A
Accountability: Under the GDPR, accountability signifies an organization's obligation to demonstrate compliance with the regulation. This includes implementing data protection measures, maintaining records, and responding to data subject requests.
B
Biometric data: This is information resulting from specific technical processing of the physical, physiological, or behavioral characteristics of a data subject that enables their unique identification, such as facial images or fingerprint data.
Binding corporate rules: BCRs are legally enforceable policies within a company group. They ensure adequate data protection for personal data transferred from the EU to group entities outside the EU.
C
Consent: Voluntary, specific, informed, and clear indication of a data subject's agreement to the processing of their personal data; consent is expressed through a statement or affirmative action.
Cross-border processing: Cross-border processing means handling personal data that touches more than one EU country. This happens either if a company operates in multiple EU locations or if its data processing significantly affects people in multiple EU countries.
D
Data controller: This is an entity, whether a person or organization, that determines the purposes and methods of processing personal data either independently or jointly with others.
Data processor: This is an entity that processes personal data on behalf of the data controller.
Data subject: This is an individual whose personal data is processed by a data controller or processor.
Data concerning health: This involves data that can expose the current and past mental or physical health situation of the data subject.
Data minimization: This is collecting and processing only the personal information absolutely necessary for the specific purpose(s) it's collected for. This reduces the amount of data you have to store and protects the data subject's privacy.
Data retention: Data retention under the GDPR refers to how long organizations are allowed to store personal data. Organizations must have a clear reason for storing the data, and they can only hold it for as long as necessary for that purpose.
Data protection officer: The DPO is an appointed individual at an organization who is responsible for ensuring GDPR compliance, managing subject access requests and complaints, liaising with the Information Commissioner's Office, and serving as the organization's expert on data privacy matters, offering guidance across all GDPR-related areas.
Data processing agreement: This is a legal contract between a data controller (who controls the data) and a data processor (who processes the data on the controller's behalf) under the GDPR. It outlines what data is processed, how it's processed, and the responsibilities of each party.
Data protection authority: A DPA is an independent entity responsible for overseeing personal data processing within its jurisdiction, advising on relevant legislative and administrative measures, and addressing citizens' complaints regarding data protection rights.
Directive 95/46/EC: Directive 95/46/EC, often referred to simply as the Data Protection Directive, was a foundational piece of legislation in the European Union (EU) regarding the protection of personal data.
E
EDPB: The European Data Protection Board (EDPB) is an independent European Union body that helps make sure the GDPR is applied consistently across Europe. It also encourages collaboration between all EU data protection authorities.
EDPS: The European Data Protection Supervisor (EDPS) acts as an independent supervisory authority, making sure EU organizations follow data protection rules when handling personal information.
F
Filing system: This is any organized collection of personal data that can be accessed according to specific criteria. It applies to both electronic and physical filing systems, whether centralized or distributed.
G
Genetic data: This involves data concerning the inherited or acquired genetic traits of an individual, providing unique information about their physiology or health, typically obtained from biological samples.
I
International organization: This is an entity established by, or based on agreements between, two or more countries governed by international law. This includes their subordinate bodies.
J
Joint supervisory authorities: Joint supervisory authorities are bodies composed of representatives from national data protection authorities designed to oversee the data protection of large-scale IT databases and certain law-enforcement agencies at the European level.
L
Lead supervisory authority: The lead supervisory authority is the primary data protection regulator responsible for overseeing and coordinating the data protection activities of an organization operating in multiple EU member states.
M
Main establishment:
For controllers: If a controller operates in multiple EU countries, the "main establishment" is usually its central administration in the EU. However, if another establishment in the EU makes decisions about data processing and has the authority to enforce those decisions, that establishment is considered the main one.
For processors: If a processor operates in multiple EU countries, the "main establishment" is its central administration in the EU. If the processor doesn't have a central administration in the EU, the "main establishment" is the location in the EU where the main data processing activities occur, as long as the processor has specific obligations under this regulation.
O
One-stop shop: In the context of the GDPR, a "one-stop shop" refers to the mechanism designed to streamline the regulatory process for multinational companies operating within the EU.
P
Personal data: Any information related to an identified or identifiable individual, directly or indirectly, including identifiers like names, ID numbers, or factors specific to the individual's identity.
Personal data breach: Unauthorized or accidental access, alteration, disclosure, or loss of personal data.
Privacy impact assessment: A PIA is the process aimed at identifying and mitigating privacy risks associated with planned data processing activities.
Principles: These are the fundamental guidelines outlined in the GDPR that delineate organizational responsibilities regarding personal data processing.
Processor: A processor is an entity that processes personal data on behalf of a controller. The processor acts under the authority of the controller and follows the controller's instructions regarding how to process the data.
Processing: Any operation performed on personal data, whether automated or not, including collection, storage, retrieval, and deletion.
Profiling: Automated processing of personal data to evaluate specific aspects of a data subject, such as work performance, economic situation, or behavior.
Pseudonymization: Processing personal data in a manner that prevents direct attribution to a specific data subject without additional information.
Personally identifiable information: PII is any information that can be used to identify a specific person, either directly (for example, name, social security number) or indirectly (when combined with other data).
R
Relevant and reasoned objection: This is a disagreement with a draft data privacy ruling. It argues why the proposed decision could harm people's privacy rights or the free movement of data within the EU.
Right of access: This is an entitlement for data subjects to access and obtain information about their personal data processed by the data controller.
Right of rectification: This right enables data subjects to request the correction of inaccurate or incomplete personal data held by data controllers.
Right to object: This right allows data subjects to object to the processing of their personal data in certain circumstances.
Right to erasure: This right allows data subjects to request the deletion of their personal data by data controllers. Deletion can be requested if the data is no longer needed for its initial purpose, if the data subject withdraws their consent, if the data is being used unlawfully, or if its retention violates other regulations.
Right to data portability: The right to data portability allows data subjects to obtain and reuse their personal data for their own purposes across different services or platforms. In essence, it gives data subjects more control over their personal data and promotes data mobility.
S
Special categories of personal data: This involves data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data for unique identification, data concerning health, or data concerning sexual orientation or sex life.
Supervisory authority: This is an independent public body in each EU country responsible for enforcing the GDPR and protecting data subjects' data privacy rights.
Security breach: A security breach refers to an incident in which an individual, entity, or system gains unauthorized access to sensitive, confidential, or protected information or compromises the integrity, availability, or confidentiality of data or systems.
T
Territorial scope: This refers to the reach and applicability of the GDPR's regulations beyond the borders of the EU. This aspect of the GDPR clarifies which organizations and activities fall under its jurisdiction, even if they are not physically located within the EU.