For the purposes of this Code, the following definitions apply:
"personal data" means any information relating to an identified or identifiable natural person (the "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
"sensitive personal data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation;
"processing" means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure, or destruction;
"controller" means the natural or legal person, public authority, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the State or one of its organs determines the purposes and means of processing, the State or the relevant organ shall be regarded as the controller;
"processor" means a natural or legal person, public authority, or other body which processes personal data on behalf of the controller;
"data subject" means an identified or identifiable natural person whose personal data is the object of processing;
"consent" means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which the data subject, by a clear affirmative act, signifies agreement to the processing of personal data relating to him or her;
"personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed;
"supervisory authority" means the independent authority established or designated under this Code to monitor and enforce the application of the data protection rules of the Principality;
"third party" means a natural or legal person, public authority, or body other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or processor, are authorised to process personal data;
"recipient" means a natural or legal person, public authority, or body to which personal data is disclosed, whether or not such person, authority, or body is a third party;
"filing system" means any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised, or dispersed on a functional or geographical basis.