GDPR, Data Protection, Privacy Compliance
The GDPR replaces Directive 95/46/EC on data protection and, by virtue of its direct effect, supersedes the national legislation of each EU Member State adopted under the former Directive. The purpose of the GDPR is to protect the rights and freedoms of natural persons (living individuals) and to ensure that personal data is not processed without their knowledge and, where required, is processed only with their specific and informed consent.
Definitions used by SunEnergies (as provided by GDPR)
Material Scope (Article 2)
The GDPR applies to the processing of personal data carried out wholly or partly by automated means (computers, laptops, digital systems), as well as to non-automated processing (paper records) where such data forms part of a filing system or is intended to form part of a filing system.
Territorial Scope (Article 3)
The GDPR applies to all data controllers established in the European Union (EU) that process personal data of data subjects, regardless of whether the processing takes place within the EU. It also applies to controllers outside the EU where personal data is processed for offering goods or services to individuals residing in the EU or for monitoring their behaviour.
Establishment
The main establishment of a controller in the EU is the place where key decisions regarding the purposes and means of data processing are taken. This is typically the location of central administration. Controllers established outside the EU must appoint a representative within the relevant EU jurisdiction to act on their behalf and liaise with supervisory authorities.
Personal Data
Any information relating to an identified or identifiable natural person (“data subject”). An identifiable person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
Special Categories of Personal Data
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as genetic data, biometric data used for unique identification, health data, and data concerning a person’s sex life or sexual orientation.
Controller
A natural or legal person, public authority, agency or other body which determines the purposes and means of processing personal data, alone or jointly with others.
Processor
A natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
Processing
Any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, restriction, erasure or destruction.
Profiling
Any form of automated processing of personal data used to evaluate personal aspects relating to an individual, including work performance, economic situation, location, health, personal preferences, reliability or behaviour.
Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Controllers are legally required to report data breaches to supervisory authorities and, where applicable, to affected individuals.
Consent of the Data Subject
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, through a clear affirmative action or statement, signify agreement to the processing of their personal data.




