GDPR definitions

This is a glossary where you can find key GDPR definitions and the meaning of relevant terms and abbreviations used in articles on this site. Concepts are described from a GDPR context and may be explained differently outside this specific area.

Search:

Search

(clear) All CategoriesAuthoritiesGDPR legal provisionsGDPR rightsGeneric termsLegal definitionsOrganisationsPolicies and Notices

• a
• ADP
  The Autorité de protection des données, or Gegevensbeschermingsautoriteit, is the Belgian Data Protection Authority (ADP). The Belgian Data Protection Authority is the responsible data(...)
• AP
  The Dutch data protection authority is called Autoriteit persoonsgregevens (AP) and their objective is to provide guidance and advice as well as deal with complaints and make inspections(...)
• Archiving
  A secured storage of documents such that they are rendered inaccessible by authorised users in the ordinary course of business. Since GDPR applies to the processing of personal data in both(...)
• Article 5
  Article 5 sets out the seven fundamental principles for the lawful processing of data. They are the principles of: 'lawfulness, fairness and transparency' (a). According to Recital 39 of(...)
• Article 6
  Article 6 lists the six legal bases that data controllers can use to justify their use of personal data. Without a legal basis, processing cannot be done lawfully under the GDPR. The six(...)
• Article 8
  Article 8 defines the conditions for children's consent in relation to information society services. It limits the age for when a child can consent on their own and puts special duties on(...)
• Article 9
  This article regulates the processing of special category data. By special category data means data that needs more protection than regular data. Therefore, Art. 9 GDPR state that in order to(...)
• Article 10
  Regulates the processing of personal data that is relating to criminal convictions and offences. The article says: "Processing of personal data relating to criminal convictions and offences or(...)
• Article 13
  The controller needs to provide certain information to a data subject whose personal data have been collected. The article applies when the data regarding a data subject have been collected(...)
• Article 14
  The information that a controller needs to provide to a data subject when the personal data have not been obtained from the data subject himself. This information must be provided to the data(...)
• Article 22
  Article 22 gives data subjects the right to opt-out of automated decision-making if it is not strictly necessary. The data subject always has the right not to be subjected to decisions that(...)
• Article 30
  Regulates the demands regarding a record of processing. The Art. states that all controllers need to keep a record of the processing activities they are responsible for. With except for(...)
• Article 32
  Article 32 states the security measures that a controller must take. This is to protect the personal data they process. The article mainly approaches security measures that the controller(...)
• Article 33
  Article 33 states that controllers must notify the supervisory authority if a personal data breach occurs. It also states that processors must notify controllers in case of a breach. All(...)
• Article 35
  The controller must carry out a Data Protection Impact Assessment (DPIA) before they starts a processing that may lead to high risk for the data subjects. DPIA is particularly essential before(...)
• Article 44
  Article 44 gives the main principle for the transfer of personal data outside of the EU. It prohibits all transfers that do not fulfil the requirements of the GDPR. There are several types(...)
• Audit
  Audit means the inspection or examination of the processor's activities and its facilities to ensure GDPR compliance. Art. 28(3)(h) GDPR state that the terms of the audit always should be(...)
• Austrian Data Protection Authority
  The Datenschutz behörde is the Austrian Data Protection Authority (DSB). The Austrian Data Protection Authority is the responsible authority for data protection in Austria. Their objective(...)
• b
• BCR
  The opportunity for international organisations established in the EU to transfer personal data outside of the EU within their group of undertakings or enterprises. The legal demands for the(...)
• Belgian Data Protection Authority
  The Autorité de protection des données, or Gegevensbeschermingsautoriteit, is the Belgian Data Protection Authority (ADP). The Belgian Data Protection Authority is the responsible data(...)
• Binding Corporate Rules
  The opportunity for international organisations established in the EU to transfer personal data outside of the EU within their group of undertakings or enterprises. The legal demands for the(...)
• Biometric Data
  Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique(...)
• c
• CJEU
  The Court of Justice of the European Union (CJEU) is the highest court of the EU member states. The court interprets EU law and gives advice to national courts how to interpret EU law.
• CNIL
  National Commission on Informatics and Liberty (CNIL) is the data protection authority in France. Their main objectives are to provide guidance and advice as well as deal with complaints(...)
