3.1 Key Definitions & Material/Territorial Scope
Key Takeaways
- Personal data (Art. 4(1)) is any information relating to an identified or identifiable natural person; the GDPR protects living individuals only, not legal persons or the deceased
- Special category data (Art. 9) covers racial/ethnic origin, political opinions, religious/philosophical beliefs, trade-union membership, genetic data, biometric data used for identification, health, sex life, and sexual orientation
- Pseudonymised data is still personal data and in scope; only truly anonymised data falls outside the GDPR (Recital 26)
- Territorial scope (Art. 3) reaches non-EU controllers via the establishment test (Art. 3(1)) and the targeting test (Art. 3(2): offering goods/services to, or monitoring, EU data subjects)
Why Definitions Decide the Question
Quick Answer: Most CIPP/E questions are won or lost on definitions. Before you can pick a lawful basis or a data subject right, you must establish that the data is personal data, decide whether it is a special category under Article 9, and assign each party a role as controller or processor. The General Data Protection Regulation (GDPR) is Regulation (EU) 2016/679, applicable since 25 May 2018.
The CIPP/E (Certified Information Privacy Professional/Europe) is administered by the International Association of Privacy Professionals (IAPP). The exam is 90 multiple-choice questions (75 scored, 15 unscored pre-test items), delivered in 2.5 hours, and scored on a scaled range of 100–500 with 300 to pass. A large share of those 75 scored items reduce to a definitional judgement, so Article 4 vocabulary is the highest-leverage material in Module 3.
The definitions in Article 4 are the grammar of the entire regulation. Examiners deliberately write scenarios where the wrong definition leads to a plausible-but-wrong answer, so precision beats rote memorisation.
Personal Data and Identifiability
Personal data (Art. 4(1)) is any information relating to an identified or identifiable natural person (the data subject). A person is identifiable if they can be singled out directly or indirectly — by name, identification number, location data, an online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
What the exam tests:
- The GDPR protects living natural persons only. It does not cover the deceased (though Member States may legislate, e.g., Italy and Denmark) or legal persons such as companies.
- Online identifiers — IP addresses, cookie IDs, advertising IDs, device fingerprints — are personal data when they allow singling out (CJEU Breyer confirmed dynamic IPs can be personal data for a website operator with lawful means to obtain the identity).
- Identifiability turns on the means reasonably likely to be used, considering cost, time, and available technology (Recital 26). A purely theoretical re-identification risk does not make data personal.
A worked example: a sandwich shop loyalty number tied to a name is plainly personal data. A salary figure with no link to an individual is not — but the same figure becomes personal data the moment it sits in a row labelled by employee. Context, not the data point alone, decides.
Processing, Controller and Processor
Processing (Art. 4(2)) is any operation performed on personal data: collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure — even mere holding. The definition is deliberately exhaustive, so almost any handling counts.
Role assignment is the single most frequent exam trap. Roles are functional, not contractual: a party that calls itself a "processor" is a controller if it actually decides the purposes (why) and essential means (the core how).
| Role | Definition (Art. 4) | Diagnostic question |
|---|---|---|
| Controller | Determines the purposes and means of processing | Who decides why and how? |
| Processor | Processes personal data on behalf of the controller | Who acts only on instructions? |
| Joint controllers (Art. 26) | Jointly determine purposes and means | Do two parties decide together? |
| Recipient | Any party to whom data is disclosed | Who receives the data? |
| Third party | Not the subject, controller, processor, or staff under their authority | Who is outside the controller's authority? |
A cloud host that only follows client instructions is a processor. A payroll bureau that independently sets retention periods or repurposes data becomes a controller for those decisions. CJEU Fashion ID established that a website embedding a Facebook "Like" button is a joint controller with Facebook for the collection and transmission of visitor data, even though it never sees the data afterwards.
A UK marketing agency hires an EU-based email platform to send campaigns. The agency decides who to email, the message content, and when to delete the lists. The platform only sends mail as instructed and stores the data securely. Which role does the email platform most likely hold?
Special Category Data (Art. 9), Pseudonymisation and Scope
Special category data is sensitive data with extra protection. Processing it is prohibited unless an Article 9(2) exception applies (explicit consent, employment/social-security law, vital interests where the subject cannot consent, data manifestly made public, legal claims, substantial public interest, etc.). The categories:
- Racial or ethnic origin
- Political opinions; religious or philosophical beliefs; trade-union membership
- Genetic data; biometric data processed to uniquely identify a person
- Data concerning health, a person's sex life, or sexual orientation
Trap: criminal conviction and offence data is not an Article 9 category — it lives in Article 10 and requires official authority or Member State law. A plain photograph is special category data only when processed by biometric means for identification.
Pseudonymisation vs anonymisation is routinely confused:
- Pseudonymisation (Art. 4(5)) replaces identifiers so data cannot be attributed without additional information kept separately. Re-identification is still possible, so it remains personal data and stays in scope; it is a recognised security and "by design" safeguard.
- Anonymisation irreversibly prevents identification, putting data outside the GDPR entirely (Recital 26). If a re-identification key exists anywhere, the data is pseudonymous, not anonymous.
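The distinction above, as an added example that is not part of the original study guide: a constructed dataset is pseudonymised with a keyed token, then re-linked by whoever holds the key. The function names, the sample records and the choice of HMAC-SHA256 are assumptions made for illustration. The last case shows that an unkeyed hash has no "additional information kept separately" at all, since anyone with a list of candidate identifiers can recompute it.

```python
import hashlib
import hmac

# Constructed sample records (not from the page).
RECORDS = [
    {"email": "anna@example.com", "salary": 52000},
    {"email": "ben@example.com", "salary": 61000},
]

def _norm(identifier: str) -> bytes:
    """Normalise an identifier so the same person always maps to the same token."""
    return identifier.strip().lower().encode("utf-8")

def keyed_token(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: the key is the separately held additional information."""
    return hmac.new(key, _norm(identifier), hashlib.sha256).hexdigest()

def unkeyed_token(identifier: str) -> str:
    """Plain SHA-256: deterministic and secret-free, so anyone can recompute it."""
    return hashlib.sha256(_norm(identifier)).hexdigest()

def pseudonymise(records, tok):
    """Replace the direct identifier with a token; other fields are untouched."""
    return [{"subject": tok(r["email"]), "salary": r["salary"]} for r in records]

def reidentify(rows, candidates, tok):
    """Recompute tokens for known identifiers and link rows back to people."""
    lookup = {tok(c): c for c in candidates}
    return {lookup[r["subject"]]: r["salary"] for r in rows if r["subject"] in lookup}

def demo():
    key = b"constructed-demo-key"            # stored apart from the shared dataset
    holder = lambda s: keyed_token(s, key)   # party that holds the real key
    outsider = lambda s: keyed_token(s, b"outsider-guess")  # party without it
    candidates = ["anna@example.com", "ben@example.com", "carl@example.com"]
    shared = pseudonymise(RECORDS, holder)
    weak = pseudonymise(RECORDS, unkeyed_token)
    return {
        "key_holder": reidentify(shared, candidates, holder),
        "outsider_keyed": reidentify(shared, candidates, outsider),
        "outsider_unkeyed": reidentify(weak, candidates, unkeyed_token),
    }

if __name__ == "__main__":
    for case, linked in demo().items():
        print(case, linked)
```

Removing the email column does not by itself make the remaining rows anonymous: the salary field can still single a person out when combined with other data.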
Material scope (Art. 2) covers wholly or partly automated processing and non-automated processing of data in a filing system. Exclusions: purely personal or household activity, national security, and law-enforcement processing under the separate Law Enforcement Directive.
Territorial scope (Art. 3) uses two tests:
- The establishment test (Art. 3(1)): processing in the context of an EU establishment's activities, wherever it occurs.
- The targeting test (Art. 3(2)): a non-EU controller/processor offering goods or services (even free) to people in the EU, or monitoring their behaviour in the EU.
Many non-EU organisations that fall within scope must appoint an EU representative under Article 27.
A US e-commerce site is in English only and prices solely in US dollars, but ships worldwide and occasionally fulfils orders from individuals in France. It does no tracking or profiling of EU visitors. Is it most likely subject to the GDPR under Article 3?