This is a glossary where you can find key GDPR definitions and the meaning of relevant terms and abbreviations used in articles on this site. Concepts are described in a GDPR context and may be explained differently outside this specific area.

- a
- Archiving: Secured storage of documents such that they are no longer accessible to authorised users in the ordinary course of business (contrast with Retention). Since GDPR applies to the processing of personal data in both(...)
- Article 9: This article regulates the processing of special category data, i.e. data that needs more protection than regular personal data. Art. 9 GDPR therefore states that in order to(...)
- Article 10: Regulates the processing of personal data relating to criminal convictions and offences. The article says: "Processing of personal data relating to criminal convictions and offences or(...)
- Article 13: The controller needs to provide certain information to a data subject whose personal data have been collected. The article applies when the data regarding a data subject have been collected(...)
- Article 14: The information that a controller needs to provide to a data subject when the personal data have not been obtained from the data subject. This information must be provided to the data(...)
- Article 30: Regulates the requirements for a record of processing. The article states that all controllers need to keep a record of the processing activities they are responsible for, with the exception of(...)
- Article 35: The controller must carry out a Data Protection Impact Assessment (DPIA) before starting a processing that is likely to result in a high risk to the data subjects. A DPIA is particularly essential before(...)
- Audit: Audit means the inspection or examination of the processor's activities and its facilities to ensure GDPR compliance. Art. 28(3)(h) GDPR states that the terms of the audit should always be(...)
- b
- BCR: Binding Corporate Rules give multinational groups established in the EU the possibility to transfer personal data outside of the EU within their group of undertakings or enterprises. The legal requirements for the(...)
- Binding Corporate Rules: Binding Corporate Rules give multinational groups established in the EU the possibility to transfer personal data outside of the EU within their group of undertakings or enterprises. The legal requirements for the(...)
- Biometric Data: Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique(...)
- c
- CJEU: The Court of Justice of the European Union (CJEU) is the highest court of the EU. It interprets EU law and, through preliminary rulings, tells national courts how EU law is to be interpreted.
- CNIL: The Commission nationale de l'informatique et des libertés (CNIL) is the data protection authority in France. Its main objectives are to provide guidance and advice as well as to deal with complaints(...)
- Commission nationale de l'informatique et des libertés: The Commission nationale de l'informatique et des libertés (CNIL) is the data protection authority in France. Its main objectives are to provide guidance and advice as well as to deal with complaints(...)
- Compliance: The process of ensuring that an organisation follows applicable laws, rules and regulations. It is an ongoing effort with constant reviews and updates. The ultimate goal is to always act as you(...)
- Consent: The data subject's freely given, specific, informed and unambiguous indication of his or her wishes by which he or she, by a statement or by a clear affirmative action, signifies(...)
- Controller: Simply put, the controller is the natural or legal person who determines the purposes for which and the means by which personal data are processed. According to the legal definition in Art. 4(...)
- Cookies and similar technologies: Cookies are small text files that are placed on your device when you visit a website. Cookies are useful because they allow a website to recognise your device,(...)
- Cross-border Processing: When processing of personal data has a connection to more than one Member State of the EU it is called cross-border processing. The meaning of cross-border processing is defined in the GDPR(...)
- d
- Data Concerning Health: Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. 'Health(...)
- Data Controller: Simply put, the data controller is the natural or legal person who determines the purposes for which and the means by which personal data are processed. According to the legal definition in(...)
- Data Minimisation: Data minimisation is a fundamental principle under the GDPR. It means that you should only collect and process personal data that is necessary to fulfil your purpose. You need to(...)
- Data Portability: The right for data subjects to receive and transfer their personal data between data controllers if the personal data have been provided by the data subject, and the processing is based on a(...)
- Data Processing Agreement: A Data Processing Agreement is a legally binding document to be entered into between a data controller and a data processor when required by the GDPR. In Article 28(3) GDPR it is stated that a(...)
- Data Processor: The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. For a controller to use a processor, it must ensure that the(...)
- Data Protection Impact Assessment: A data protection impact assessment (DPIA) is a process to identify and mitigate data protection risks. If a processing activity is likely to result in a high risk to individuals, you need to do a(...)
- Data Protection Impact Assessment: Article 35 of the GDPR stipulates that a controller must carry out a Data Protection Impact Assessment (DPIA) before starting processing that may lead to a high risk for the data subjects. A(...)
- Data Protection Officer: The Data Protection Officer (DPO) is responsible for reviewing and monitoring the internal privacy work carried out by an organisation. The tasks of a DPO are many, but include at least the(...)
- Data Subject: A natural person (i.e. not a company or organisation) whose personal data is being processed by a controller or processor. Note that the GDPR's territorial scope (Art. 3) depends on where the controller or processor is established or on the data subject being in the Union, not on the data subject's residence or citizenship. The primary purposes of GDPR are to protect(...)
- Destruction: A physical or technical destruction meant to render the information contained in documents irretrievable by ordinary commercially available means. The destruction of data is an essential part(...)
- DPA: A Data Processing Agreement is a legally binding document to be entered into between a data controller and a data processor when required by the GDPR. In Article 28(3) GDPR it is stated that a(...)
- DPIA: A data protection impact assessment (DPIA) is a process to identify and mitigate data protection risks. If a processing activity is likely to result in a high risk to individuals, you need to do a(...)
- DPO: The Data Protection Officer (DPO) is responsible for reviewing and monitoring the internal privacy work carried out by an organisation. The tasks of a DPO are many, but include at least the(...)
- e
- EDPS: An EU institution with the goal of ensuring that EU institutions and bodies respect individuals' right to privacy when processing personal data. The EDPS has an essential role as advisor(...)
- Enterprise: A natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.
- ePrivacy Directive: The purpose of the ePrivacy Directive is to ensure confidentiality and privacy in electronic communications. It complements the GDPR with more specific rules, especially regarding(...)
- f
- Filing System: Any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis. Since GDPR(...)
- g
- GDPR: A regulation (set of rules) adopted by the EU. It is directly applicable in all EU Member States and sets out rules for data protection and privacy for all individuals within the EU. The GDPR(...)
- General Data Protection Regulation: A regulation (set of rules) adopted by the EU. It is directly applicable in all EU Member States and sets out rules for data protection and privacy for all individuals within the EU. The GDPR(...)
- Group of Undertakings: A controlling undertaking and its controlled undertakings. The controlling undertaking is the one that can exert a dominant influence over the other companies, for example through: financial ownership of a company's capital; controlling the(...)
- i
- IMY: The Swedish supervisory authority is called Integritetsskyddsmyndigheten (IMY) and is based in Stockholm. Before 2021 its name was Datainspektionen (DI). Its main objectives are to provide(...)
- Information Society Service: A service defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council as: "Any service normally provided for remuneration, at a distance,(...)
- Integritetsskyddsmyndigheten: The Swedish supervisory authority is called Integritetsskyddsmyndigheten (IMY) and is based in Stockholm. Before 2021 its name was Datainspektionen (DI). Its main objectives are to provide(...)
- International Organisation: An organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries. For(...)
- j
- Joint Controllers: Joint controllers are two or more controllers that jointly determine the purposes and means of the processing of personal data. Article 26(1) GDPR provides the definition of joint(...)
- l
- Legal Basis: A legal basis is one of the conditions for lawful processing of personal data under the GDPR. The legal bases are listed in Article 6 GDPR, which provides six legal bases that can justify a(...)
- Legitimate Interest: Legitimate interest is one of the legal bases and is stated in Art. 6(1)(f) GDPR. This legal basis can be used when the data controller can conclude that the processing is necessary for its(...)
- m
- Main Establishment: Main establishment means (a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes(...)
- p
- Personal Data: Simply put, it is data relating to a natural person who can be identified, directly or indirectly, by means of this data. The GDPR definition of personal data is stated in Art. 4(1) GDPR as: "Any(...)
- Personal Data Breach: Can be defined as any security incident that affects the confidentiality, integrity or availability of personal data. A data breach can therefore occur, for example, every time data is lost,(...)
- Privacy by Design: Privacy by design means that data protection requirements are taken into account already when IT systems and procedures are designed. To comply with the privacy by design requirements, who is(...)
- Privacy Policy: A policy or information sheet provided by the controller to the data subjects. It is usually a written text where the data subject can read about the processing in question. Privacy policies(...)
- Privacy Shield: The Privacy Shield was an EU-US framework with requirements meant to ensure an adequate level of protection for personal data exported to the US. The Privacy(...)
- Processing: The actual use of personal data, which can be anything from collecting and storing to destroying the personal data. Processing of data is a primary condition for GDPR to be(...)
- Processor: The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. For a controller to use a processor, it must ensure that the(...)
- Profiling: Simply put, profiling is automated processing that uses aspects of an individual's characteristics to evaluate, predict or make decisions about that individual. Profiling is(...)
- Pseudonymisation: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such(...)
- r
- Recipient: The natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive(...)
- Relevant and Reasoned Objection: An objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation,(...)
- Representative: Representative means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor(...)
- Restriction of Processing: Restriction of processing means the marking of stored personal data to limit their processing in the future. The right to restriction is one of the data subject rights and means that the(...)
- Retention: The maintenance of documents in a production or live environment that can be accessed by an authorised user in the ordinary course of business. Retention is an essential part of being(...)
- Right to Access: The right of access gives individuals the right to obtain a copy of their personal data as well as other supplementary information. The purpose of this right is to help data subjects understand(...)
- Right to Erasure: The right to erasure, also known as "the right to be forgotten", is stated in Article 17 GDPR and means that individuals have the right to have their personal data erased. This right is not absolute(...)
- Right to Object: The right to object means that individuals have the right to object to the processing of their personal data. This is not an absolute right, which means that the controller is only forced to(...)
- Right to Rectification: The right to rectification means that individuals have the right to have inaccurate data rectified. This right is stated in Article 16, which says: "The data subject shall have the right to(...)
- Right to Restriction: The right to restriction means that individuals have the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way the(...)
- s
- SA: Each Member State in the EU has a supervisory authority (also known as Data Protection Authority) with the task of supervising GDPR compliance. The supervisory authority has many(...)
- SCC: Standard Contractual Clauses (SCCs) are model contract terms adopted by the European Commission that can be used for transfers of personal data from the EU to third countries. The SCCs are a form of appropriate safeguards that can be used when there is no adequacy decision(...)
- Special Categories of Data: Personal data that is more sensitive and therefore requires more protection than "regular" personal data. Special category data is often referred to as "sensitive data". The different types(...)
- Standard Contractual Clauses: Standard Contractual Clauses (SCCs) are model contract terms adopted by the European Commission that can be used for transfers of personal data from the EU to third countries. The SCCs are a form of appropriate safeguards that can be used when there is no adequacy decision(...)
- Sub-Processor: A sub-processor is a third-party data processor engaged by a data processor who has or will have access to or process personal data from a data controller. In order to use a sub-processor, the(...)
- Supervisory Authority: Each Member State in the EU has a supervisory authority (also known as Data Protection Authority) with the task of supervising GDPR compliance. The supervisory authority has many(...)
- Supervisory Authority Concerned: The supervisory authority which is concerned by the processing of personal data because: the controller or processor is established on the territory of the Member State of that supervisory(...)
- t
- The Court of Justice of the European Union: The Court of Justice of the European Union (CJEU) is the highest court of the EU. It interprets EU law and, through preliminary rulings, tells national courts how EU law is to be interpreted.
- Third Country: In the context of GDPR, this means countries that are not members of the European Economic Area (EEA). This area includes all member countries of the EU and Iceland, Liechtenstein and(...)
- Third Party: Is defined as the natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or(...)
- Transparency: In sum, transparent processing means that organisations are open and clear about who they are, how they process personal data and why they process personal data. Transparency is(...)
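The Pseudonymisation entry above follows the Art. 4(5) wording: the data can no longer be attributed to a data subject without "additional information" that is kept separately. The following Python example is added here to make that requirement concrete; it is not part of this glossary or of the GDPR text. It contrasts an unkeyed hash of an identifier, which an attacker with a list of plausible identifiers can reverse, with a keyed HMAC whose secret key is the additional information. The records, e-mail addresses, diagnosis codes and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample dataset: fictitious identifiers and diagnosis codes,
# not real people. The e-mail address is the direct identifier to be replaced.
RECORDS = [
    {"email": "alice@example.com", "diagnosis": "J45"},
    {"email": "bob@example.com", "diagnosis": "E11"},
    {"email": "Alice@Example.com", "diagnosis": "I10"},  # same person, different casing
]


def normalise(identifier: str) -> bytes:
    """Canonicalise before hashing so one subject always maps to one pseudonym."""
    return identifier.strip().lower().encode("utf-8")


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Deterministic, but there is no secret: anyone who can enumerate plausible
    identifiers (mailing lists, national ID number ranges) recomputes the same
    digests and re-identifies the records. No 'additional information' is
    needed to reverse it, so this is not pseudonymisation in the Art. 4(5) sense.
    """
    return hashlib.sha256(normalise(identifier)).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    The key is the 'additional information' of Art. 4(5): it must be stored
    separately from the pseudonymised dataset, under access control, and is
    what allows authorised re-identification (e.g. to answer an access request).
    """
    return hmac.new(key, normalise(identifier), hashlib.sha256).hexdigest()


def pseudonymise(records: list[dict], key: bytes) -> list[dict]:
    """Replace the direct identifier with a keyed pseudonym, keeping analytic fields."""
    return [
        {"subject_id": keyed_pseudonym(r["email"], key), "diagnosis": r["diagnosis"]}
        for r in records
    ]


def dictionary_attack(pseudonyms: list[str], candidates: list[str]) -> dict[str, str]:
    """Model an attacker without the key: hash every candidate identifier with the
    unkeyed function and look for matches among the pseudonyms."""
    table = {naive_pseudonym(c): c for c in candidates}
    return {p: table[p] for p in pseudonyms if p in table}


def demo() -> dict:
    key = secrets.token_bytes(32)  # generated once; stored apart from the data
    candidates = ["alice@example.com", "bob@example.com", "carol@example.com"]

    naive_ids = [naive_pseudonym(r["email"]) for r in RECORDS]
    keyed_records = pseudonymise(RECORDS, key)
    keyed_ids = [r["subject_id"] for r in keyed_records]

    return {
        # The attacker recovers every identity behind the unkeyed digests ...
        "naive_reidentified": len(set(dictionary_attack(naive_ids, candidates).values())),
        # ... and none behind the keyed ones.
        "keyed_reidentified": len(dictionary_attack(keyed_ids, candidates)),
        # Records of the same subject stay linkable, which is what distinguishes
        # pseudonymisation from anonymisation.
        "linkable": keyed_ids[0] == keyed_ids[2],
        # The key holder can still attribute a pseudonym to its subject.
        "reidentified_with_key": keyed_pseudonym("alice@example.com", key) == keyed_ids[0],
        "distinct_subjects": len(set(keyed_ids)),
    }


if __name__ == "__main__":
    print(demo())
```

Two practical consequences follow from the example. First, if the key is ever stored or backed up together with the pseudonymised dataset, the data is in practice as re-identifiable as the unkeyed version, so key custody is part of the technical and organisational measures, not an afterthought. Second, because the pseudonyms remain linkable, the dataset is still personal data under the GDPR; pseudonymisation reduces risk but does not take the processing out of scope.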