GDPR definitions

This is a glossary where you can find key GDPR definitions and the meaning of relevant terms and abbreviations used in articles on this site. Concepts are described from a GDPR context and may be explained differently outside this specific area.

A

  • ADP: The Autorité de protection des données, or Gegevensbeschermingsautoriteit, is the Belgian Data Protection Authority (ADP). The Belgian Data Protection Authority is the responsible data(...)
  • AP: The Dutch data protection authority is called Autoriteit Persoonsgegevens (AP) and their objective is to provide guidance and advice as well as deal with complaints and make inspections(...)
  • Archiving: A secured storage of documents such that they are rendered inaccessible to authorised users in the ordinary course of business. Since GDPR applies to the processing of personal data in both(...)
  • Article 5: Article 5 sets out the seven fundamental principles for the lawful processing of data. They are the principles of: 'lawfulness, fairness and transparency' (a). According to Recital 39 of(...)
  • Article 6: Article 6 lists the six legal bases that data controllers can use to justify their use of personal data. Without a legal basis, processing cannot be done lawfully under the GDPR. The six(...)
  • Article 8: Article 8 defines the conditions for children's consent in relation to information society services. It limits the age at which a child can consent on their own and puts special duties on(...)
  • Article 9: This article regulates the processing of special category data. Special category data means data that needs more protection than regular data. Therefore, Art. 9 GDPR states that in order to(...)
  • Article 10: Regulates the processing of personal data relating to criminal convictions and offences. The article says: "Processing of personal data relating to criminal convictions and offences or(...)
  • Article 13: The controller needs to provide certain information to a data subject whose personal data have been collected. The article applies when the data regarding a data subject have been collected(...)
  • Article 14: The information that a controller needs to provide to a data subject when the personal data have not been obtained from the data subject himself. This information must be provided to the data(...)
  • Article 22: Article 22 gives data subjects the right to opt out of automated decision-making if it is not strictly necessary. The data subject always has the right not to be subjected to decisions that(...)
  • Article 30: Regulates the requirements regarding a record of processing. The Article states that all controllers need to keep a record of the processing activities they are responsible for. With the exception of(...)
  • Article 32: Article 32 states the security measures that a controller must take to protect the personal data they process. The article mainly approaches security measures that the controller(...)
  • Article 33: Article 33 states that controllers must notify the supervisory authority if a personal data breach occurs. It also states that processors must notify controllers in case of a breach. All(...)
  • Article 35: The controller must carry out a Data Protection Impact Assessment (DPIA) before starting processing that may lead to high risk for the data subjects. A DPIA is particularly essential before(...)
  • Article 44: Article 44 gives the main principle for the transfer of personal data outside of the EU. It prohibits all transfers that do not fulfil the requirements of the GDPR. There are several types(...)
  • Audit: Audit means the inspection or examination of the processor's activities and its facilities to ensure GDPR compliance. Art. 28(3)(h) GDPR states that the terms of the audit should always be(...)
  • Austrian Data Protection Authority: The Datenschutzbehörde is the Austrian Data Protection Authority (DSB). The Austrian Data Protection Authority is the responsible authority for data protection in Austria. Their objective(...)
B

  • BCR: The opportunity for international organisations established in the EU to transfer personal data outside of the EU within their group of undertakings or enterprises. The legal requirements for the(...)
  • Belgian Data Protection Authority: The Autorité de protection des données, or Gegevensbeschermingsautoriteit, is the Belgian Data Protection Authority (ADP). The Belgian Data Protection Authority is the responsible data(...)
  • Binding Corporate Rules: The opportunity for international organisations established in the EU to transfer personal data outside of the EU within their group of undertakings or enterprises. The legal requirements for the(...)
  • Biometric Data: Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique(...)
C

