GDPR definitions

This is a glossary where you can find key GDPR definitions and the meaning of relevant terms and abbreviations used in articles on this site. Concepts are described from a GDPR context and may be explained differently outside this specific area.

  • a

  • A secured storage of documents such that they are rendered inaccessible to authorised users in the ordinary course of business. Since GDPR applies to the processing of personal data in both(...)
  • Article 5 sets out the seven fundamental principles for the lawful processing of data. They are the principles of: 'lawfulness, fairness and transparency' (a). According to Recital 39 of(...)
  • Article 6 lists the six legal bases that data controllers can use to justify their use of personal data. Without a legal basis, processing cannot be done lawfully under the GDPR. The six(...)
  • Article 8 defines the conditions for children's consent in relation to information society services. It limits the age for when a child can consent on their own and puts special duties on(...)
  • This article regulates the processing of special category data. Special category data means data that needs more protection than regular data. Therefore, Art. 9 GDPR states that in order to(...)
  • Regulates the processing of personal data that is relating to criminal convictions and offences. The article says: "Processing of personal data relating to criminal convictions and offences or(...)
  • The controller needs to provide certain information to a data subject whose personal data have been collected. The article applies when the data regarding a data subject have been collected(...)
  • The information that a controller needs to provide to a data subject when the personal data have not been obtained from the data subject himself. This information must be provided to the data(...)
  • Article 22 gives data subjects the right to opt out of automated decision-making if it is not strictly necessary. The data subject always has the right not to be subjected to decisions that(...)
  • Regulates the demands regarding a record of processing. The article states that all controllers need to keep a record of the processing activities they are responsible for. With the exception of(...)
  • Article 32 states the security measures that a controller must take. This is to protect the personal data they process. The article mainly approaches security measures that the controller(...)
  • Article 33 states that controllers must notify the supervisory authority if a personal data breach occurs. It also states that processors must notify controllers in case of a breach. All(...)
  • The controller must carry out a Data Protection Impact Assessment (DPIA) before starting a processing that may lead to high risk for the data subjects. A DPIA is particularly essential before(...)
  • Article 44 gives the main principle for the transfer of personal data outside of the EU. It prohibits all transfers that do not fulfil the requirements of the GDPR. There are several types(...)
  • Audit means the inspection or examination of the processor's activities and its facilities to ensure GDPR compliance. Art. 28(3)(h) GDPR states that the terms of the audit should always be(...)
  • The Datenschutzbehörde is the Austrian Data Protection Authority (DSB). The Austrian Data Protection Authority is the responsible authority for data protection in Austria. Their objective(...)
  • b

  • The Autorité de protection des données, or Gegevensbeschermingsautoriteit, is the Belgian Data Protection Authority (ADP). The Belgian Data Protection Authority is the responsible data(...)
  • The opportunity for international organisations established in the EU to transfer personal data outside of the EU within their group of undertakings or enterprises. The legal demands for the(...)
  • Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique(...)
  • c

  • National Commission on Informatics and Liberty (CNIL) is the data protection authority in France. Their main objectives are to provide guidance and advice as well as deal with complaints(...)
  • The process of ensuring that an organisation follows applicable laws, rules and regulations. It is an on-going effort with constant reviews and updates. The ultimate goal is to always act as you(...)
  • The data subject's freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies(...)
  • Simplified, the controller is the individual or legal person who determines the purposes for which and the means by which personal data is processed. According to the legal definition in Art. 4(...)
  • Cookies are text files that contain a small amount of data and are downloaded on your device when you visit a website. Cookies are useful because they allow a website to recognize your device,(...)
  • When a processing of personal data has a connection to more than one member state of the EU it is called cross-border processing. The meaning of cross-border processing is defined in the GDPR(...)
  • d

