Privasee's A-Z of common GDPR terms
Accountability Accountability is one of the key principles of the GDPR. Organisations must be able to demonstrate that they are complying with the GDPR. This includes having adequate policies and procedures in place, and being able to show that they are being followed.
ACTA ACTA is an international agreement that seeks to establish global standards for intellectual property enforcement. The agreement has been criticised for its lack of transparency and for potentially infringing on civil liberties.
Adequacy decision An adequacy decision is a decision by the European Commission that a non-EU country's data protection laws provide an adequate level of protection for personal data that is transferred from the EU to that country.
Article 29 Working Party (predecessor of the EDPB) The Article 29 Working Party is a group of data protection authorities from the European Union member states. The group provides guidance on data protection issues and coordinates the enforcement of EU data protection law.
As of 25 May 2018 the Article 29 Working Party ceased to exist, and has been replaced by the European Data Protection Board (EDPB).
Article 93 Committee Procedure The Article 93 Committee Procedure is a process established by the UN Security Council to investigate possible breaches of the UN Charter. It allows the Council to gather information from UN Member States, and to hear their views on the matter under investigation. The Committee may also request information from other sources, including NGOs and international organisations.
This is a committee within the meaning of Regulation (EU) No 182/2011.
Automated individual decision An automated individual decision is a decision made by a computer system on behalf of an individual. This type of decision can be made without the input or involvement of the individual themselves.
Berlin Group The Berlin Group is a coalition of European banking and retail payments associations that have come together to define and promote a common standard for European Single Euro Payments Area (SEPA) credit transfers and direct debits.
Binding corporate rules Binding corporate rules are a set of internal regulations that a multinational corporation adopts in order to comply with data protection laws in the European Union. The rules are binding on all of the corporation's subsidiaries and affiliates in the EU.
Complaint A GDPR complaint is a complaint filed with the supervisory authority under the GDPR. According to Article 63(1) of Regulation (EU) 2018/1725, "every data subject shall have the right to lodge a complaint with the European Data Protection Supervisor if the data subject considers that the processing of personal data relating to him or her infringes this Regulation".
Confidentiality The principle of confidentiality under GDPR states that personal data must be treated in a confidential manner and must not be disclosed to any third party without the individual’s consent.
Consent In the context of GDPR, consent is defined as any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, either by a statement or by a clear affirmative action, signify their agreement to the processing of personal data relating to them (see Article 4(11) of Regulation (EU) 2016/679 and Article 3(15) of Regulation (EU) 2018/1725).
Controller A Data controller is an individual or organisation that determines the purposes for which, and the manner in which, personal data is processed.
Cookies Cookies are small pieces of data that are stored on a user's computer when they visit a website. They are commonly used to track user behaviour and to collect information about a user's browsing habits. Under GDPR, cookies can be considered personal data if they contain information that can be used to identify a specific individual. As a result, companies must obtain explicit consent from users before setting or accessing cookies on their computers.
Data controller A data controller is an individual or organisation that determines the purposes for which, and the manner in which, personal data is processed. Under Regulation (EU) 2018/1725, as well as under the GDPR, the data controller is the party that, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data minimisation The principle of data minimisation is that organisations should only collect and use the minimum amount of personal data necessary to achieve their specific purpose. This means that organisations should carefully consider what data they need to collect and delete any data that is no longer required.
Data minimisation is a key element of data protection and is particularly important when it comes to sensitive personal data. By only collecting and using the minimum amount of data necessary, organisations can reduce the risk of data breaches and protect the privacy of their customers and employees.
See Article 5(1)(c) of the GDPR and Article 4(1)(c) of Regulation (EU) 2018/1725
Data mining Data mining is the process of extracting valuable information from large data sets. It involves sorting through large amounts of data to find patterns and trends. Data mining can be used to find relationships between different pieces of information, such as customer purchasing habits, or to predict future trends. It is commonly used in a wide range of profiling practices, such as marketing, surveillance, fraud detection and scientific discovery.
Data protection authority The Data Protection Authority is an independent authority that ensures that individuals' rights are respected with regard to their personal data.
The EDPS is established as an independent data protection authority at EU level by Article 52 of Regulation (EU) 2018/1725.
