# Personal data (GDPR) overview

Personal data refers to any piece of information that makes it possible to identify a natural person, either on its own or in combination with other data points, such as a phone number or a client ID. This article gives an overview of the following areas related to personal data:

* [Personal data processing](#personal-data-processing)
* [Personal data processing parties](#personal-data-processing-parties)
* [Register of Processing (GDPR)](#register-of-processing-gdpr)
* [Information obligation (GDPR)](#information-obligation-gdpr)

***

### Personal data processing

Personal data processing refers to any operation performed on an end-user's personal data, even when that data is pseudonymized.

An entity may process personal data only in a limited set of cases, each of which requires a legal basis for the processing:

* Necessity for the performance of a contract to which the data subject is party, or for pre-contractual measures requested by them (for instance: a delivery address);
* Necessity for compliance with a legal obligation (for instance: the social security number needed for pay statements and mandatory social declarations);
* Necessity to protect the vital interests of the data subject or of another natural person (for instance: the name of a patient for a hospitalization);
* A task carried out in the public interest or in the exercise of official authority vested in the data controller (for instance: the tax situation handled by the tax office);
* Necessity for the legitimate interests of the data controller or of a third person, unless the interests or fundamental rights and freedoms of the data subject prevail (for instance: login data used for statistics).

### Personal data processing parties

<table><thead><tr><th width="209">Party</th><th>Description</th></tr></thead><tbody><tr><td>Processor</td><td>The processor is the party that processes an end-user's personal data on the controller's instructions.</td></tr><tr><td>Controller representative</td><td>A controller representative is a person acting under the instructions of another party. They make no decisions about how the personal data is used.</td></tr><tr><td>Third person</td><td>A third person is any natural or legal person, public authority, agency or body other than the data subject, the processor, or the controller representative.</td></tr><tr><td>Receiver</td><td>A receiver is any person who receives or obtains access to personal data, whether a third person or not. Public authorities (customs, tax authority, etc.) that receive data in the course of an inquiry are an exception: they are not considered receivers.</td></tr></tbody></table>

### Register of Processing (GDPR)

Article 30 of the GDPR requires each controller to maintain a Register of processing activities under its responsibility. This register must contain all of the following information (some of it is the same information that must be shared with customers):

* The name and contact details of the processor and, where applicable, of the co-responsible party for the processing, the processor's representative and the Data Protection Officer: these are included in the information obligation of Articles 13 and 14 of the GDPR.
* The purposes of the processing: these are included in the information obligation of Articles 13 and 14 of the GDPR.
* A description of the categories of persons concerned and of the categories of data concerned.
* The categories of receivers to whom the data have been or will be communicated, including receivers in foreign countries or international organizations: these are included in the information obligation of Articles 13 and 14 of the GDPR.
* Where applicable, transfers of personal data to a foreign country or an international organization, including the identification of that country or international organization and, for transfers referred to in Article 49(1), second subparagraph, the documents certifying the existence of appropriate guarantees: these are included in the information obligation of Articles 13 and 14 of the GDPR.
* The time limits set for data removal: these are included in the information obligation of Articles 13 and 14 of the GDPR.
* Where possible, a general description of the technical and organizational security measures referred to in Article 32 (for instance: the pseudonymization and encryption of personal data; the measures that guarantee the confidentiality, integrity and availability of personal data and the ability to restore access to them within an appropriate time in the event of a physical or technical incident; and the procedure for regularly testing, analyzing and evaluating the effectiveness of the technical and organizational measures that ensure the security of the processing).

Each processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

* The name and contact details of the processor and, where applicable, of the co-responsible party for the processing on whose behalf it is working, and the contact details of the Data Protection Officer.
* The purposes of the processing carried out for each processor.
* Where applicable, transfers of personal data to a foreign country or an international organization, including the identification of that country or international organization and, for transfers referred to in Article 49(1), second subparagraph, the documents certifying the existence of appropriate guarantees.
* Where possible, a general description of the technical and organizational security measures.

There are exceptions to these record-keeping obligations, in particular for a company with fewer than 250 employees, unless the processing operations are risky and not occasional, or they involve special categories of personal data (sensitive data).

### Information obligation (GDPR)

The data controller must communicate the following to the user:

* Their identity and contact details.
* The contact details of the Data Protection Officer (DPO).
* The purposes of the processing of the personal data (why the data is collected) and the legal basis of the processing.
* Where applicable, the legitimate interests pursued by the controller or by a third person.
* The receivers of the data.
* Whether the controller intends to transfer the data to a foreign country (a country outside the European Union) or to an international organization, and whether or not an adequacy decision of the Committee exists, or a reference to the appropriate guarantees (such as contractual clauses or an intra-group agreement).
* The retention period of the personal data or, when that is not possible, the criteria used to determine this retention period.
* The rights the user has to access, rectification, erasure, restriction of processing, objection and portability.
* The right the user has to withdraw consent when the processing is based on consent.
* The right the user has to lodge a complaint with the supervisory authorities.
* Whether providing the data is a regulatory or contractual requirement (that is, whether it is a condition for concluding a contract).
* Whether the data processing includes automated decision-making, including profiling, and where applicable, information about the underlying logic and the significance and intended consequences of the processing for the user concerned.