  • CJEU: The Court of Justice of the European Union (CJEU) is the highest court of the EU member states. The court interprets EU law and gives advice to national courts on how to interpret EU law.
  • CNIL: The National Commission on Informatics and Liberty (CNIL) is the data protection authority in France. Their main objectives are to provide guidance and advice as well as deal with complaints(...)
  • Commission nationale de l'informatique et des libertés: The National Commission on Informatics and Liberty (CNIL) is the data protection authority in France. Their main objectives are to provide guidance and advice as well as deal with complaints(...)
  • Compliance: The process of ensuring that an organisation follows applicable laws, rules and regulations. It is an ongoing effort with constant reviews and updates. The ultimate goal is to always act as you(...)
  • Consent: The data subject's freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies(...)
  • Controller: Simplified, the controller is the individual or legal person who determines the purposes for which and the means by which personal data is processed. According to the legal definition in Art. 4(...)
  • Cookies and similar technologies: Cookies are text files that contain a small amount of data and are downloaded to your device when you visit a website. Cookies are useful because they allow a website to recognise your device,(...)
  • Cross-border Processing: When processing of personal data has a connection to more than one member state of the EU, it is called cross-border processing. The meaning of cross-border processing is defined in the GDPR(...)
D

  • Danish Data Protection Authority: Datatilsynet, or the Danish Data Protection Agency, is the Danish Data Protection Authority. Their objective is to provide(...)
  • Data Concerning Health: Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. 'Health(...)
  • Data Controller: Simplified, the data controller is the individual or legal person who determines the purposes for which and the means by which personal data is processed. According to the legal definition in(...)
  • Data Minimisation: Data minimisation is a fundamental principle under the GDPR. It means that you should only collect and process personal data that is absolutely necessary to fulfil your purpose. You need to(...)
  • Data Portability: The right for data subjects to receive and transfer their personal data between data controllers if the personal data has been provided by the data subject, and the processing is based on a(...)
  • Data Processing Agreement: A Data Processing Agreement is a legally binding document to be entered into between a data controller and a data processor when required by the GDPR. In Article 28(3) GDPR it is stated that a(...)
  • Data Processor: The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. For a controller to use a processor, it must ensure that the(...)
  • Data Protection Commission: The Data Protection Commission (DPC), or An Coimisiún um Chosaint Sonraí, is the Irish Data Protection Authority. The Data Protection Commission's objective is to provide guidance and(...)
  • Data Protection Impact Assessment: Data protection impact assessment (DPIA) is a process to identify and mitigate data protection risks. If a processing activity is likely to result in a high risk to individuals, you need to do a(...)
  • Data Protection Impact Assessment: Article 35 of the GDPR stipulates that a processor must carry out a Data Protection Impact Assessment (DPIA) before starting processing data that may lead to high risk for the data subjects. A(...)
  • Data Protection Officer: The Data Protection Officer (DPO) is the function responsible for reviewing and monitoring the privacy practices of their organisation. The tasks of a DPO are many, but consist of at least the(...)
  • Data Sharing Agreement: A Data Sharing Agreement is a contract that documents what data is being shared and how it can be used. It can be used to make data sharing lawful. To lawfully use a processor or a(...)
  • Data Subject: A "data subject" is defined by GDPR as an "identified or identifiable natural person" from whom or about whom information is collected. A company or organisation cannot be a data subject. A(...)
  • Destruction: A physical or technical destruction meant to render the information contained in documents irretrievable by ordinary commercially available means. The destruction of data is an essential part(...)
  • DPA: A Data Processing Agreement is a legally binding document to be entered into between a data controller and a data processor when required by the GDPR. In Article 28(3) GDPR it is stated that a(...)
  • DPC: The Data Protection Commission (DPC), or An Coimisiún um Chosaint Sonraí, is the Irish Data Protection Authority. The Data Protection Commission's objective is to provide guidance and(...)
  • DPIA: Data protection impact assessment (DPIA) is a process to identify and mitigate data protection risks. If a processing activity is likely to result in a high risk to individuals, you need to do a(...)
  • DPO: The Data Protection Officer (DPO) is the function responsible for reviewing and monitoring the privacy practices of their organisation. The tasks of a DPO are many, but consist of at least the(...)
  • DSB: The Datenschutzbehörde is the Austrian Data Protection Authority (DSB). The Austrian Data Protection Authority is the responsible authority for data protection in Austria. Their objective(...)
  • Dutch Supervisory Authority for Data Protection: The Dutch data protection authority is called Autoriteit Persoonsgegevens (AP) and their objective is to provide guidance and advice as well as deal with complaints and make inspections(...)
E