• Commission nationale de l'informatique et des libertés
  National Commission on Informatics and Liberty (CNIL) is the data protection authority in France. Their main objectives are to provide guidance and advice as well as deal with complaints(...)
• Compliance
  The process of ensuring that an organisation follows applicable laws, rules and regulations. It is an on-going effort with constant reviews and updates. The ultimate goal is to always act as you(...)
• Consent
  The data subjects freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies(...)
• Controller
  Simplified the controller is the individual or legal person who determines the purposes for which and the means by which personal data is processed. According to the legal definition in Art. 4(...)
• Cookies and similar technologies
  Cookies are text files that contain a small amount of data and are downloaded on your device when you visit a website. Cookies are useful because they allow a website to recognize your device,(...)
• Cross-border Processing
  When a processing of personal data has a connection to more than one member state of the EU it is called cross-border processing. The meaning of cross-border processing is defined in the GDPR(...)
• d
• Danish Data Protection Authority
  Datatilsynet, or the Danish Data Protection Agency, is the Danish Data Protection Authority. The Danish Data Protection Authority is called Datatilsynet. Their objective is to provide(...)
• Data Concerning Health
  Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. 'Health(...)
• Data Controller
  Simplified the data controller is the individual or legal person who determines the purposes for which and the means by which personal data is processed. According to the legal definition in(...)
• Data Minimisation
  Data minimisation is a fundamental principle under the GDPR. It means that you only should collect and process personal data that is absolutely necessary to fulfil your purpose. You need to(...)
• Data Portability
  The right for data subjects to receive and transfer their personal data between data controllers if the personal data has been provided by the data subject, and the processing is based on a(...)
• Data Processing Agreement
  A Data Processing Agreement is a legally binding document to be entered into between a data controller and a data processor when required by the GDPR. In article 28(3) GDPR it is stated that a(...)
• Data Processor
  The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. For a controller to use a processor, it must ensure that the(...)
• Data Protection Commission
  The Data Protection Commission (DPC), or An Coimisiún um Chosaint Sonraí, is the Irish Data Protection Authority. The Data Protection Commissions objective is to provide guidance and(...)
• Data Protection Impact Assessment
  Data protection impact assessment (DPIA) is a process to identify and mitigate data protection risks. If a processing activity is likely to result in a high risk to individuals, you need to do a(...)
• Data Protection Impact Assessment
  Article 35 of the GDPR stipulates that a processor must carry out a Data Protection Impact Assessment (DPIA) before starting processing data that may lead to high risk for the data subjects. A(...)
• Data Protection Officer
  The Data Protection Officer (DPO) is the function responsible for reviewing and monitoring the privacy practices of their organisation. The tasks of a DPO are many, but consist of at least the(...)
• Data Sharing Agreement
  A Data Sharing Agreement is a contract that documents what data is being shared and how it can be used. It can be used to make data sharing lawful. To lawfully use a processor or a(...)
• Data Subject
  A "data subject" is defined by GDPR as an "identified or identifiable natural person" from whom or about whom information is collected. A company or organisation cannot be a data subject.  A(...)
• Destruction
  A physical or technical destruction meant to render the information contained in documents irretrievable by ordinary commercially available means. The destruction of data is an essential part(...)
• DPA
  A Data Processing Agreement is a legally binding document to be entered into between a data controller and a data processor when required by the GDPR. In article 28(3) GDPR it is stated that a(...)
• DPC
  The Data Protection Commission (DPC), or An Coimisiún um Chosaint Sonraí, is the Irish Data Protection Authority. The Data Protection Commissions objective is to provide guidance and(...)
• DPIA
  Data protection impact assessment (DPIA) is a process to identify and mitigate data protection risks. If a processing activity is likely to result in a high risk to individuals, you need to do a(...)
• DPO
  The Data Protection Officer (DPO) is the function responsible for reviewing and monitoring the privacy practices of their organisation. The tasks of a DPO are many, but consist of at least the(...)
• dsb
  The Datenschutz behörde is the Austrian Data Protection Authority (DSB). The Austrian Data Protection Authority is the responsible authority for data protection in Austria. Their objective(...)
