Key Definitions
Personal data

Last review date: December 2024

Personal data means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Sensitive/special personal data (including personal data subject to additional protections/restrictions/breach notification obligations)

Last review date: December 2024

Sensitive data includes:

  • personal data revealing racial or ethnic origin
  • personal data revealing political opinions
  • personal data revealing religious or philosophical belief
  • personal data revealing trade / professional union or association membership
  • genetic data
  • biometric data for the purpose of uniquely identifying a natural person or biometric templates
  • data concerning health/medical information
  • data concerning a natural person's sex life or sexual orientation
  • personal data regarding an individual's criminal convictions or record

Note: financial information does not qualify as special personal data under the GDPR, but — under the practice of the NAIH — the breach of confidentiality of this category of personal data may result in a severe risk to the rights and freedoms of the data subjects. Therefore, should a personal data breach occur relative to this type of data, the NAIH would treat said event similarly to a data breach relative to special categories of personal data.

Controller vs Processor

Last review date: December 2024

Do the privacy laws distinguish between controllers/owners and processors/agents? Whereby:

  • the controller/owner is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
  • the processor/agent is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

Answer: Yes