Definitions in the GDPR
Date of last review: 2023-07-11
Below, you will find a selection of important terms in the GDPR that you should become familiar with when working with personal data (also included in the Glossary).
Data subject
Personal data
Any information related to an identified or identifiable (living) natural person. This can include identifiers (name, identification number, location data, online identifier or a combination of identifiers) or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the person. Moreover, IP addresses, opinions, tweets, answers to questionnaires, etc. may also be personal data, either on their own or in combination with one another.
Of note: as soon as you collect data related to a person who is identifiable, you are processing personal data. Additionally, pseudonymised data are still considered personal data. Read more in "What are personal data?".
Special categories of personal data
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic and biometric data when meant to uniquely identify someone
- physical or mental health conditions
- an individual’s sex life or sexual orientation
- the data subject has provided explicit consent to process these data for a specific purpose,
- the data subject has made the data publicly available themselves,
- processing is necessary for scientific research purposes and obtaining consent is impossible or would require an unreasonable amount of effort.
Contact your privacy officer if you wish to process special categories of personal data.
Processing
Controller
The natural or legal entity that, alone or with others, determines or has an influence on why and how personal data are processed. On an organisational level, Utrecht University (UU) is the controller of personal data collected by UU researchers and will be held responsible in case of GDPR infringement. On a practical level, however, researchers (e.g., Principal Investigators) often determine why and how data are processed, and are thus fulfilling the role of controller themselves.
Note that it is possible to be a controller without having access to personal data, for example if you assign an external company to execute research for which you determined which data they should collect, among which data subjects, how, and for what purpose.
Processor
Legal basis
Anonymous data
- by combining variables or datasets (e.g., a combination of date of birth, gender and birthplace, or the combination of a dataset with its name-number key)
- via inference, i.e., when you can deduce who the data are about (e.g., when “profession” is Dutch prime minister, it is clear who the data are about)
- by singling out a single subject, such as through unique data points (e.g., someone who is 210 cm tall is relatively easy to identify)
Anonymous data are no longer personal data and thus not subject to GDPR compliance. In practice, anonymous data may be difficult to attain, and care must be taken to ensure that the data legitimately cannot be traced to an individual in any way. The document Opinion 05/2014 on Anonymisation Techniques explains the criteria that must be met for data to be considered anonymous.