• Dutch Supervisory Authority for Data Protection
  The Dutch data protection authority is called Autoriteit persoonsgregevens (AP) and their objective is to provide guidance and advice as well as deal with complaints and make inspections(...)
• e
• EDPS
  An EU institution with the goal of ensuring that EU institutions and bodies respect individuals' right to privacy when processing personal data. EDPS has an essential role as advisors(...)
• EEA
  The European Economic Area (EEA) is an extension of the single market of the European Union (EU). Part of EU law still applies within the EEA. The EEA includes the 27 member states of the EU(...)
• Enterprise
  A natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.
• ePrivacy Directive
  The purpose of the ePrivacy directive is to ensure confidentiality and privacy in electronic communication. It complements the GDPR and is a form of specialisation, especially regarding(...)
• EU
  The European Union (EU) is a union of 27 European states, which shares an internal single market and EU law applies. The EU was through the Maastricht Treaty, which was signed in 1992 and(...)
• European Economic Area
  The European Economic Area (EEA) is an extension of the single market of the European Union (EU). Part of EU law still applies within the EEA. The EEA includes the 27 member states of the EU(...)
• European Union
  The European Union (EU) is a union of 27 European states, which shares an internal single market and EU law applies. The EU was through the Maastricht Treaty, which was signed in 1992 and(...)
• f
• Filing System
  Any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis. Since GDPR(...)
• First-party cookie
  A first-party cookie is a cookie that the website provider creates and stores. It is stored directly on the user's device. The definition of a first party-cookie is the website providers'(...)
• g
• GDPR
  A regulation (set of rules) drafted by the EU. All EU Member States must follow these rules. It sets out rules for data protection and privacy for all individuals within the EU. The GDPR(...)
• General Data Protection Regulation
  A regulation (set of rules) drafted by the EU. All EU Member States must follow these rules. It sets out rules for data protection and privacy for all individuals within the EU. The GDPR(...)
• Group of Undertakings
  A controlling undertaking that has a dominant influence over another company. This influence can be exercised, for example, through: financial ownership of a company’s capital;controlling the(...)
• i
• IMY
  The Swedish Supervisory Authority is called Integritetsskyddsmyndigheten (IMY) and is based in Stockholm. Before 2021 the name was Datainspektionen (DI). Their main objectives are to provide(...)
• Information Society Service
  A service defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council (19) as: "Any service normally provided for remuneration, at a distance,(...)
• Integritetsskyddsmyndigheten
  The Swedish Supervisory Authority is called Integritetsskyddsmyndigheten (IMY) and is based in Stockholm. Before 2021 the name was Datainspektionen (DI). Their main objectives are to provide(...)
• International Organisation
  An organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries. For(...)
• j
• Joint Controller
  A joint controllership is when two controllers both determine the purposes and means of the processing of personal data, and both are jointly responsible for GDPR compliance. For this, the(...)
• Joint Controllers
  Joint Controllers are two or more parties that together decide the purposes and/or means of how personal data is used. Article 26(1) GDPR provides the definition of the joint(...)
• l
• Legal Basis
  Legal basis is one of the criteria for a lawful processing of data under the GDPR. The legal basis is stated in article 6 GDPR and in there are six available legal basis to motivate a(...)
• legitimate interest
  Legitimate interest is one of the legal basis and is stated in Art. 6 (f) GDPR. This legal basis can be used when the data controller can conclude that the processing is necessary for their(...)
• m
• Main Establishment
  Main establishment means (a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes(...)
• p
• Personal Data
  Simplified it is the data relating to a physical person who with this data can be identified directly or indirectly. The GDPR definition of personal data is stated in Art. 4(1) GDPR as: "Any(...)
• Personal Data Breach
  Can be defined as any security incident that affects the confidentiality, integrity or availability of personal data. Therefore a data breach, for example, can occur every time data is lost,(...)
• Personally Identifiable Information
  Personally Identifiable Information (PII) is any information about a person that can be used to identify them. This could be the date and place of birth or biometric records. The term is a(...)
• PII
  Personally Identifiable Information (PII) is any information about a person that can be used to identify them. This could be the date and place of birth or biometric records. The term is a(...)
• Privacy by Design
  Privacy by design means that the privacy protection rules are taken into account already when IT systems and procedures are designed. To comply with the Privacy by design demands, who is(...)