  • Datatilsynet, or the Danish Data Protection Agency, is the Danish Data Protection Authority. Their objective is to provide(...)
  • Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. 'Health(...)
  • Simplified, the data controller is the individual or legal person who determines the purposes for which and the means by which personal data is processed. According to the legal definition in(...)
  • Data minimisation is a fundamental principle under the GDPR. It means that you should only collect and process personal data that is absolutely necessary to fulfil your purpose. You need to(...)
  • The right for data subjects to receive and transfer their personal data between data controllers if the personal data has been provided by the data subject, and the processing is based on a(...)
  • A Data Processing Agreement is a legally binding document to be entered into between a data controller and a data processor when required by the GDPR. In article 28(3) GDPR it is stated that a(...)
  • The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. For a controller to use a processor, it must ensure that the(...)
  • The Data Protection Commission (DPC), or An Coimisiún um Chosaint Sonraí, is the Irish Data Protection Authority. The Data Protection Commission's objective is to provide guidance and(...)
  • Data protection impact assessment (DPIA) is a process to identify and mitigate data protection risks. If a processing activity is likely to result in a high risk to individuals, you need to do a(...)
  • Article 35 of the GDPR stipulates that a processor must carry out a Data Protection Impact Assessment (DPIA) before starting processing data that may lead to high risk for the data subjects. A(...)
  • The Data Protection Officer (DPO) is the function responsible for reviewing and monitoring the privacy practices of their organisation. The tasks of a DPO are many, but consist of at least the(...)
  • A Data Sharing Agreement is a contract that documents what data is being shared and how it can be used. It can be used to make data sharing lawful. To lawfully use a processor or a(...)
  • A "data subject" is defined by GDPR as an "identified or identifiable natural person" from whom or about whom information is collected. A company or organisation cannot be a data subject. A(...)
  • A physical or technical destruction meant to render the information contained in documents irretrievable by ordinary commercially available means. The destruction of data is an essential part(...)
  • The Dutch data protection authority is called Autoriteit Persoonsgegevens (AP) and their objective is to provide guidance and advice as well as deal with complaints and make inspections(...)
  • e

  • An EU institution with the goal of ensuring that EU institutions and bodies respect individuals' right to privacy when processing personal data. The EDPS has an essential role as an advisor(...)
  • A natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.
  • The purpose of the ePrivacy directive is to ensure confidentiality and privacy in electronic communication. It complements the GDPR and is a form of specialisation, especially regarding(...)
  • The European Economic Area (EEA) is an extension of the single market of the European Union (EU). Part of EU law still applies within the EEA. The EEA includes the 27 member states of the EU(...)
  • The European Union (EU) is a union of 27 European states which share an internal single market and in which EU law applies. The EU was established through the Maastricht Treaty, which was signed in 1992 and(...)
  • f

  • Any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis. Since GDPR(...)
  • A first-party cookie is a cookie that the website provider creates and stores. It is stored directly on the user's device. The definition of a first-party cookie is the website provider's(...)
  • g

  • A regulation (set of rules) drafted by the EU. All EU Member States must follow these rules. It sets out rules for data protection and privacy for all individuals within the EU. The GDPR(...)
  • A controlling undertaking that has a dominant influence over another company. This influence can be exercised, for example, through: financial ownership of a company's capital; controlling the(...)
  • i

  • A service defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council (19) as: "Any service normally provided for remuneration, at a distance,(...)
  • The Swedish Supervisory Authority is called Integritetsskyddsmyndigheten (IMY) and is based in Stockholm. Before 2021 the name was Datainspektionen (DI). Their main objectives are to provide(...)
  • An organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries. For(...)
  • j

  • A joint controllership is when two controllers both determine the purposes and means of the processing of personal data, and both are jointly responsible for GDPR compliance. For this, the(...)
  • Joint Controllers are two or more parties that together decide the purposes and/or means of how personal data is used. Article 26(1) GDPR provides the definition of the joint(...)
  • l

  • Legal basis is one of the criteria for lawful processing of data under the GDPR. The legal bases are stated in Article 6 GDPR, and there are six available legal bases to motivate a(...)
  • Legitimate interest is one of the legal bases and is stated in Art. 6(f) GDPR. This legal basis can be used when the data controller can conclude that the processing is necessary for their(...)
  • m

