Any information relating to an identified or identifiable natural person (data subject), directly or indirectly, by reference to an identifier or factors specific to their identity.

Data that does not relate to an identified or identifiable person, or has been rendered anonymous so the person is not identifiable by any means reasonably likely to be used. GDPR does not apply.

Processing of personal data so it cannot be attributed to a specific person without additional information kept separately and protected. Still personal data under GDPR.

The identified or identifiable natural person to whom personal data relates.

Any operation performed on personal data, automated or not, such as collection, storage, use, disclosure, or erasure.

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

A natural or legal person, public authority, agency or another body, to which personal data are disclosed, whether a third party or not.

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Core GDPR Concepts: Personal Data, Roles and Territorial Scope — CIPP/E Exam Prep: Mastering European Data Protection Law and the GDPR

Q: A Spanish student keeps a private paper notebook of friends' birthdays and phone numbers, not organised in any structured index, and never shares it. Does GDPR apply?

No, because it is a purely personal or household activity.. This is a purely personal/household activity, excluded under Article 2(2)(c). Also, the notes are not part of a structured filing system. So GDPR does not apply.

Step 1 – Why These Definitions Matter

Why Definitions Matter

In GDPR, small wording differences can change legal outcomes. Exams love questions on Articles 2–4 and 3. This module gives you a decoding toolkit for these core definitions.

What You Will Learn

You will learn to distinguish personal, anonymous and pseudonymous data; identify data subjects; recognize processing and filing systems; and label controllers, processors and recipients.

Scope and Roles

You will also decide when GDPR applies (material and territorial scope) and see how role allocation affects accountability, contracts and liability under GDPR today.

Step 2 – Personal Data, Anonymous Data, Pseudonymisation

Personal Data

Personal data is any information relating to an identified or identifiable natural person. Identifiable includes direct or indirect identification via names, IDs, location, online identifiers or characteristics.

Anonymous Data

Anonymous data is information where no one can identify the person using means reasonably likely to be used. True anonymisation is hard; if re‑identification is realistic, GDPR still applies.

Pseudonymisation

Pseudonymisation replaces identifiers with codes, but a key exists to re‑identify. It reduces risk but the data is still personal data, so GDPR continues to apply.

Data Subject

The data subject is the identified or identifiable natural person the data relates to. GDPR focuses on living humans, not companies, though some national laws add extra rules.

Step 3 – Personal vs Anonymous vs Pseudonymous: Quick Scenarios

Scenario 1–2

IP addresses in logs are usually personal data because users can be identified. A statistic like "35% of students failed" with no way to single out individuals is typically anonymous.

Scenario 3–4

Random IDs with a separate key: pseudonymous personal data. Irreversibly blurred faces and deleted originals, with no realistic re‑identification: anonymous data.

Scenario 5 + Strategy

Hashes linked to original emails via another system are pseudonymous personal data. Exam tip: if anyone can reasonably re‑identify a person, treat the data as personal data.

Step 4 – Processing and Filing Systems

What is Processing?

Processing is any operation on personal data: collecting, storing, using, disclosing, or deleting. In exams, almost any handling of personal data counts as processing.

Filing Systems

A filing system is a structured set of personal data, digital or paper, accessible by criteria like name or ID. Think HR databases or paper files sorted by patient number.

Material Scope

GDPR covers automated processing and non‑automated processing that is part of a filing system. Random, unstructured notes may fall outside, but structured CRMs and files are in scope.

Key Exclusions

GDPR does not apply to national security, purely personal or household activities, or certain law‑enforcement processing covered by other EU rules.

Step 5 – Controller, Joint Controllers, Processor, Recipients

Controller

The controller decides the purposes and essential means of processing. Ask: who decides why and, in a meaningful way, how the data is processed?

Joint Controllers

Joint controllers jointly determine purposes and means. They must allocate responsibilities in an arrangement and are each accountable to data subjects and authorities.

