Glossary of Key Terms:
For international data transfers, a decision made by the European Commission that a country or territory outside European Economic Area ensures an adequate level of protection. The Commission will issue the list of such countries which satisfy the said criteria.
A process to remove the data that would establish the identity of a person.
Article 29 Working Party
Article 29 Working party is the group of representatives from each EU Member State supervisory authority, as well as the European Data Protection Supervisor and the European Commission. Established by the Data Protection Directive of 1995, the mission of the Article 29 Working Party is:
To provide expert advice to EU members about data protection
To promote the consistent application of the Data Protection Directive in the EU
To give the European Commission opinions on laws affecting personal data, and
To make recommendations to the public about the processing of personal data and privacy in the EU.
Binding corporate rules
Personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in joint economic activity;
Binding corporate rules
Binding corporate rules allow multinational corporations, international organisations, and groups of companies to make intra-organizational transfers of personal data across borders in compliance with EU Data Protection Law. These rules must fulfil the conditions and requirements stipulated under Article 46 of GDPR and must follow the consistency mechanism set out in Article 63.
Biometric data is personal data that is created during a biometric process. It includes samples, models, fingerprints, facial images, similarity scores and all verification or identification data excluding the individual's name and demographics.
Permission given by the individual, which is freely given, specific, informed and explicit by statement or action, signifying agreement to the processing of their personal data.
A mechanism under GDPR for the supervisory authorities to cooperate with each other and with the Commission for the uniform/consistent application of GDPR throughout the Union.
Any individual or entity that, alone or jointly with others, exercises control over the processing of personal data of EU individuals. The data controller decides which personal data is to be collected, and also determines the purposes and means of the processing of personal data.
Code of conduct and certification mechanisms
If a code of conduct of an association or representative body is to be used to demonstrate compliance, it must first be approved by the appropriate supervisory authorities. It is advisable for organisations who are considering this method of compliance to get a head-start and find (or create) a representative body or association to develop a code of conduct for later approval.
Codes of conduct that only affect a single Member State must be submitted to the country’s appropriate supervisory authority for feedback and possible modification or elaboration.
Codes of conduct that cover data processing in numerous Member States need to be submitted to the EDPB – The European Data Protection Board – for prior comment or elaboration before being sent to the European Commission for approval.
(a) Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
(b) Processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
Cross-border Data transfer
Transferring the personal data of EU citizens and residents to third countries and organisations outside the EEA. The GDPR allows the personal data transfer to third countries and organisations but the data controllers and processors have to follow certain rules. The GDPR allows for data transfers to countries whose legal regime is deemed by the European Commission to provide for an “adequate” level of personal data protection. In the absence of an adequacy decision, however, transfers are also allowed outside non-EU states under certain circumstances, such as by use of standard contractual clauses or binding corporate rules (BCRs). Derogations are also permitted under limited additional circumstances.
Data concerning health
Personal data which reveals information about an individual’s physical or mental health status. Health data is categorised as ‘sensitive data’.
A right provided to individuals under GDPR to obtain their data from one controller and transfer it to another controller without hindrance from the controller to which the data was originally provided. The data controller must provide the personal data to the individual in a commonly used, open-standard electronic format.
Under the GDPR, a data processor is an individual or entity that acts at the direction of a data controller to process personal data.
Data Protection Authorities (DPAs)
Authorities established by the individual EU Member States that are tasked with protecting the personal information of their citizens by enforcing EU data protection law. Each DPA is a member of the Article 29 Working Party.
Data Protection Directive
The data protection directive regulated the processing of personal data of EU individuals.
It was adopted in 1995 and first established the Data Protection Authorities in each EU Member State. Because it was a directive, implementation was left up to the discretion of EU Member States. The GDPR came into force on 25 May 2018 and as such the Data Protection Directive has been repealed in an effort to harmonise the data protection laws across the EU.
Data Protection Officer (DPO)
The GDPR necessitates a mandatory appointment of Data Protection Officers for organisations with certain attributes. A DPO is an independent expert on data privacy appointed to advise on and ensure compliance with the GDPR.
