Definitions
The legal definitions found in the GDPR are not easy to read and understand, not even for privacy professionals. This is evident from how much the interpretation can differ in case law and guidelines from authorities and courts in different countries, as well as from the EU Court of Justice.
Below, we have gathered the words most frequently used by us in this privacy center, to help you understand their meaning. We have not only included the legal definition (which is not always so helpful), but also an explanation in other words and examples.
If you would like more information, we encourage you to visit the website of a data protection authority. Through this link, you will find the website addresses of the data protection authorities in the EU/EEA.
Legal definition:
Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of personal data; where the purposes and means of such Processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law.
In other words:
The data controller is the Getinge company (or any other company or person) that decides why the personal data is used in a certain way, and what that use will look like. One example, as described in our privacy notice for customers, is that the Getinge company that sells a product to your employer will be the data controller for any handling of your personal data when employees of that Getinge company communicate with you in relation to such a purchase. In the same way, your employer will be the data controller for the personal data it uses about Getinge employees. We have each separately decided what personal data we need to make sure we can communicate efficiently, in which way we will use it, and for how long such personal data will be saved. Another example is that your employer, in many situations, is the data controller for your personal data as an employee.
Legal definition:
Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
In other words:
A data processor is a company (either an external company or a group company) that does not have the decision-making power of the data controller, and instead acts on behalf of that company, following the data controller’s instructions. One example could be a cloud service provider providing any type of IT system used at a hospital.
Legal definition:
A data subject means an identified or identifiable natural person to whom the personal data relates.
In other words:
You, or anyone else, as an individual, whose personal data we in any way use.
Processing of personal data is only lawful if the data controller can show that it has a valid legal basis. This means that Getinge must, before the processing of personal data starts, identify the applicable legal basis and ensure that its requirements are fulfilled. There are six legal bases in the GDPR:
a) Consent - The data subject has given consent to the processing of his or her personal data for one or more specific purposes
b) Performance of a contract - processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
c) Legal obligation - processing is necessary for compliance with a legal obligation to which the controller is subject
d) Vital interest - processing is necessary in order to protect the vital interests of the data subject or of another natural person
e) Public interest - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
f) Legitimate interest - processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
For Getinge, it is mainly the legal bases mentioned under (a)-(c) and (f) that apply. These are all mentioned in our privacy notices. Below we provide some more information regarding each of these.
Consent
Consent is defined in the GDPR as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
In other words, this means we need to make sure that you have been properly informed of what we intend to do with your personal data, and that you have voluntarily given clear approval.
Performance of a contract
This legal basis applies if we need to process your personal data in order to perform our obligations under the contract we have entered into with you. For example, we may need bank details to execute payment as a result of your fulfillment of a task, we certainly need your name and personal identity number to be able to identify you as a party to the agreement, and your contact details, in order to communicate regarding the agreement.
Legal obligation
Where we are required by law to fulfill an obligation, it might be necessary for us to process your personal data. For example, if your name and job title appear in documents we need in order to fulfill our obligations under applicable medical device laws and regulations, we would keep such documents, and keeping your personal data in those documents is justified because it is necessary for us to fulfill the legal obligation.
Legitimate interest
This legal basis is a balancing exercise where the interest of the data controller is weighed against the interest of the data subject. If Getinge concludes that the legitimate interest(s) being pursued are overridden by the data subject’s interests, rights and freedoms, and no mitigating measures can be taken, such a processing activity cannot rely on this legal basis.
Legitimate interest can be applied in different situations, such as building relationships with clients, direct marketing, fraud prevention, safety and security.
Legal definition:
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
In other words:
Personal data can be almost anything that says something about you as a person, either in itself or in combination with other information. Whether information will be regarded as personal data is thus contextual. One good example is the name of a company and its address. This information is not personal data by default. However, in combination with the full name of an employee and his/her job title, it becomes personal data, since it tells us where that person works (location) and which company is his/her employer. Another example is a name. If the name is not unique, and you do not have any additional information about that person, the name may not be linkable to an individual. However, there are of course direct identifiers that are enough on their own to identify someone, such as a personal identification number (since this is linked to a single individual).
Other examples of personal data:
- Contact details such as an e-mail address (if it, for example, includes your name and company) and telephone number.
- Age, height and weight.
- Images and sound recordings of individuals that are processed by computer can constitute personal data even if no names are mentioned.
- Encrypted data and various kinds of electronic identities, for example IP addresses and cookies are considered personal data if they can be linked to natural persons.
- Information that has been encoded, encrypted or pseudonymized but that can be related to a natural person by means of complementary data.
“Privacy notice” is not a defined term in the GDPR but is a common name for a document used by organizations to inform individuals about their processing of personal data. Giving information, such as in a privacy notice, is not only an obligation under the GDPR, but also crucial for maintaining transparency between organizations and individuals. With our privacy notices, we want to inform you about what personal data is being collected, why it is collected, how it will be used, and who it will be shared with.
Legal definition:
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
In other words:
Processing is any action taken with personal data. This can be anything from collecting and storing data to using it, sharing it, or even deleting it. If you are doing anything with personal data, you are processing it. Merely giving access to personal data is also considered processing of personal data. Some examples follow below.
Collecting:
Collecting personal data can be done e.g. in the case of collecting email addresses to be able to communicate with you and to send you marketing material or other company information.
Using:
During the monthly payroll process, the personal data you provided to your employer is used to pay your salary into your bank account and possibly also to send the related pay slip by e-mail or on paper directly to your home address.
Deleting:
Personal data is deleted when it is no longer needed for the purpose(s) for which it was originally collected and stored, and the retention period has been reached. For example, if financial laws require you to store financial documents for 10 years, the data can be deleted once that period is over.
Sharing:
Sharing can happen if we need to share your personal data with a service provider who acts as a data processor for Getinge, in order to grant you the needed access to software or solutions provided by that third party.
Recording:
Recording can happen when someone acts as a speaker in a webinar or other event and the recorded material is later shared with the participants or other individuals.
Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of the GDPR, in order to protect your fundamental rights and freedoms in relation to processing of personal data and to facilitate the free flow of personal data within the European Union.
As stated on our page covering your rights, you have the right to exercise certain rights against an organization, e.g. to get information about the processing of your personal data, to have your personal data deleted, etc. In addition, you have the right to lodge a complaint directly with the supervisory authority regarding the processing of your personal data. Through this link, you will find information about the supervisory authorities in the EU/EEA.