Personal data

According to Article 3 (1) of Regulation (EU) 2018/1725: "‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;".

The name and the social security number are two examples of personal data which relate directly to a person. But the definition also extends further and also encompasses for instance e-mail addresses and the office phone number of an employee. Other examples of personal data can be found in information on physical disabilities, in medical records and in an employee's evaluation.

Personal data which is processed in relation to the work of the data subject remain personal/individual in the sense that they continue to be protected by the relevant data protection legislation, which strives to protect the privacy and integrity of natural persons. As a consequence, data protection legislation does not address the situation of legal persons (apart from the exceptional cases where information on a legal person also relates to a physical person).

Personal data filing system

According to Article 3 (7) of Regulation (EU) 2018/1725, personal data filing system refers to "any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis."

The definition is independent of the size of the filing system, which may vary according to the circumstances. In some cases, such as for instance the case of disciplinary files for a small sized EU-body, the filing system can comprise just a handful of entries.


The acronym 'PETs' stands for "Privacy Enhancing Technologies". It refers to a coherent system of information and communication technology (ICT) measures that protect privacy by eliminating or reducing personal data or by preventing unnecessary and/or undesired processing of personal data, all without losing the functionality of the information system.

The use of PETs can help to design information and communication systems and services in a way that minimizes the collection and use of personal data and facilitates compliance with data protection rules. It should result in making breaches of certain data protection rules more difficult and/or helping to detect them.

PETs can be stand-alone tools requiring positive action by consumers (who must purchase and install them in their computers) or be built into the very architecture of information systems.


PNR is the acronym for "Passenger Name Record".

This information is collected by airlines or travel agencies at the time a passenger makes a reservation, before travelling. It differs from Advanced Passenger Information (API), which is collected later at the time of boarding.

In addition to the name of the passenger, PNR includes all information necessary for the reservation, such as:

  • the travel agency responsible for the booking;
  • the itinerary (including connections);
  • the flights (number, date, time);
  • groups of persons registered under the same booking;
  • the passenger's contact details (telephone number, address, etc);
  • payment/billing information;
  • hotel or car booking;
  • special service requests (such as seat number, special meal, medical assistance);
  • "frequent flyer" information.

Enforcement authorities have shown interest in the collection of PNR data, with a view to fighting terrorism and other forms of crimes. The European Union has concluded agreements with third countries requesting such information, in order to establish minimal data protection safeguards on the use of this information. The Article 29 Working Party and the EDPS have adopted official opinions on these agreements.

See also:


Privacy is the ability of an individual to be left alone, out of public view, and in control of information about oneself.

One can distinguish the ability to prevent intrusion in one's physical space ("physical privacy", for example with regard to the protection of the private home) and the ability to control the collection and sharing of information about oneself ("informational privacy").

The concept of privacy therefore overlaps, but does not coincide, with the concept of data protection.

The right to privacy is enshrined in the Universal Declaration of Human Rights (Article 12) as well as in the European Convention of Human Rights (Article 8).

Privacy by design

Privacy by design aims at building privacy and data protection up front, into the design specifications and architecture of information and communication systems and technologies, in order to facilitate compliance with privacy and data protection principles.

Processing (of personal data)

According to Article 3 (3) of Regulation (EU) 2018/1725, processing of personal data refers to "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction."

Personal data may be processed in many activities which relate to the professional life of a data subject. Examples from within the EU institutions and bodies include: the procedures relating to staff appraisals and to the billing of an office phone number, lists of participants at a meeting, the handling of disciplinary and medical files, as well as compiling and making available on-line a list of officials and their respective field of responsibilities.

Personal data relating to other natural persons than staff may also be processed. Such examples may concern visitors, contractors, petitioners, etc.


According to Article 3 (12) of Regulation (EU) 2018/1725, a processor shall mean "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."

The essential element is therefore that the processor only acts "on behalf of the controller" and thus only subject to his instructions.

For example, a security company monitoring the entries into an institution's building is not processing personal data of the persons entering a building for its own purpose, but on behalf of the institution concerned.

In some cases, the processor may choose not to process the data himself, but may have recourse to a subcontractor who processes the data on his behalf. In practice, this will depend upon the processor agreement entered into with the controller.

Processor agreement

Transfers of personal data from a data controller to a data processor must be secured by a data processor agreement. It must meet certain minimum requirements, as set forth by Article 28 of the General Data Protection Regulation and Article 29 of Regulation (EU) 2018/1725.

The contract must stipulate that the data processor shall act only on instructions from the data controller. The data processor must provide sufficient guarantees in respect of the technical security measures and organisational measure governing the processing to be carried out, and must ensure compliance with such measures.

Prüm Treaty

The Prüm Treaty is an international agreement signed on 27 May 2005 by Belgium, Germany, Spain, France, Luxembourg, Netherlands and Austria in order to improve cross-border cooperation in combating terrorism, cross-border crime and illegal immigration.

In June 2008 the Council adopted two decisions bringing the main provisions of this agreement into EU law, thus extending it to all EU Member States. These decisions focus on the exchange of biometric data (DNA and fingerprints) between police and judicial authorities, and requires Member States to set up DNA databases.

The EDPS issued two opinions (one on the initiative itself (pdf), one on its implementing rules (pdf)), recommending a step-by-step approach and highlighting that the specific provisions on data protection contained in the initiative are not stand-alone and should therefore be complemented by other general data protection rules.