• Privacy Policy
  A policy or information sheet provided by the Controller to the data subjects. It is usually a written text where the data subject can read about the processing in question. Privacy policies(...)
• Privacy Shield
  The Privacy Shield was an international agreement between the EU and the US with requirements to ensure an adequate level of protection of personal data exported to the US. The Privacy(...)
• Processing
  The actual usage of the personal data which can be anything from collecting, storing or destroying the personal data. Processing of data is a primary condition for GDPR to be(...)
• Processor
  The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. For a controller to use a processor, it must ensure that the(...)
• Profiling
  Simplified Profiling can be defined as a automated processing that based on aspects of an individual's characteristics can make predictions and decisions about this individual. Profiling is(...)
• Pseudonymisation
  The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such(...)
• r
• Recipient
  The natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive(...)
• Relevant and Reasoned Objection
  An objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation,(...)
• Representative
  Representative means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor(...)
• Restriction of Processing
  Restriction of processing means the marking of stored personal data to limit their processing in the future. The right to restriction is one of the data subject rights and means that the(...)
• Retention
  The maintenance of documents in a production or live environment that can be accessed by an authorised user in the ordinary course of business. Retention is an essential part of being(...)
• Right to Access
  The right of access gives individuals the right to obtain a copy of their personal data as well as other supplementary information. The purpose of this right is to help data subjects understand(...)
• Right to Erasure
  The right to erasure, also known as "the right to be forgotten" is stated in article 17 GDPR and means that individuals have the right to have personal data erased. This right is not an absolute(...)
• Right to Objection
  The right to objection means that individuals have the right to object to the processing of their personal data. This is not an absolute right which means that the controllers only is forced to(...)
• Right to Rectification
  The right to rectification means that individuals have the right to have inaccurate data rectified. This right is stated in Article 16, that says: "The data subject shall have the right to(...)
• Right to Restriction
  The right to restriction means that the individuals have the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way the(...)
• s
• SA
  Each Member State in the EU has a supervisory authority (also known as Data Protection Authority) with the task of supervising GDPR-compliance. The supervisory authority has many(...)
• SCC
  SCCs are a contract that can be used for data transfers between EU and non-EU countries. The SCC are a form of appropriate safeguards that can be used when there is no adequacy decision(...)
• Special Categories of Data
  Means personal data that is more sensitive and therefore require more protection then "regular" personal data. Special category data is often referred to as "sensitive data". The different types(...)
• Standard Contractual Clauses
  SCCs are a contract that can be used for data transfers between EU and non-EU countries. The SCC are a form of appropriate safeguards that can be used when there is no adequacy decision(...)
• Strictly necessary cookie
  A strictly necessary cookie is a cookie that is vital for the functioning of a website and does not require user consent. Strictly necessary cookies are a necessary tool for the user to(...)
• Sub-Processor
  A Sub-Processor is a third party data processor engaged by a Data Processor who has or will have access to or process personal data from a Data Controller. In order to use a sub-processor, the(...)
• Supervisory Authority
  Each Member State in the EU has a supervisory authority (also known as Data Protection Authority) with the task of supervising GDPR-compliance. The supervisory authority has many(...)
• Supervisory Authority Concerned
  The supervisory authority which is concerned by the processing of personal data because: the controller or processor is established on the territory of the Member State of that supervisory(...)
• t
• The Court of Justice of the European Union
  The Court of Justice of the European Union (CJEU) is the highest court of the EU member states. The court interprets EU law and gives advice to national courts how to interpret EU law.
• Third Country
  In the context of GDPR, this means countries that are not members of the European Economic Area (EEA). This area includes all member countries of the EU and Iceland, Liechtenstein and(...)
• Third Party
  Is defined as the natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or(...)
• Third-party cookie
  A third-party cookie is a cookie that is created by another website than the one that the user is visiting. They allow third parties to track the user. Per definition, a third-party cookie(...)
• Transfer Impact Assessment
  A data Transfer Impact Assessment (TIA) is an assessment of the privacy protections of the laws and regulations of a recipient country outside of the EU/EEA. Transfer Impact Assessments(...)
• Transparency
  In sum, transparent processing means that organisations are open and clear with: who they are how they process personal data why they process personal data Transparency is(...)