  • Main establishment means (a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes(...)
  • p

  • Simplified, it is data relating to a natural person who can be identified, directly or indirectly, from this data. The GDPR definition of personal data is stated in Art. 4(1) GDPR as: "Any(...)
  • Can be defined as any security incident that affects the confidentiality, integrity or availability of personal data. Therefore a data breach, for example, can occur every time data is lost,(...)
  • Personally Identifiable Information (PII) is any information about a person that can be used to identify them. This could be the date and place of birth or biometric records. The term is a(...)
  • Privacy by design means that the privacy protection rules are taken into account already when IT systems and procedures are designed. To comply with the Privacy by design demands, who is(...)
  • A policy or information sheet provided by the Controller to the data subjects. It is usually a written text where the data subject can read about the processing in question. Privacy policies(...)
  • The Privacy Shield was an international agreement between the EU and the US with requirements to ensure an adequate level of protection of personal data exported to the US. The Privacy(...)
  • The actual usage of the personal data which can be anything from collecting, storing or destroying the personal data. Processing of data is a primary condition for GDPR to be(...)
  • The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. For a controller to use a processor, it must ensure that the(...)
  • Simplified, profiling can be defined as automated processing that, based on aspects of an individual's characteristics, can make predictions and decisions about this individual. Profiling is(...)
  • The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such(...)
  • r

  • The natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive(...)
  • An objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation,(...)
  • Representative means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor(...)
  • Restriction of processing means the marking of stored personal data to limit their processing in the future. The right to restriction is one of the data subject rights and means that the(...)
  • The maintenance of documents in a production or live environment that can be accessed by an authorised user in the ordinary course of business. Retention is an essential part of being(...)
  • The right of access gives individuals the right to obtain a copy of their personal data as well as other supplementary information. The purpose of this right is to help data subjects understand(...)
  • The right to erasure, also known as "the right to be forgotten" is stated in article 17 GDPR and means that individuals have the right to have personal data erased. This right is not an absolute(...)
  • The right to object means that individuals have the right to object to the processing of their personal data. This is not an absolute right, which means that the controller is only forced to(...)
  • The right to rectification means that individuals have the right to have inaccurate data rectified. This right is stated in Article 16, that says: "The data subject shall have the right to(...)
  • The right to restriction means that the individuals have the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way the(...)
  • s

  • Means personal data that is more sensitive and therefore requires more protection than "regular" personal data. Special category data is often referred to as "sensitive data". The different types(...)
  • SCCs are a contract that can be used for data transfers between EU and non-EU countries. SCCs are a form of appropriate safeguards that can be used when there is no adequacy decision(...)
  • A strictly necessary cookie is a cookie that is vital for the functioning of a website and does not require user consent. Strictly necessary cookies are a necessary tool for the user to(...)
  • A Sub-Processor is a third party data processor engaged by a Data Processor who has or will have access to or process personal data from a Data Controller. In order to use a sub-processor, the(...)
  • Each Member State in the EU has a supervisory authority (also known as Data Protection Authority) with the task of supervising GDPR compliance. The supervisory authority has many(...)
  • The supervisory authority which is concerned by the processing of personal data because: the controller or processor is established on the territory of the Member State of that supervisory(...)
  • t

  • The Court of Justice of the European Union (CJEU) is the highest court of the EU member states. The court interprets EU law and gives guidance to national courts on how to interpret EU law.

  • In the context of GDPR, this means countries that are not members of the European Economic Area (EEA). This area includes all member countries of the EU and Iceland, Liechtenstein and(...)
  • Is defined as the natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or(...)
  • A third-party cookie is a cookie that is created by another website than the one that the user is visiting. They allow third parties to track the user. Per definition, a third-party cookie(...)
  • A data Transfer Impact Assessment (TIA) is an assessment of the privacy protections of the laws and regulations of a recipient country outside of the EU/EEA. Transfer Impact Assessments(...)
  • In sum, transparent processing means that organisations are open and clear with: who they are; how they process personal data; why they process personal data. Transparency is(...)