This
glossary is designed to provide a clear and concise understanding of the terminology
and definitions contained within Article 4 of Regulation (EU) 2016/679,
commonly known as the General Data Protection Regulation (GDPR). This regulation,
which has played a pivotal role in shaping data protection and privacy laws in
the European Union, encompasses a wide array of terms and concepts that are
crucial in the realm of personal data security. This glossary aims to serve as
a valuable resource, offering insights and explanations to help individuals, organizations,
and legal professionals navigate the intricacies of the GDPR and its associated
terminology. Whether you are new to the GDPR or seeking a reference guide for
its terminology, this glossary is your go-to source for clarity and comprehension.
Personal Data
Personal data refers to any information concerning an
identified or identifiable natural person ('data subject'). An identifiable
natural person is someone who can be directly or indirectly distinguished,
notably through the use of an identifier like a name, identification number,
location data, online identifier, or by one or more distinctive factors
pertaining to the individual's physical, physiological, genetic, mental,
economic, cultural, or social identity.
Processing
Processing
denotes any operation or set of operations which is performed on personal data
or on sets of personal data, whether or not by automated means, such as
collection, recording, organization, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination,
restriction, erasure or destruction.
Restriction Of Processing
Restriction
of processing signifies the act of marking of stored personal data with the intention
of limiting their processing in the future.
Profiling
Profiling
denotes any type of automated processing of personal data that involves the use
of personal data to assess specific personal characteristics related to a
natural person. This includes the analysis or prediction of aspects concerning
the individual's performance at work, economic situation, health, personal
preferences, interests, reliability, behaviour, location, or movements.
Pseudonymisation
Pseudonymisation
refers to the processing of personal data in such a manner that the personal
data can no longer be attributed to a specific data subject without the use of
additional information, provided that such additional information is kept
separately and is subject to technical and organizational measures to ensure
that the personal data are not attributed to an identified or identifiable
natural person.
Filing System
Filing
system signifies any structured set of personal data which are accessible
according to specific criteria, whether centralised, decentralised or dispersed
on a functional or geographical basis.
Controller
Controller
refers to the natural or legal person, public authority, agency or other body
which, alone or jointly with others, determines the purposes and means of the
processing of personal data; where the purposes and means of such processing
are determined by Union or Member State law, the controller or the specific
criteria for its nomination may be provided for by Union or Member State law.
Processor
Processor
denotes a natural or legal person, public authority, agency or other body which
processes personal data on behalf of the controller.
Recipient
Recipient
refers to a natural or legal person, public authority, agency or another body,
to which the personal data are disclosed, whether a third party or not.
However, public authorities which may receive personal data in the 4.5.2016 EN
Official Journal of the European Union L 119/33 framework of a particular
inquiry in accordance with Union or Member State law shall not be regarded as
recipients; the processing of those data by those public authorities shall be
in compliance with the applicable data protection rules according to the
purposes of the processing.
Third Party
Third
party refers to a natural or legal person, public authority, agency or body
other than the data subject, controller, processor and persons who, under the
direct authority of the controller or processor, are authorised to process
personal data.
Consent
Consent
in the context of the data subject refers to any freely given, specific,
informed and unambiguous indication of the data subject's wishes by which he or
she, by a statement or by a clear affirmative action, signifies agreement to
the processing of personal data relating to him or her.
Personal Data Breach
Personal
Data Breach denotes a security breach that results in the accidental or
unlawful destruction, loss, alteration, unauthorised disclosure of, or access
to, personal data transmitted, stored or otherwise processed.
Genetic Data
Genetic
data refers to personal data associated with the inherited or acquired genetic
characteristics of a natural person which give unique information about the
physiology or the health of that natural person and which result, in
particular, from an analysis of a biological sample from the natural person in
question.
Biometric Data
Biometric
data refers to personal data resulting from specific technical processing
relating to the physical, physiological or behavioural characteristics of a
natural person, which allow or confirm the unique identification of that
natural person, such as facial images or dactyloscopic data.
Data Concerning Health
Data
concerning health refers to personal data related to the physical or mental
health of a natural person, including the provision of health care services,
which reveal information about his or her health status.
Main Establishment
Main
Establishment refers to:
(a)For a
controller with establishments in more than one Member State, the place of its
central administration in the Union, unless the decisions on the purposes and
means of the processing of personal data are taken in another establishment of
the controller in the Union and the latter establishment has the power to have
such decisions implemented, in which case the establishment having taken such
decisions is to be considered to be the main establishment;
(b)For a
processor with establishments in more than one Member State, the place of its
central administration in the Union, or, if the processor has no central
administration in the Union, the establishment of the processor in the Union
where the main processing activities in the context of the activities of an
establishment of the processor take place to the extent that the processor is
subject to specific obligations under this Regulation.
Representative
Representative
refers to a natural or legal person established in the Union who, designated by
the controller or processor in writing pursuant to Article 27, represents the
controller or processor with regard to their respective obligations under this
Regulation.
Enterprise
Enterprise
signifies a natural or legal person engaged in an economic activity,
irrespective of its legal form, including partnerships or associations
regularly engaged in an economic activity.
Group Of Undertakings
Group of undertakings refers
to a controlling undertaking and the undertakings under its control.
Binding Corporate Rules
Binding
corporate rules refers to personal data protection policies which are adhered
to by a controller or processor established on the territory of a Member State
for transfers or a set of transfers of personal data to a controller or
processor in one or more third countries within a group of undertakings, or
group of enterprises engaged in a joint economic activity.
Supervisory Authority
Supervisory
authority denotes an independent public authority which is established by a
Member State pursuant to Article 51.
Supervisory Authority Concerned
Supervisory
authority concerned refers to a supervisory authority which is concerned by the
processing of personal data due to one or more of the following reasons:
(a)the
controller or processor is established on the territory of the Member State of
that supervisory authority;
(b)data
subjects residing in the Member State of that supervisory authority are
substantially affected or likely to be substantially affected by the
processing; or
(c)a
complaint has been lodged with that supervisory authority.
Cross-Border Processing
Cross-border processing
encompasses two scenarios:
(a)The processing
of personal data which takes place in the context of the activities of
establishments in more than one Member State of a controller or processor in
the Union where the controller or processor is established in more than one
Member State;
(b)The processing
of personal data which takes place in the context of the activities of a single
establishment of a controller or processor in the Union but which substantially
affects or is likely to substantially affect data subjects in more than one
Member State.
Relevant And Reasoned Objection
Relevant
and Reasoned Objection signifies an objection to a draft decision as to whether
there is an infringement of this Regulation, or whether envisaged action in
relation to the controller or processor complies with this Regulation, which
clearly demonstrates the significance of the risks posed by the draft decision
as regards the fundamental rights and freedoms of data subjects and, where
applicable, the free flow of personal data within the Union.
Information Society Service
Information
society service refers to a service as defined in point (b) of Article 1(1) of
Directive (EU) 2015/1535 of the European Parliament and of the Council.
International Organization
International
organization refers to an organization and its subordinate bodies governed by
public international law, or any other body which is set up by, or on the basis
of, an agreement between two or more countries.