definition of use

Definition of personal data

Definition of sensitive personal data

There are no official definitions of personal data or sensitive personal data.

Definition of Personal Data

Personal Data Protection Act BES

GDPR

Definition of Sensitive Personal Data

Personal Data Protection Act BES

GDPR

Definition of personal data

Definition of sensitive personal data

Definition of personal data

Definition of sensitive personal data

Definition of personal data

Definition of sensitive personal data

Definition of personal data

Definition of sensitive personal data

Other key definitions

Definition of personal data

Definition of sensitive personal data

EU regulation

Bulgaria regulation

Definition of personal data

Definition of sensitive personal data

Definition of Personal Data

Definition of Sensitive Personal Data

Definition of personal data

Definition of sensitive personal data

Definition of Personal Data

Definition of Sensitive Personal Data

Definition of personal data

Definition of sensitive personal data

Definition of personal data

Definition of sensitive personal data

Definition of anonymized information

Definition of de-identified information

Definition of biometric information