  • EDPS: An EU institution with the goal of ensuring that EU institutions and bodies respect individuals' right to privacy when processing personal data. The EDPS has an essential role as advisor(...)
  • EEA: The European Economic Area (EEA) is an extension of the single market of the European Union (EU). Part of EU law still applies within the EEA. The EEA includes the 27 member states of the EU(...)
  • Enterprise: A natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.
  • ePrivacy Directive: The purpose of the ePrivacy Directive is to ensure confidentiality and privacy in electronic communication. It complements the GDPR and is a form of specialisation, especially regarding(...)
  • EU: The European Union (EU) is a union of 27 European states which share an internal single market and in which EU law applies. The EU was established through the Maastricht Treaty, which was signed in 1992 and(...)
  • European Economic Area: The European Economic Area (EEA) is an extension of the single market of the European Union (EU). Part of EU law still applies within the EEA. The EEA includes the 27 member states of the EU(...)
  • European Union: The European Union (EU) is a union of 27 European states which share an internal single market and in which EU law applies. The EU was established through the Maastricht Treaty, which was signed in 1992 and(...)
F

  • Filing System: Any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis. Since GDPR(...)
  • First-party cookie: A first-party cookie is a cookie that the website provider creates and stores. It is stored directly on the user's device. The definition of a first-party cookie is the website provider's(...)
G

  • GDPR: A regulation (set of rules) drafted by the EU. All EU Member States must follow these rules. It sets out rules for data protection and privacy for all individuals within the EU. The GDPR(...)
  • General Data Protection Regulation: A regulation (set of rules) drafted by the EU. All EU Member States must follow these rules. It sets out rules for data protection and privacy for all individuals within the EU. The GDPR(...)
  • Group of Undertakings: A controlling undertaking that has a dominant influence over another company. This influence can be exercised, for example, through: financial ownership of a company's capital; controlling the(...)
I

  • IMY: The Swedish Supervisory Authority is called Integritetsskyddsmyndigheten (IMY) and is based in Stockholm. Before 2021 the name was Datainspektionen (DI). Their main objectives are to provide(...)
  • Information Society Service: A service defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council as: "Any service normally provided for remuneration, at a distance,(...)
  • Integritetsskyddsmyndigheten: The Swedish Supervisory Authority is called Integritetsskyddsmyndigheten (IMY) and is based in Stockholm. Before 2021 the name was Datainspektionen (DI). Their main objectives are to provide(...)
  • International Organisation: An organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries. For(...)
J

  • Joint Controller: A joint controllership is when two controllers both determine the purposes and means of the processing of personal data, and both are jointly responsible for GDPR compliance. For this, the(...)
  • Joint Controllers: Joint Controllers are two or more parties that together decide the purposes and/or means of how personal data is used. Article 26(1) GDPR provides the definition of the joint(...)
L

  • Legal Basis: Legal basis is one of the criteria for lawful processing of data under the GDPR. The legal bases are stated in Article 6 GDPR, and there are six available legal bases to motivate a(...)
  • Legitimate Interest: Legitimate interest is one of the legal bases and is stated in Art. 6(1)(f) GDPR. This legal basis can be used when the data controller can conclude that the processing is necessary for their(...)
M

  • Main Establishment: Main establishment means (a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes(...)
P

  • Personal Data: Simplified, it is data relating to a physical person who can be identified, directly or indirectly, with this data. The GDPR definition of personal data is stated in Art. 4(1) GDPR as: "Any(...)
  • Personal Data Breach: Can be defined as any security incident that affects the confidentiality, integrity or availability of personal data. Therefore, a data breach can occur, for example, every time data is lost,(...)
  • Personally Identifiable Information: Personally Identifiable Information (PII) is any information about a person that can be used to identify them. This could be the date and place of birth or biometric records. The term is a(...)
  • PII: Personally Identifiable Information (PII) is any information about a person that can be used to identify them. This could be the date and place of birth or biometric records. The term is a(...)
  • Privacy by Design: Privacy by design means that the privacy protection rules are taken into account already when IT systems and procedures are designed. To comply with the Privacy by Design demands, who is(...)
  • Privacy Policy: A policy or information sheet provided by the Controller to the data subjects. It is usually a written text where the data subject can read about the processing in question. Privacy policies(...)
  • Privacy Shield: The Privacy Shield was an international agreement between the EU and the US with requirements to ensure an adequate level of protection of personal data exported to the US. The Privacy(...)
  • Processing: The actual usage of the personal data, which can be anything from collecting and storing to destroying the personal data. Processing of data is a primary condition for GDPR to be(...)
  • Processor: The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. For a controller to use a processor, it must ensure that the(...)
  • Profiling: Simplified, profiling can be defined as an automated processing that, based on aspects of an individual's characteristics, can make predictions and decisions about this individual. Profiling is(...)
  • Pseudonymisation: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such(...)
R

