What are Special Categories of Personal Data under the GDPR?

The GDPR identifies certain types of personal data as ‘special categories’ of personal data meriting specific protections, as the nature of these categories means their processing could create significant risks to individuals’ fundamental rights and freedoms. These are ‘personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation’.

Genetic data is defined as ‘personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question’.

Additional guidance is also given on the meaning of data that relates to health, a phrase clearly meant to be given a broad interpretation. It means personal data ‘related to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about his or her health status’ and includes ‘all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject’, including:

Read more ...


What are the actual Obligations of Data Processors?

If you’ve been following the latest data protection news, you might have heard that under the GDPR, you can be either a data controller or a data processor.

A “Controller’ is defined in the Regulation as: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

On the other hand the Regulation defines a processor as ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’.

But the GDPR puts almost all the emphasis of enforcement on data controllers. So; what does a data processor have to do in terms of their obligations? They clearly have a very important role, even if it might not seem that way in purely legal terms.

Well, don’t fear; the info you crave is here.

Read more ...

gdpr how it applies to the cloud London Cyber Major

GDPR - How does it apply to the cloud?

The cloud. It’s all the rage with technology companies nowadays, and for good reason.

‘Cloud computing’ refers to the provision of information technology services over the Internet.

These services may be provided by a company for its users in a ‘private cloud’ or by third-party suppliers. The services can include software, infrastructure (i.e., servers), hosting and platforms (i.e., operating systems). Cloud computing has numerous applications, from personal webmail to corporate data storage.

Read more ...

Data_Processor_Data_Controller_GPDR_Cyber Major_London

Data Controller? Data Processor? What’s the difference?

The concepts of the “data controller” and “data processor” were established by the 1995 EU Data Protection Directive and remain fundamentally similar under the GDPR. This does not mean they are straightforward or mutually exclusive.

In practice, the application of these concepts has become increasingly complex due to the evolving nature of the business environment, the increased sophistication of outsourcing, and the growing tendency of organisations to centralise IT systems. However, they remain key for determining the allocation of legal obligations under the GDPR, which is essential for protecting the rights and freedoms of data subjects.

A data controller is the natural or legal person or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. In other words, the data controller is the key decision maker with regards to personal data.

Read more ...

General Data Protection Regulation_Cyber Major London

GDPR- Not just for Europeans!

I don’t know about you, but I’ve seen plenty of people saying that the upcoming GDPR only applies to EU Citizens. Nope. This is a major misconception. Let me clear this up a bit.

The GDPR applies:

a) to the processing of personal data in the context of the activities of an establishment of a data controller or a processor in the EU, regardless of whether the processing takes place in the Union or not.


b) on a long-arm, extraterritorial basis to organisations which offer to sell goods or services to or who monitor individuals in the EU.

“Establishment” means the effective and real exercise of activity through stable arrangements. (the legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect).

And what does “in the context of activities of an establishment” mean? I think the Google Spain case decided by the Court of Justice of the European Union is really helpful here.

Read more ...

Get in Touch

  • Phone
    0207 458 4088
  • Email
    This email address is being protected from spambots. You need JavaScript enabled to view it.
  • Address
    1 Canada Sq, Canary Wharf
    London, E14 5AB