Article 4 of Regulation (EU) 2016/679 (the “GDPR”) defines “processing” of personal data as any operation carried out with or without the help of electronic means, concerning the collection, recording, organisation, storage, consultation, processing, modification, selection, retrieval, comparison, use, association, blocking, communication, dissemination, erasure and destruction of data, even if not recorded in a database. Any single one of the operations listed above is sufficient to constitute processing of personal data.
Article 4 defines the Data Controller as the individual or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and methods of personal data processing. Where the purposes and methods of such processing are determined by EU or Member State law, the Data Controller or the criteria applicable to its designation may be established by EU or Member State law.
Under Art. 4, paragraph 8 of the GDPR, a Data Processor is defined as a third party that processes personal data on the Data Controller’s behalf. The Data Controller must use Data Processors that provide sufficient guarantees to put in place technical and organisational measures to ensure compliance with the GDPR and any applicable privacy legislation requirements. The relationship between Data Controller and Data Processor is governed, under Art. 28 of the GDPR, by a contract or other legal document, which binds the Data Processor to the Data Controller and sets out certain elements such as the subject, duration, nature and purpose of the processing, the type of personal data, the categories of data subjects and the Data Controller’s obligations and rights.