Definitions

The processing of photographs should not systematically be considered to be processing of special categories of personal data, as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. The GDPR indirectly refers to a definition of "data subject", not as a stand-alone definition but rather, within the definition of personal data. In addition, the DPD95 and GDPR provide following definition of "personal data filing system"/"filing system": any structured set of personal data accessible according to specific criteria, whether centralized, decentralized, or dispersed on functional or geographical basis. It is important for organizations to distinguish, in advance of collecting personal data, whether the proposed data collection relates to general personal data or sensitive personal data. The new GDPR risk assessments, data protection impact assessments, risk consultations, and data protection by design and by default obligations now require more nuanced policies, records, and methodologies.