Data protection coordinator A data protection coordinator is a person who is responsible for ensuring that an organisation's data protection policies are adhered to. This person may also be responsible for training staff on data protection issues, and for investigating any data breaches that occur.
Data Protection Day Data Protection Day is held each year on 28 January.
This date marks the anniversary of the Council of Europe's Convention 108, the first legally binding international instrument related to data protection.
Data Protection Impact Assessment (DPIA) A Data Protection Impact Assessment (DPIA) is a process that helps organisations identify and assess the data protection risks associated with a specific project or initiative. A DPIA is required under the EU General Data Protection Regulation (GDPR) when data processing is likely to result in a high risk to the rights and freedoms of individuals.
The DPIA is a tool that can be used to help organisations identify and assess the risks associated with a specific project or initiative. It is important to note that a DPIA is not a static document, but rather a living document that should be updated as the project or initiative evolves.
The DPIA should be carried out at the beginning of a project or initiative, and should be revisited on a regular basis. It should be seen as an ongoing process, rather than a one-time exercise.
The GDPR requires that a DPIA be carried out when data processing is likely to result in a high risk to the rights and freedoms of individuals. This includes processing that is likely to result in a risk of physical or psychological harm, or a risk of discrimination, exclusion, or other adverse consequences.
Data protection officer (DPO) A data protection officer is a person who is responsible for ensuring that an organisation's data is protected from unauthorised access or disclosure. They are often responsible for developing and implementing policies and procedures to safeguard data, as well as for overseeing the organisation's compliance with data protection laws and regulations.
Data quality GDPR data quality is the process of ensuring that the data collected by an organisation is accurate, complete, and up-to-date. This process can be used to improve the quality of customer data, contact data, financial data, and other types of data. (Article 4 of Regulation (EU) 2018/1725)
The Data Retention Directive The Data Retention Directive is a directive of the European Union that requires member states to retain data for law enforcement and national security purposes. The directive was first introduced in 2006 and was subsequently amended in 2009. It requires member states to retain data for a minimum of six months and a maximum of two years. The data that must be retained includes communications data, traffic data, and location data.
Data subject The data subject is the person in question whose personal data is collected, held or processed.
Data transfer Data transfer in GDPR refers to the process of transferring data from one party to another. This can be done electronically or physically, and it can be done within the EU or outside of the EU.
Eurodac Eurodac is a European Union system for fingerprinting asylum seekers and illegal immigrants. It was established in 2000 in order to help EU member states identify and return people who had entered the EU illegally.
EDPB EDPB is the European Data Protection Board. It is an independent body that promotes cooperation between data protection authorities in the European Union.
European Conference The European Conference of data protection authorities of EU Member States and other European countries meets every year in spring.
EDPS The European Data Protection Supervisor (EDPS) is an independent supervisory authority established by the European Union (EU) in 2004. Its objective is to ensure that the EU treats personal data fairly and protects the privacy of individuals.
The EDPS is responsible for monitoring the EU's handling of personal data, including ensuring that the EU complies with the provisions of the General Data Protection Regulation (GDPR). The EDPS also provides guidance on data protection issues and promotes public awareness of data protection rights and obligations.
E-privacy Directive 2009/136/EC
The E-privacy Directive covers processing of personal data and the protection of privacy including provisions on:
IWGDPT Stands for International Working Group on Data Protection in Telecommunications.
Joint Supervisory Authorities A Joint Supervisory Authority (JSA) is a supervisory authority that is jointly responsible for supervising a particular sector or activity.
It is usual to have the EDPS supervise the central unit of large-scale IT systems, while the use made of them by Member States' authorities is supervised by the national data protection authorities.
Large-scale IT systems Large-scale IT systems are computerised systems that support large organisations and manage large amounts of data. They often use mainframe computers and large databases.
Personal data Personal data is information that can be used to identify an individual. This includes information such as your name, address, phone number, and email address. According to Article 3(1) of Regulation (EU) 2018/1725: "‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;".
PETs Privacy Enhancing Technologies (PETs) are software tools that help protect the privacy of users while they are online. PETs can help prevent online tracking, provide anonymity, and encrypt communications.
Privacy by design Privacy by design is an approach to data privacy that emphasises the need to consider data privacy throughout the design process of products and services, rather than as an afterthought. The term was first coined by Ann Cavoukian, the Information and Privacy Commissioner of Ontario, Canada, in the 1990s.