Processor

A processor processes personal data on behalf of a controller, following its instructions. The relationship must be governed by an Article 28 data processing agreement.

Recipients and Third Parties

A recipient is anyone to whom data is disclosed. A third party is anyone other than the data subject, controller, processor and those under their authority.

Why Roles Matter

Roles determine accountability, who must do DPIAs and breach notifications, what contracts are needed, and who is primarily liable and can be fined.

Step 6 – Role Allocation in Realistic Chains

Shop + Cloud Provider

Online shop decides why and how customer data is used: controller. Cloud host just runs the systems under instructions: processor.

University + Survey SaaS

If the survey platform only follows the university’s instructions, it is a processor. If it also uses the data for its own purposes, it may be a separate controller for that use.

News Site + Social Media Plugin

Embedding a tracking plugin often makes the site and platform joint controllers for collection and transmission of visitor data, based on CJEU case law.

HR + Payroll

The employer decides HR purposes: controller. The payroll bureau processes employee data on the employer’s behalf: processor.

Exam Tactic

Ask: who decides purposes and essential means? One party: controller. Two together: joint controllers. One just follows instructions: processor.

Step 7 – Territorial Scope: When Does GDPR Apply Geographically?

Establishment Criterion

GDPR applies to processing in the context of an EU establishment’s activities, regardless of where the processing physically happens. Establishment is interpreted broadly.

Targeting Criterion

Non‑EU organisations are covered if they offer goods or services to people in the EU or monitor their behaviour in the EU, for example via tracking and profiling.

Processor in the EU

If a processor is in the EU, GDPR applies to processing done in the context of that processor’s EU activities, even if the controller is outside the EU.

Location, Not Nationality

GDPR protects individuals in the EU, regardless of nationality. A US tourist in Paris is covered; an EU citizen in Brazil may not be, unless targeting or establishment criteria are met.

Step 8 – Territorial Scope Thought Exercise

Decide whether GDPR applies. Focus on where people are, establishments, and targeting/monitoring.

Scenario A:

A Canadian fitness app has no EU office.
Its app is in English only, priced in CAD and USD, and not marketed to the EU.
EU residents can technically download it via app stores, but there is no EU-specific targeting.

Question: Is GDPR likely to apply just because EU users download the app?

Think: Is there an EU establishment? Clear targeting of EU users? Monitoring of behaviour in the EU?

Scenario B:

The same Canadian app adds German and French language versions, offers prices in EUR, and runs online ads targeted at users in Germany and France.

Question: How does this change the analysis?

Scenario C:

A US analytics company with no EU office tracks visitors on EU news sites via cookies, building profiles for targeted ads.

Question: Does GDPR apply? Under which criterion?

Reflect and write down your reasoning in 2–3 bullet points for each scenario before checking against model answers in class or notes.

Step 9 – Quick Check: Roles and Data Types

Test your understanding with two focused questions.

A hospital outsources MRI image storage to a specialized cloud provider. The hospital decides which patients are scanned, why scans are taken, and how long to keep them. The cloud provider stores encrypted images and may not use them for any other purpose. Which statement is most accurate under GDPR?

The hospital is the controller; the cloud provider is the processor.
Both the hospital and the cloud provider are joint controllers.
The hospital is a processor; the cloud provider is the controller.
Neither party is a controller because medical data is special category data.

Show Answer

Answer: A) The hospital is the controller; the cloud provider is the processor.

The hospital decides the purposes (diagnosis, treatment) and essential means, so it is the controller. The cloud provider processes data on behalf of the hospital following instructions, so it is a processor. Special category status does not remove the need for a controller.

Step 10 – Quick Check: Territorial and Material Scope

One more question on scope.

A Spanish student keeps a private paper notebook of friends' birthdays and phone numbers, not organised in any structured index, and never shares it. Does GDPR apply?

Yes, because it is personal data and on EU territory.
No, because it is a purely personal or household activity.
Yes, because any personal data about EU residents is covered.
No, because paper records are always excluded.