GDPR definitions

This is a glossary where you can find key GDPR definitions and the meaning of relevant terms and abbreviations used in articles on this site. Concepts are described from a GDPR context and may be explained differently outside this specific area.

  • a
  • Archiving
    A secured storage of documents such that they are rendered inaccessible to authorised users in the ordinary course of business. Since GDPR applies to the processing of personal data in both(...)
  • Article 9
    This article regulates the processing of special category data. Special category data means data that needs more protection than regular data. Therefore, Art. 9 GDPR states that in order to(...)
  • Article 10
    Regulates the processing of personal data relating to criminal convictions and offences. The article says: "Processing of personal data relating to criminal convictions and offences or(...)
  • Article 13
    The controller needs to provide certain information to a data subject whose personal data have been collected. The article applies when the data regarding a data subject have been collected(...)
  • Article 14
    The information that a controller needs to provide to a data subject when the personal data have not been obtained from the data subject directly. This information must be provided to the data(...)
  • Article 30
    Regulates the requirements for a record of processing activities. The article states that all controllers must keep a record of the processing activities they are responsible for, with exceptions for(...)
  • Article 35
    The controller must carry out a Data Protection Impact Assessment (DPIA) before starting a processing activity that may lead to a high risk for the data subjects. A DPIA is particularly essential before(...)
  • Audit
    Audit means the inspection or examination of the processor's activities and its facilities to ensure GDPR compliance. Art. 28(3)(h) GDPR states that the terms of the audit always should be(...)
  • b
  • BCR
    A mechanism allowing multinational groups established in the EU to transfer personal data outside of the EU within their group of undertakings or enterprises. The legal requirements for the(...)
  • Binding Corporate Rules
    A mechanism allowing multinational groups established in the EU to transfer personal data outside of the EU within their group of undertakings or enterprises. The legal requirements for the(...)
  • Biometric Data
    Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique(...)
  • c
  • CJEU
    The Court of Justice of the European Union (CJEU) is the highest court of the EU in matters of EU law. The court interprets EU law and, through preliminary rulings, tells national courts how EU law is to be interpreted.
  • CNIL
    National Commission on Informatics and Liberty (CNIL) is the data protection authority in France. Their main objectives are to provide guidance and advice as well as deal with complaints(...)
  • Commission nationale de l'informatique et des libertés
    National Commission on Informatics and Liberty (CNIL) is the data protection authority in France. Their main objectives are to provide guidance and advice as well as deal with complaints(...)
  • Compliance
    The process of ensuring that an organisation follows applicable laws, rules and regulations. It is an on-going effort with constant reviews and updates. The ultimate goal is to always act as you(...)
  • Consent
    The data subject's freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies(...)
  • Controller
    Simplified, the controller is the individual or legal person who determines the purposes for which and the means by which personal data is processed. According to the legal definition in Art. 4(...)
  • Cookies and similar technologies
    Cookies are text files that contain a small amount of data and are downloaded on your device when you visit a website. Cookies are useful because they allow a website to recognize your device,(...)
  • Cross-border Processing
    When a processing of personal data has a connection to more than one member state of the EU it is called cross-border processing. The meaning of cross-border processing is defined in the GDPR(...)
  • d
  • Data Concerning Health
    Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. 'Health(...)
  • Data Controller
    Simplified, the data controller is the individual or legal person who determines the purposes for which and the means by which personal data is processed. According to the legal definition in(...)
  • Data Minimisation
    Data minimisation is a fundamental principle under the GDPR. It means that you should only collect and process personal data that is adequate, relevant and limited to what is necessary to fulfil your purpose. You need to(...)
  • Data Portability
    The right for data subjects to receive and transfer their personal data between data controllers if the personal data has been provided by the data subject, and the processing is based on a(...)
  • Data Processing Agreement
    A Data Processing Agreement is a legally binding document to be entered into between a data controller and a data processor when required by the GDPR. In Article 28(3) GDPR it is stated that a(...)
  • Data Processor
    The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. For a controller to use a processor, it must ensure that the(...)
  • Data Protection Authority
    Also known as Supervisory Authority. Each Member State in the EU has a supervisory authority with the task of supervising GDPR-compliance. The supervisory authority has many responsibilities(...)
  • Data Protection Impact Assessment
    Data protection impact assessment (DPIA) is a process to identify and mitigate data protection risks. If a processing activity is likely to result in a high risk to individuals, you need to do a(...)
  • Data Protection Impact Assessment
    Article 35 of the GDPR stipulates that a controller must carry out a Data Protection Impact Assessment (DPIA) before starting processing that may lead to a high risk for the data subjects. A(...)
  • Data Protection Officer
    The Data Protection Officer (DPO) is responsible for reviewing and monitoring the internal privacy work carried out by an organisation. The tasks of a DPO are many, but include at least the(...)
  • Data Subject
    An identified or identifiable natural person (i.e. not a company or organisation) whose personal data is being processed by a controller; the GDPR's territorial scope covers, among others, data subjects who are in the European Union. The primary purposes of GDPR are to protect(...)
  • Destruction
    A physical or technical destruction meant to render the information contained in documents irretrievable by ordinary commercially available means. The destruction of data is an essential part(...)
  • DPA
    A Data Processing Agreement is a legally binding document to be entered into between a data controller and a data processor when required by the GDPR. In Article 28(3) GDPR it is stated that a(...)
  • DPIA
    Data protection impact assessment (DPIA) is a process to identify and mitigate data protection risks. If a processing activity is likely to result in a high risk to individuals, you need to do a(...)
  • DPO
    The Data Protection Officer (DPO) is responsible for reviewing and monitoring the internal privacy work carried out by an organisation. The tasks of a DPO are many, but include at least the(...)
  • e
  • EDPS
    An EU institution with the goal of ensuring that EU institutions and bodies respect individuals' right to privacy when processing personal data. The EDPS has an essential role as adviser(...)
  • Enterprise
    A natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.
  • ePrivacy Directive
    The purpose of the ePrivacy directive is to ensure confidentiality and privacy in electronic communication. It complements the GDPR and is a form of specialisation, especially regarding(...)
  • f
  • Filing System
    Any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis. Since GDPR(...)
  • g
  • GDPR
    A regulation (set of rules) adopted by the EU and directly applicable in all EU Member States. It sets out rules for data protection and privacy for all individuals within the EU. The GDPR(...)
  • General Data Protection Regulation
    A regulation (set of rules) adopted by the EU and directly applicable in all EU Member States. It sets out rules for data protection and privacy for all individuals within the EU. The GDPR(...)
  • Group of Undertakings
    A controlling undertaking together with the undertakings it controls. A controlling undertaking is one that can exert a dominant influence over another company, for example through: financial ownership of a company's capital; controlling the(...)
  • i
  • Information Society Service
    A service defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council as: "Any service normally provided for remuneration, at a distance,(...)
  • International Organisation
    An organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries. For(...)
  • j
  • Joint Controllers
    Joint Controllers are two or more parties that jointly determine the purposes and means of how personal data is used. Article 26(1) GDPR provides the definition of the joint(...)
  • l
  • Legal Basis
    A legal basis is one of the criteria for lawful processing of data under the GDPR. The legal bases are set out in Article 6 GDPR, which provides six available legal bases to justify a(...)
  • legitimate interest
    Legitimate interest is one of the legal bases and is stated in Art. 6(1)(f) GDPR. This legal basis can be used when the data controller can conclude that the processing is necessary for their(...)
  • m
  • Main Establishment
    Main establishment means (a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes(...)
  • p
  • Personal Data
    Simplified, it is data relating to a natural (physical) person who can, with this data, be identified directly or indirectly. The GDPR definition of personal data is stated in Art. 4(1) GDPR as: "Any(...)
  • Personal Data Breach
    Can be defined as any security incident that affects the confidentiality, integrity or availability of personal data. Therefore a data breach, for example, can occur every time data is lost,(...)
  • Privacy by Design
    Privacy by design means that the privacy protection rules are taken into account already when IT systems and procedures are designed. To comply with the Privacy by design demands, who is(...)
  • Privacy Policy
    A policy or information sheet provided by the Controller to the data subjects. It is usually a written text where the data subject can read about the processing in question. Privacy policies(...)
  • Processing
    Any operation performed on personal data, which can be anything from collecting or storing to destroying the personal data. Processing of data is a primary condition for GDPR to be(...)
  • Processor
    The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. For a controller to use a processor, it must ensure that the(...)
  • Profiling
    Simplified, profiling can be defined as an automated processing that, based on aspects of an individual's characteristics, can make predictions and decisions about this individual. Profiling is(...)
  • Pseudonymisation
    The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such(...)
  • r
  • Recipient
    The natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive(...)
  • Relevant and Reasoned Objection
    An objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation,(...)
  • Representative
    Representative means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor(...)
  • Restriction of Processing
    Restriction of processing means the marking of stored personal data to limit their processing in the future. The right to restriction is one of the data subject rights and means that the(...)
  • Retention
    The maintenance of documents in a production or live environment that can be accessed by an authorised user in the ordinary course of business. Retention is an essential part of being(...)
  • Right to Access
    The right of access gives individuals the right to obtain a copy of their personal data as well as other supplementary information. The purpose of this right is to help data subjects understand(...)
  • Right to Erasure
    The right to erasure, also known as "the right to be forgotten" is stated in article 17 GDPR and means that individuals have the right to have personal data erased. This right is not an absolute(...)
  • Right to Objection
    The right to object means that individuals have the right to object to the processing of their personal data. This is not an absolute right, which means that controllers are only obliged to(...)
  • Right to Rectification
    The right to rectification means that individuals have the right to have inaccurate data rectified. This right is stated in Article 16, that says: "The data subject shall have the right to(...)
  • Right to Restriction
    The right to restriction means that the individuals have the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way the(...)
  • s
  • Special Categories of Data
    Means personal data that is more sensitive and therefore requires more protection than "regular" personal data. Special category data is often referred to as "sensitive data". The different types(...)
  • Sub-Processor
    A Sub-Processor is a third party data processor engaged by a Data Processor who has or will have access to or process personal data from a Data Controller. In order to use a sub-processor, the(...)
  • Supervisory Authority Concerned
    The supervisory authority which is concerned by the processing of personal data because: the controller or processor is established on the territory of the Member State of that supervisory(...)
  • Swedish DPA
    The Swedish Data Protection Authority is called Datainspektionen (DI) and is based in Stockholm. Their main objectives are to provide guidance and advice as well as deal with complaints and(...)
  • Swedish Data Protection Authority
    The Swedish Data Protection Authority is called Datainspektionen (DI) and is based in Stockholm. Their main objectives are to provide guidance and advice as well as deal with complaints and(...)
  • t
  • The Court of Justice of the European Union
    The Court of Justice of the European Union (CJEU) is the highest court of the EU in matters of EU law. The court interprets EU law and, through preliminary rulings, tells national courts how EU law is to be interpreted.
  • Third Country
    In the context of GDPR, this means countries that are not members of the European Economic Area (EEA). This area includes all member countries of the EU and Iceland, Liechtenstein and(...)
  • Third Party
    Is defined as the natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or(...)
  • Transparency
    In sum, transparent processing means that organisations are open and clear with: who they are; how they process personal data; why they process personal data. Transparency is(...)
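The Pseudonymisation entry above turns on one phrase: the data "can no longer be attributed to a specific data subject without the use of additional information", and that additional information must be kept separately. The following is an added example, not code from this site; it uses HMAC-SHA256 as the pseudonymisation technique (an assumption, since the GDPR prescribes no particular method), keeps the key and the pseudonym-to-identifier table in a separate vault object, and contrasts it with a plain unkeyed hash, which a dictionary attack over guessed identifiers reverses trivially. The records, names and e-mail addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# Constructed sample records (fictitious people, not data from the page):
# direct identifiers alongside the attributes a downstream team actually needs.
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "name": "Alice Andersson", "city": "Stockholm", "orders": 3},
    {"email": "bob@example.com", "name": "Bob Berg", "city": "Malmö", "orders": 1},
    {"email": "alice@example.com ", "name": "Alice Andersson", "city": "Stockholm", "orders": 2},
]

DIRECT_IDENTIFIERS = ("email", "name")


def normalise(identifier: str) -> str:
    """Canonicalise an identifier so the same subject always yields the same pseudonym."""
    return identifier.strip().lower()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym (assumed technique): deterministic under one key,
    infeasible to reverse or to precompute without that key."""
    return hmac.new(key, normalise(identifier).encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 of the identifier. Included only to show why this is NOT
    sufficient: anyone can hash a list of candidates and match the values."""
    return hashlib.sha256(normalise(identifier).encode("utf-8")).hexdigest()


class PseudonymisationVault:
    """Holds the 'additional information' of Art. 4(5): the secret key and the
    pseudonym-to-identifier table. Store this apart from the pseudonymised
    dataset, under its own access controls; whoever holds both can re-identify."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self.lookup: Dict[str, str] = {}  # pseudonym -> normalised identifier

    def pseudonymise_record(self, record: dict) -> dict:
        """Return a copy of the record with direct identifiers replaced by pseudonyms."""
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                pseudonym = keyed_pseudonym(out[field], self.key)
                self.lookup[pseudonym] = normalise(out[field])
                out[field] = pseudonym
        return out

    def reidentify(self, pseudonym: str) -> Optional[str]:
        """Reverse a pseudonym; only possible for the holder of the vault."""
        return self.lookup.get(pseudonym)


def pseudonymise_dataset(records: List[dict], vault: PseudonymisationVault) -> List[dict]:
    """Pseudonymise every record; the dataset alone no longer names anyone."""
    return [vault.pseudonymise_record(r) for r in records]


def dictionary_attack(target: str, candidates: List[str],
                      hash_fn: Callable[[str], str]) -> Optional[str]:
    """Attacker's view: match a stored value against guessed identifiers.
    Succeeds against unkeyed hashes, fails against keyed pseudonyms."""
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), target):
            return normalise(candidate)
    return None


if __name__ == "__main__":
    vault = PseudonymisationVault()
    dataset = pseudonymise_dataset(SAMPLE_RECORDS, vault)
    for row in dataset:
        print(row)
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]
    print("unkeyed hash recovered:",
          dictionary_attack(unkeyed_hash("alice@example.com"), guesses, unkeyed_hash))
    print("keyed pseudonym recovered:",
          dictionary_attack(dataset[0]["email"], guesses, unkeyed_hash))
    print("vault re-identifies:", vault.reidentify(dataset[0]["email"]))
```

Two properties matter for the legal definition. The pseudonymised dataset still links records of the same subject (both Alice rows share one pseudonym, so analytics work), yet without the vault nobody can say who that subject is; the unkeyed hash fails this test because the identifier space (e-mail addresses, names) is small enough to enumerate. Keeping the vault with the dataset, or giving the same team both, collapses the distinction and the data is simply personal data again.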