Processing (of personal data) The act of collecting, storing, using, or sharing data about an individual. According to Article 3(3) of Regulation (EU) 2018/1725: "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction."
Processor agreement A processor agreement is a contract between a company and a processor that outlines the processor's responsibilities for handling the company's data. The agreement should specify the types of data that the processor will handle, the processor's obligations for protecting the data, and the consequences of any breach of the agreement.
Prüm Treaty The Prüm Treaty is a treaty signed in 2005 by Belgium, France, Germany, Luxembourg, the Netherlands, and Spain. The treaty allows for police and judicial cooperation between the signatory states in order to combat terrorism, cross-border crime, and illegal immigration.
Recipient According to Article 3(13) of Regulation (EU) 2018/1725, "‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;"
Records In order to demonstrate compliance with Regulation (EU) 2018/1725, controllers should maintain records of processing activities under their responsibility and processors should maintain records of categories of processing activities under their responsibility.
Regulation (EC) No 45/2001 Regulation (EC) No 45/2001 is a regulation of the European Union that provides for the protection of individuals with regard to the processing of personal data by Community institutions and bodies. The regulation applies to all processing of personal data by Community institutions and bodies, including the European Parliament, the Council of the European Union, the European Commission, the Court of Justice of the European Union, the Court of First Instance, the European Economic and Social Committee, the Committee of the Regions, the European Ombudsman, the European Data Protection Supervisor, and the European Investment Bank.
Retention periods The data retention period is the length of time that data is kept before it is deleted.
Right of access The right of access, also known as data subject access, is a key component of GDPR. It gives individuals the right to obtain confirmation from organisations as to whether or not their personal data is being processed, as well as access to that data. Individuals also have the right to know the purposes for which their data is being processed, the recipients of the data, and the length of time that the data will be stored.
Right of information The right to information is the right for an individual to be able to access information held about them by organisations or the government. This information can include things like their personal data, medical records, or financial information. The right to information is often seen as a part of the right to privacy, and is protected by data protection laws in many countries.
Right of rectification The right of rectification is the right to have inaccurate or incomplete personal data corrected.
Right to object The right to object is a fundamental right under the EU's General Data Protection Regulation (GDPR). It gives individuals the right to object to the processing of their personal data for certain purposes, including direct marketing.
According to Regulation (EU) 2018/1725 "The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (a) of Article 5(1), including profiling based on that provision. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims."
Right to restriction of processing Under the GDPR, individuals have the right to restrict the processing of their personal data in certain circumstances. This right is primarily intended to allow individuals to temporarily suspend the use of their data while any issues relating to the accuracy or processing of that data are being resolved.
Security of Processing The security of processing is the ability of a company to protect data from unauthorised access, use, or disclosure. It is the responsibility of the company to ensure that data is protected from these threats. There are many ways to protect data, including physical security, logical security, and data encryption.
Safe Harbour Principle The Safe Harbour Principle is a legal principle that provides a process for companies to transfer data from the European Union to the United States in compliance with European Union data protection laws.
Special categories of personal data Special categories of personal data include data that reveals "racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation" (Article 10 of Regulation (EU) 2018/1725; Article 9 of the GDPR).
Schengen Information System (SIS) The Schengen Information System (SIS) is a European Union-wide system for the exchange of information on people and property. It is used by police and other authorities to track people who are wanted in connection with criminal activities, and to identify stolen property.
Security breach A GDPR security breach is any unauthorised access to, or disclosure of, personal data. This includes both physical and electronic data. A security breach can also occur if personal data is lost or stolen.
Third country A third country is a country which is not bound by the General Data Protection Regulation (GDPR).
Third party A natural or legal person, public authority, agency or body, other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process the data.
Traffic data Traffic data, generated by electronic communications providers and/or processed by them, falls under the scope of GDPR. This could include, but is not limited to, IP addresses, website browsing activity and metadata relating to communications. Under GDPR, any organisation that processes the personal data of EU citizens must take steps to protect that data from accidental or unauthorised access, destruction, alteration, or unauthorised use. They must also ensure that the data is accurate and up to date, and that it is only used for the purpose for which it was collected. Lastly, they must take steps to ensure that individuals have the right to access their own personal data and to exercise their rights under GDPR.