  • Recipient: The natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive(...)
  • Relevant and Reasoned Objection: An objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation,(...)
  • Representative: Representative means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor(...)
  • Restriction of Processing: Restriction of processing means the marking of stored personal data to limit their processing in the future. The right to restriction is one of the data subject rights and means that the(...)
  • Retention: The maintenance of documents in a production or live environment that can be accessed by an authorised user in the ordinary course of business. Retention is an essential part of being(...)
  • Right to Access: The right of access gives individuals the right to obtain a copy of their personal data as well as other supplementary information. The purpose of this right is to help data subjects understand(...)
  • Right to Erasure: The right to erasure, also known as "the right to be forgotten", is stated in Article 17 GDPR and means that individuals have the right to have personal data erased. This right is not an absolute(...)
  • Right to Objection: The right to objection means that individuals have the right to object to the processing of their personal data. This is not an absolute right, which means that the controller is only forced to(...)
  • Right to Rectification: The right to rectification means that individuals have the right to have inaccurate data rectified. This right is stated in Article 16, which says: "The data subject shall have the right to(...)
  • Right to Restriction: The right to restriction means that individuals have the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way the(...)
S

  • SA: Each Member State in the EU has a supervisory authority (also known as Data Protection Authority) with the task of supervising GDPR compliance. The supervisory authority has many(...)
  • SCC: SCCs are a contract that can be used for data transfers between EU and non-EU countries. The SCCs are a form of appropriate safeguards that can be used when there is no adequacy decision(...)
  • Special Categories of Data: Means personal data that is more sensitive and therefore requires more protection than "regular" personal data. Special category data is often referred to as "sensitive data". The different types(...)
  • Standard Contractual Clauses: SCCs are a contract that can be used for data transfers between EU and non-EU countries. The SCCs are a form of appropriate safeguards that can be used when there is no adequacy decision(...)
  • Strictly necessary cookie: A strictly necessary cookie is a cookie that is vital for the functioning of a website and does not require user consent. Strictly necessary cookies are a necessary tool for the user to(...)
  • Sub-Processor: A Sub-Processor is a third-party data processor engaged by a Data Processor who has or will have access to or process personal data from a Data Controller. In order to use a sub-processor, the(...)
  • Supervisory Authority: Each Member State in the EU has a supervisory authority (also known as Data Protection Authority) with the task of supervising GDPR compliance. The supervisory authority has many(...)
  • Supervisory Authority Concerned: The supervisory authority which is concerned by the processing of personal data because: the controller or processor is established on the territory of the Member State of that supervisory(...)
T

  • The Court of Justice of the European Union: The Court of Justice of the European Union (CJEU) is the highest court of the EU member states. The court interprets EU law and gives advice to national courts on how to interpret EU law.
  • Third Country: In the context of GDPR, this means countries that are not members of the European Economic Area (EEA). This area includes all member countries of the EU and Iceland, Liechtenstein and(...)
  • Third Party: Is defined as the natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or(...)
  • Third-party cookie: A third-party cookie is a cookie that is created by another website than the one that the user is visiting. They allow third parties to track the user. By definition, a third-party cookie(...)
  • Transfer Impact Assessment: A data Transfer Impact Assessment (TIA) is an assessment of the privacy protections of the laws and regulations of a recipient country outside of the EU/EEA. Transfer Impact Assessments(...)
  • Transparency: In sum, transparent processing means that organisations are open and clear about who they are, how they process personal data and why they process personal data. Transparency is(...)