Thursday, February 29, 2024

GDPR - Terms & Definitions

The General Data Protection Regulation (GDPR) is a European Union regulation that sets strict standards for the processing and protection of personal data. It grants individuals greater control over their information, requires organizations to be transparent about data practices, and imposes significant fines for non-compliance. The GDPR aims to enhance privacy rights and unify data protection laws across the EU.

The General Data Protection Regulation (GDPR) contains numerous terms and definitions relevant to data protection and privacy. A few of those terms are listed below, in alphabetical order:

  • Automated Decision-Making: The use of algorithms or automated processes to make decisions about individuals. GDPR provides rights for data subjects regarding automated decisions, including the right to human intervention.
  • Binding Corporate Rules: These are a set of binding rules that allow multinational companies and organizations to transfer personal data they control from the EU to their affiliates outside the EU (but within the same organization).
  • Biometric Data: Refers to personal data resulting from specific technical processing related to the physical, physiological, or behavioral characteristics of a natural person. Examples include facial images or dactyloscopic data (fingerprint data).
  • Children’s Data: Special protections apply to the processing of personal data of children under the age of 16 (or 13 in some EU member states). Parental consent is required for online services targeting children.
  • Consent: It’s any freely given, specific, informed, and unambiguous indication of a data subject’s wishes. Consent signifies agreement to the processing of personal data related to them.
  • Cross-Border Data Transfers: GDPR imposes restrictions on transferring personal data outside the EU. Organizations must ensure that data transfers to non-EU countries comply with specific conditions (such as adequacy decisions, standard contractual clauses, or binding corporate rules).
  • Data Breach Notification: Organizations must notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach. Data subjects must also be informed if the breach poses a high risk to their rights and freedoms.
  • Data Breach Response Plan: A documented plan outlining steps to take in the event of a data breach. It includes communication protocols, containment measures, and reporting procedures.
  • Data Concerning Health: Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
  • Data Controller: The natural or legal person, public authority, agency, or other body that determines the purposes and means of processing personal data. If Union or Member State law determines these purposes and means, the controller may be specified by that law.
  • Data Minimization: The principle of collecting and processing only the minimum amount of personal data necessary for a specific purpose. Organizations should avoid excessive data collection.
  • Data Portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format. They can also request that this data be transmitted to another data controller.
  • Data Processor: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller.
  • Data Protection Authority (DPA): Another term for supervisory authority. DPAs are responsible for enforcing data protection laws and providing guidance to organizations.
  • Data Protection Impact Assessment (DPIA): A systematic assessment of the potential impact of data processing activities on individuals’ privacy. DPIAs help identify and mitigate risks before implementing new processes.
  • Data Protection Officer (DPO): An individual or role responsible for ensuring an organization’s compliance with data protection laws, including GDPR. The DPO monitors data processing activities, advises on privacy matters, and acts as a point of contact for data subjects and supervisory authorities.
  • Data Retention: Refers to how long personal data is stored by an organization. GDPR requires clear retention policies and limits on data storage.
  • Data Subject Consent Management: Organizations must maintain records of consent obtained from data subjects. This includes details about when and how consent was given, the specific purpose, and the right to withdraw consent.
  • Data Subject Rights: GDPR grants several rights to data subjects, including the right to access, rectification, erasure, restriction of processing, data portability, and objection.
  • Data Subject: A natural person whose personal data is processed by a data controller or processor.
  • Genetic Data: Personal data related to inherited or acquired genetic characteristics of a natural person. This data provides unique information about the individual’s physiology or health and results from analyzing biological samples.
  • Joint Controllership: When two or more entities jointly determine the purposes and means of processing personal data. GDPR provides guidelines for their responsibilities and cooperation.
  • Legitimate Interests: One of the legal bases for processing personal data under GDPR. Organizations can process data based on their legitimate interests, provided it does not override the rights and freedoms of data subjects.
  • One-Stop-Shop: A mechanism that allows organizations with establishments in multiple EU member states to deal with a single supervisory authority (the lead authority) for cross-border data processing.
  • Personal Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data transmitted, stored, or otherwise processed.
  • Personal Data: Any information related to an identified or identifiable natural person (the data subject). Identifiable individuals can be directly or indirectly identified using identifiers like names, identification numbers, location data, or online identifiers.
  • Principles: Fundamental principles embedded within the GDPR that outline main responsibilities for organizations.
  • Privacy by Design and Default: Organizations must integrate data protection principles into their systems and processes from the outset (privacy by design) and ensure that default settings prioritize privacy (privacy by default).
  • Privacy Impact Assessment (PIA): A systematic assessment of the potential impact of data processing activities on individuals’ privacy. PIAs help identify and mitigate risks before implementing new processes.
  • Privacy Notice (Privacy Policy): A document that informs data subjects about how their personal data is processed. It outlines the purposes, legal basis, retention periods, and rights related to data processing.
  • Privacy Shield: A framework for transferring personal data between the EU and the United States. It ensures that companies comply with EU data protection standards when transferring data across the Atlantic.
  • Processing of Personal Data: Any operation or set of operations performed on personal data or sets of personal data, whether by automated means or not. This includes collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction of personal data.
  • Profiling: The automated processing of personal data to evaluate certain aspects of an individual, such as their behavior, preferences, interests, or location. Profiling can be used for targeted advertising, credit scoring, and other purposes.
  • Pseudonymization: The process of replacing direct identifiers (such as names or email addresses) with a pseudonym or code. Pseudonymized data can still be linked back to an individual using additional information.
  • Recipient: A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
  • Restriction of Processing: The marking of stored personal data with the aim of limiting its processing in the future.
  • Right to Access: Data subjects have the right to obtain confirmation from the data controller whether their personal data is being processed and, if so, access to that data. This right allows individuals to be aware of and verify the lawfulness of data processing.
  • Right to Data Portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format. They can also request that this data be transmitted to another data controller.
  • Right to Erasure (Right to Be Forgotten): Data subjects have the right to request the erasure of their personal data from an organization’s records under certain conditions. This right allows individuals to have their data deleted when it is no longer necessary or when they withdraw consent.
  • Right to Rectification: Data subjects can request the correction of inaccurate or incomplete personal data held by a data controller. Organizations must promptly rectify any inaccuracies.
  • Sensitive Personal Data: Also known as “special categories of personal data,” this includes information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or sexual orientation.
  • Supervisory Authority Decisions: DPAs issue decisions and impose fines for GDPR violations. Organizations can appeal these decisions through legal channels.
  • Supervisory Authority: National data protection authorities within EU member states responsible for enforcing data protection laws and monitoring compliance. Examples include the Information Commissioner’s Office (ICO) in the UK and the CNIL in France.
  • Third-Party: A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
