Lesson 06 of 25
Core GDPR Definitions: Personal Data, Controller, Processor, Data Subject
5 min read · CIPP/E
Master the Article 4 definitions that decide every hard question: personal data, processing, controller versus processor, and joint controllers. Learn to read a fact pattern and name the role that drives liability.
Why definitions decide cases
- Article 4 holds the GDPR's defined terms
- Whether the GDPR applies turns on 'personal data'
- Who is liable turns on 'controller' vs 'processor'
- Domain II is the heaviest — these terms recur everywhere
Domain two is the heaviest part of the exam, and it rests on a single Article: Article 4, the definitions. Almost every hard question you will face turns on whether something is personal data, and on whether a given organisation is a controller or a processor. Get the definitions exactly right and the rest of the GDPR becomes readable; get them fuzzy and you will guess.
So let's be precise. We will define personal data, data subject, processing, controller, and processor, and we will practise applying them, because the exam rarely asks you to recite a definition. It asks you to use it in a fact pattern.
Personal data and the data subject
- Personal data — any info relating to an identified or identifiable person
- Identifiable — directly or indirectly (a name, an ID, online identifiers)
- The data subject is the living individual the data is about
- Recital 26 — judge identifiability by means reasonably likely to be used
Article 4(1) defines personal data as any information relating to an identified or identifiable natural person. The natural person, the living human being the data is about, is the data subject. The crucial word is identifiable.
A person is identifiable if they can be singled out directly, by a name, or indirectly, by reference to an identifier such as an identification number, location data, an online identifier like an IP address or cookie ID, or factors specific to their physical, economic, or social identity. Recital 26 tells us to assess identifiability by reference to the means reasonably likely to be used to identify the person. So personal data is a broad concept, broader than many candidates expect, and that breadth is exactly what the exam probes.
Processing is almost everything
- Processing — any operation on personal data
- Collection, storage, use, disclosure, erasure — all processing
- Automated or manual (in a filing system)
- If you touch personal data, you are processing it
Article 4(2) defines processing extremely broadly: any operation performed on personal data. Collecting it, recording it, organising it, storing it, retrieving it, using it, disclosing it, combining it, restricting it, erasing it, all of that is processing. It covers both automated processing and manual processing where the data forms part of a filing system.
The practical takeaway is that almost anything you do with personal data counts as processing and therefore needs a lawful basis. When an exam question describes an organisation merely holding records, or even deleting them, remember that storage and erasure are both processing. The consequence is that there is almost no way to touch personal data that escapes the GDPR; the only real exits are the data ceasing to be personal, through genuine anonymisation, or one of the scope exemptions we will meet in Domain four.
Controller versus processor
- Controller — determines the purposes and means of processing
- Processor — processes on the controller's behalf, on instructions
- The controller decides the 'why' and the 'how'
- Roles drive liability and the Article 28 contract
Now the distinction that decides liability. Under Article 4(7), the controller is the entity that determines the purposes and the means of the processing: in plain terms, the why and the how. Under Article 4(8), the processor processes personal data on behalf of the controller, acting on the controller's instructions.
The classic example: a company that decides to run a payroll is the controller; the outside payroll bureau it hires is the processor. The roles are not about size or sophistication; they are about who decides. And the roles matter enormously, because the controller carries primary responsibility, and a controller and processor must put an Article 28 contract in place, which we will cover in the security lecture.
Joint controllers and applying the roles
- Joint controllers — two+ jointly determine purposes and means (Art. 26)
- They must arrange their respective responsibilities transparently
- An entity can be controller for one activity, processor for another
- Read the fact pattern for who decides
Sometimes two organisations jointly decide the purposes and means of the same processing; Article 26 calls them joint controllers, and they must agree, in a transparent arrangement, who is responsible for what, especially for handling data subject rights. The CJEU has read joint control quite broadly, for example treating an organisation that runs a social-media fan page as a joint controller with the platform. One more subtlety the exam loves: the same company can be a controller for one activity and a processor for another.
So never label an entity once and forget it; read each scenario and ask: for this processing, who determined the purposes and the means? That single question answers most role questions.
Recap
- Personal data = info on an identified/identifiable person
- Processing = almost any operation on it
- Controller decides why/how; processor acts on instructions
- Joint controllers share the decision (Art. 26)
Let's lock in Article 4. Personal data is any information relating to an identified or identifiable living person, judged by the means reasonably likely to be used. Processing is almost any operation on that data, from collection to deletion.
The controller determines the purposes and means; the processor acts on the controller's instructions; and joint controllers share that decision under Article 26. The same body can switch roles depending on the activity. Next, we narrow in on the data that gets special protection, the special categories under Article 9, and we draw the vital line between pseudonymous and anonymous data.
Go test yourself on the definitions first.
Sources
- Regulation (EU) 2016/679 (GDPR), Article 4 (definitions), Article 26 (joint controllers), Recital 26
- CJEU case law on identifiability
- EDPB guidance on the concepts of controller and processor
Test your knowledge
A few CIPP/E questions on this material.
Q1. What is the fundamental difference between an EU Directive and an EU Regulation as a legislative form?
Q2. In which case did the CJEU first use the preliminary-reference procedure to invalidate a Commission adequacy decision on grounds that US surveillance law did not provide adequate protection?
Q3. According to Article 1 of the GDPR, the Regulation pursues two goals that can pull in opposite directions. What are they?
Q4. A police force wants to process personal data collected during a criminal investigation. Which legal instrument primarily governs that processing?