A data subject’s request that an organisation deletes his/her personal data when it is no longer needed for its original purpose.
Transfer of personal data outside European Economic Area is prohibited under GDPR. Derogations are exemptions from such prohibition under limited circumstances. International transfer of personal data is allowed when it is:
The first three derogations are not available for the activities of public authorities in the exercise of their public powers.
Data flow refers to the flow of personal data throughout an organisation’s technical infrastructure, including how it enters an organisation, who has access to it, where the data is held and for how long, and whether it is transferred to or from third parties.
Organisations benefit from “mapping” their data flows (i.e. creating diagrams that illustrate the paths on which personal data flows).
This means a natural person whose personal data is processed by a controller or processor.
DPIA - Data Protection Impact Assessment
ePrivacy Directive (2002/58/EC)
Also known as the EU Cookie Directive, it regulates how companies collect individuals’ data online and give people more choice over how their cookies are used to track them.
It deals with the regulation of some important issues such as confidentiality of information, treatment of traffic data, spam and cookies.
EDPB - European Data Protection Board
The Article 29 Working Party, which was established by Directive 95/46/EC (the “Data Protection Directive”) and consists of representatives from EU Member State supervisory authorities together with the Commission and the EDPS, will be abolished by the GDPR. It is to be replaced by the EDPB, which will similarly be made up of the heads of national supervisory authorities (or their representatives) and the EDPS. The EDPB is given a long and detailed list of tasks, but its primary role is to contribute to the consistent application of the GDPR throughout the Union. It advises the Commission, in particular on the level of protection offered by third countries or international organisations, and promotes cooperation between national supervisory authorities. It issues guidelines, recommendations and statements of best practice: for example, on matters such as when a data breach is “likely to result in a high risk to the rights and freedoms” of individuals, or on the requirements for Binding Corporate Rules. It is to encourage Codes of Practice and Certification, both of which will assist controllers and processors in demonstrating compliance with the GDPR. Finally, the EDPB has to prepare an Annual Report.
EDPS - European Data Protection Supervisor
The European Data Protection Supervisor is an independent supervisory authority whose primary objective is to ensure that European institutions and bodies respect the right to privacy and data protection.
The process of converting information or data into code, especially to prevent unauthorised access.
Erasure is also known as the right to be forgotten. It entitles the data subject to have the data controller erase his or her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data.
Any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
General Data Protection Regulation
In force since May 25, 2018 and approved by the European Parliament, the Council of the European Union, and the European Commission in 2016, the General Data Protection Regulation (“GDPR”) is intended to unify and harmonise data protection regulations for all citizens of the EU, as well as regulate citizen data exported outside of the EU.
Personal data relating to the genetic characteristics of a natural person which gives unique information about the physiology or the health of that natural person.
Information society service (Directive 98/34/EC)
Any service usually provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. Examples of information society services: web shops and marketplaces, search engines, online advertising, video sharing sites, blogs, hosting, video-on-demand, online consultancy, online marketplaces, social networking.
An organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
It is a ground on which processing is allowed under GDPR.
Legitimate interest means the stake that the organisation may have in collecting and processing of personal data. It may be a benefit inherent in processing for the organisation itself, for a third party, or for society in general. One example is the processing of data for further offers and processed once that data is collected from the customer during the transaction. Legitimate interest is one of the six lawful bases for the processing of personal data. It is the most flexible lawful basis. However, it should not override individuals interests, rights and freedoms.
Any information that can uniquely identify a natural person, and includes the name, date of birth, biometric data, fingerprints, DNA, health record, identification numbers, online identifiers such as location, IP address, and cookies data, social, cultural, or economic identity.
Personal data breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Processing refers to any operation performed on personal data, whether or not by automated means, including collecting, recording, organising, structuring, storing, modifying, consulting, using, publishing, combining, erasing, and destroying data.
A processor is the person or entity responsible for processing personal data on behalf of the controller.
