GDPR definitions

This is a glossary where you can find key GDPR definitions and the meaning of relevant terms and abbreviations used in articles on this site. Concepts are described from a GDPR context and may be explained differently outside this specific area.

  • a

  • Archiving
    Archiving is defined as the secured storage of documents such that they are rendered inaccessible by authorised users in the ordinary course of business.
  • Article 5(1)(a)
    Principles relating to processing of personal data Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness,(...)
  • Article 10
    Processing of personal data relating to criminal convictions and offences
  • Article 13
    Information to provide where personal data are collected from the data subject
  • Article 14
    Information to provide where personal data have not been obtained from the data subject
  • Article 16
    Right to rectification
  • Article 21
    Right to object
  • Article 23
    Restrictions
  • Article 29
    Processing under the authority of the controller or processor
  • Article 30
    Records of processing activities
  • Article 35
    Data protection impact assessment
  • Article 39
    Tasks of the data protection officer
  • Article 51
    Supervisory authority
  • Article 9(1)
    Processing of special categories of personal data 1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union(...)
  • Audit
    Audit means the inspection or examination of the processor's activities and its facilities to ensure GDPR compliance.
  • b

  • Binding Corporate Rules
    Binding corporate rules means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of(...)
  • Biometric Data
    Biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm(...)
  • c

  • CJEU
    The Court of Justice of the European Union (CJEU) is the highest court of the EU member states. The court interprets EU law and gives advice to national courts on how to interpret EU law.
  • Compliance
    Compliance refers to the process of ensuring that an organisation follows applicable laws, rules and regulations. It is an on-going effort with constant reviews and updates. The ultimate goal is(...)
  • Consent
    Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative(...)
  • Controller
    Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.(...)
  • Cookies and similar technologies
    Cookies are text files that contain a small amount of data and are downloaded on your device when you visit a website. Cookies are useful because they allow a website to recognize your device,(...)
  • Cross-border Processing
    Cross-border processing means either (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or(...)
  • d

  • Data Concerning Health
    Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or(...)
  • Data Controller
    The individual or legal person who determines the purposes for which and the means by which personal data is processed.
  • Data Minimisation
    Data minimisation is a fundamental principle under the GDPR. It means that you only should collect and process personal data that is absolutely necessary to fulfil your purpose. You need to(...)
  • Data Portability
    Data portability is a new right for data subjects to receive and transfer their personal data between data controllers if the personal data has been provided by the data subject, and the(...)
  • Data Processing Agreement
    A Data Processing Agreement is a legally binding document to be entered into between a data controller and a data processor when required by the GDPR.
  • Data Processor
    A natural or legal person who processes personal data only on behalf of a Data Controller.
  • Data Protection Authority
    Also known as Supervisory Authority. Each Member State in the EU has a supervisory authority with the task of supervising GDPR-compliance. The supervisory authority has many responsibilities(...)
  • Data Protection Impact Assessment
    Data protection impact assessment (DPIA) is a process to identify and mitigate data protection risks. If a processing activity is likely to result in a high risk to individuals, you need to do a(...)
  • Data Protection Officer
    The Data Protection Officer (DPO) is responsible for reviewing and monitoring the internal privacy work carried out by an organisation. The tasks of a DPO are many, but consist of at least the(...)
  • Data Subject
    A natural person (i.e. not a company or organisation) who resides in the European Union, whose personal data is being processed.
  • Destruction
    Destruction is defined as physical or technical destruction meant to render the information contained in documents irretrievable by ordinary commercially available means.
  • DPA
    A Data Processing Agreement is a legally binding document to be entered into between a data controller and a data processor when required by the GDPR.
  • DPIA
    Data protection impact assessment (DPIA) is a process to identify and mitigate data protection risks. If a processing activity is likely to result in a high risk to individuals, you need to do a(...)
  • DPO
    The Data Protection Officer (DPO) is responsible for reviewing and monitoring the internal privacy work carried out by an organisation. The tasks of a DPO are many, but consist of at least the(...)
  • e

  • EDPS
    The European Data Protection Supervisor ("EDPS") is an EU institution with the goal of ensuring that EU institutions and bodies respect individuals' right to privacy when processing personal data.
  • Enterprise
    Enterprise means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.
  • f

  • Filing System
    Filing system means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
  • g

  • GDPR
    General Data Protection Regulation. A regulation (set of rules) drafted by the EU. All EU Member States must follow these rules. It sets out rules for data protection and privacy for all(...)
  • General Data Protection Regulation
    General Data Protection Regulation. A regulation (set of rules) drafted by the EU. All EU Member States must follow these rules. It sets out rules for data protection and privacy for all(...)
  • Genetic Data
    Genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that(...)
  • Group of Undertakings
    Group of undertakings means a controlling undertaking and its controlled undertakings.
  • i

  • Information Society Service
    Information society service means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council (19).
  • International Organisation
    International organisation means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between(...)
  • l

  • Legal Basis
    A basis on which you can legally justify your processing. There are six available legal bases under the GDPR: consent, performance of a contract (including taking steps to conclude a(...)
  • m

  • Main Establishment
    Main establishment means (a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes(...)
  • p

  • Personal Data
    Personal data means any information relating to an identified or identifiable physical person (‘data subject’) (i.e. not a legal entity); an identifiable physical person is one who can be(...)
  • Personal Data Breach
    Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored(...)
  • Privacy by Design
    Privacy by design means that the privacy protection rules are taken into account already when IT systems and procedures are designed.
  • Privacy Policy
    A policy or information sheet provided by the Controller to the data subjects. It is usually a written text where the data subject can read about the processing in question.
  • Processing
    Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording,(...)
  • Processor
    Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • Profiling
    Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to(...)
  • Pseudonymisation
    Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information,(...)
  • r

  • Recipient
    Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may(...)
  • Relevant and Reasoned Objection
    Relevant and reasoned objection means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or(...)
  • Representative
    Representative means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor(...)
  • Restriction of Processing
    Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.
  • Retention
    Retention is defined as the maintenance of documents in a production or live environment that can be accessed by an authorised user in the ordinary course of business.
  • Right to Access
    The right of access gives individuals the right to obtain a copy of their personal data as well as other supplementary information.
  • Right to Erasure
    The right to erasure means that individuals have the right to have personal data erased.
  • Right to Objection
    The right to objection means that individuals have the right to object to the processing of their personal data.
  • Right to Rectification
    The right to rectification means that individuals have the right to have inaccurate data rectified.
  • Right to Restriction
    The right to restriction means that the individuals have the right to restrict the processing of their personal data in certain circumstances.
  • s

  • Special Categories of Data
    Means personal data that is more sensitive and therefore requires more protection. Often referred to as "sensitive data".
  • Sub-Processor
    A Sub-Processor is a third-party data processor engaged by a Data Processor who has or will have access to, or will process, personal data from a Data Controller.
  • Supervisory Authority Concerned
    Supervisory authority concerned means a supervisory authority which is concerned by the processing of personal data because (a) the controller or processor is established on the territory of the(...)
  • t

  • The Court of Justice of the European Union
    The Court of Justice of the European Union (CJEU) is the highest court of the EU member states. The court interprets EU law and gives advice to national courts on how to interpret EU law.
  • Third Country
    In the context of GDPR, this means countries that are not members of the European Economic Area (EEA). This area includes all member countries of the EU and Iceland, Liechtenstein and Norway.
  • Third Party
    Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or(...)
  • Transparency
    In sum, transparent processing means that organisations are open and clear about: who they are, how they process personal data, and why they process personal data. Transparency is(...)