PIA - Privacy Impact Assessment
PIA is an analysis of how personally identifiable information is collected, used, shared, and maintained. The purpose of a PIA is to demonstrate that program managers and system owners have consciously incorporated privacy protections throughout the development life cycle of a system or program. PIAs allow us to communicate more clearly with the public about how we handle information, including how we address privacy concerns and safeguard information. Privacy impact assessments (PIAs) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. An effective PIA will allow organisations to identify and fix problems at an early stage, reducing associated costs and damage to the reputation which might otherwise occur. PIAs are an integral part of taking privacy by design approach.
Privacy by design and by default
Privacy by design and by default is an approach to systems and application design that takes privacy into account during the engineering process for any system that collects, processes, or stores personal data. The GDPR article 25 states that data controllers, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures which are designed to implement data-protection principles and to integrate the necessary safeguards into the processing. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which is necessary for each specific purpose of the processing is processed. That obligation applies to the amount of personal data collected, the extent of the processing, the period of storage and accessibility.
Benefits of Privacy by Design
Privacy by design is a tool to reduce privacy risk by creating systems, products, processes and projects with privacy at the outset. Benefits include:
Pseudonymization is a procedure by which the most identifying fields within a data record are replaced by one or more artificial identifiers, or pseudonyms so that the personal data are not attributed to a natural person. Such additional information or pseudonyms is kept separately.
The welfare of the general public (in contrast to the selfish interest of a person, group, or firm) in which the whole society has a stake and which warrants recognition, promotion, and protection by the government and its agencies. It is approximated by comparing expected gains and potential costs or losses associated with a decision, policy, program, or project.
PECR - Privacy and Electronic Communications Regulation
The Privacy and Electronic Communications (EC Directive) Regulations 2003 is a law in the United Kingdom which made it unlawful to, amongst other things, transmit an automated recorded message for direct marketing purposes via a telephone, without the prior consent of the subscriber.
Recipient, in relation to personal data, means any person to whom the data is disclosed, but does not include any person to whom disclosure is or may be made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law.
A mandatory appointment of a person or entity by the non-EU data controller or processor, to represent themselves in the EU Member State, whose citizens' personal data they are processing. The representative will act as a contact point between the non-EU data controller or processor, and the Member State supervisory authority.
Restriction of processing
The marking of stored personal data with the aim of limiting their processing in the future.
Right of access to the data subject
Under the GDPR, a data subject may make a written request to any data controller to confirm whether their personal data is being processed, where it is being processed, for what purpose it is being processed and whether it will be shared between other organisations or people. The individual has the right to gain access to this data.
Right to data portability
A data subject must be able to obtain and reuse their personal data by transferring it from one processing system to another without interference from the data controller. The regulation also requires that the data be provided in a commonly used open standard electronic format by the data controller.
Right to erasure
The GDPR allows individuals to request that data controllers erase their personal data when it is no longer necessary for its original purpose, if there is a withdrawal of consent to the organisation having this data, where the data is being used unlawfully, or the data does not comply with other regulations.
Special Categories of Personal Data
This was previously referred to as sensitive personal data in the DPA and includes the processing of any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. As with personal data, the definition of special categories of personal data is broader than the DPA’s sensitive personal data with the main additions being:
Personal data concerning the characteristics of an individual which are inherited or acquired which give unique information about the health or physiology of the individual.
Any personal data relating to the physical, physiological, or behavioural characteristics of an individual which allows their unique identification.
Data concerning health
Any personal data relating to the physical, or mental health of an individual or the provision of health services to them.
Subject Access Right
This right of access entitles the data subject to have access to and information about the personal data that a controller has concerning them.
Sensitive personal data
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.
An authority established by its Member State to supervise the compliance with a specific regulation. In regards to GDPR, each country will have its own authority, for the UK the Information Commissioner’s Office (ICO) will be the Supervisory Authority.
The role of the supervisory authority is:
A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
This is one of the six legal bases to process personal data. Vital interests of data subjects are ‘life or death" scenario. This legal basis can be used to process the personal data to protect someone’s life. But ‘vital interest’ as a legal basis cannot be used for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent.