-
Accountability
Accountability is the ability to demonstrate compliance with the GDPR. The regulation explicitly states that this is the organisation's responsibility. In order to demonstrate compliance, appropriate technical and organisational measures have to be implemented. Best practice tools such as privacy impact assessments and privacy by design are now legally required in certain circumstances.
-
Consent
Consent is any "freely given, specific, informed and unambiguous" indication of the individual's wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed for one or more specific purposes. The affirmative action, or positive opt-in, means that consent cannot be inferred from silence, pre-ticked boxes, or inactivity. It should also be separate from terms and conditions, and there must be a simple way to withdraw it. Public authorities and employers will need to pay special attention to ensure that consent is freely given. Existing consents do not have to be refreshed automatically in preparation for the GDPR, but they have to meet the GDPR standard for being specific, granular, clear, opt-in, properly documented and easily withdrawn. If not, change your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.
-
Data Controller
Any organisation, person, or body that determines the purposes and means of processing personal data, controls the data and is responsible for it, alone or jointly. Examples where the data controller is an individual include general practitioners, pharmacists, and politicians, where these individuals keep personal information about their patients, clients, constituents, etc. Examples of organisations that can be data controllers include for-profit or not-for-profit, private or government-owned, large or small organisations, where those organisations keep personal information about their employees, clients, etc.
-
Data Processor
A data processor processes the data on behalf of the data controller. Examples include payroll companies, accountants, and market research companies.
-
Data Protection Officer
The appointment of a data protection officer is obligatory if: 1) processing is carried out by a public authority; or 2) the "core activities" of a data controller / data processor either require "the regular and systematic monitoring of data subjects on a large scale", or consist of processing of special categories of data or data about criminal convictions "on a large scale". The role is to guide the company towards compliance with the GDPR and to advise management and staff on the right measures.
-
Data Processing Agreement
A data processing agreement (DPA) is a legally binding document to be entered into between the controller and the processor in writing or in electronic form. It regulates the particularities of data processing – such as its scope and purpose – as well as the relationship between the controller and the processor.
-
Data Subject
A natural person: an individual, a customer, a prospect, an employee, a contract person.
-
One-Stop-Shop Concept
If a business is established in more than one Member State, it will have a "lead authority" determined by the place of its "main establishment" in the EU. A supervisory authority that is not the lead authority may also have a regulatory role, for example where processing impacts data subjects in the country where that supervisory authority is the national authority.
-
Personal Data
Any information relating to an identified or identifiable individual, whether it relates to his or her private, professional, or public life. It can be anything from a name, photo, email address, bank details, posts on social networking sites, medical information, or IP address, to a combination of data that directly or indirectly identifies the person.
-
Personal Data - Sensitive or Special Category
"Special categories of personal data" include: racial or ethnic origin, political opinions, religious or philosophical views, trade union membership, sexual orientation and health, and genetic and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences is not included, but similar extra safeguards apply to its processing.
-
Privacy Impact Assessment (PIA), or Data Protection Impact Assessment (DPIA)
The GDPR imposes a new obligation on data controllers and data processors to conduct a Data Protection Impact Assessment (also known as a privacy impact assessment) before undertaking any processing that presents a specific privacy risk by virtue of its nature, scope or purposes.
-
Processing
Processing is any operation performed on personal data or sets of personal data, such as creation, collection, storage, viewing, transport, use, modification, transfer, deletion, etc., whether or not by automated means.
-
Profiling
Profiling is any form of automated processing of personal data intended to evaluate certain personal aspects relating to an individual, or to analyse or predict that person's performance at work, economic situation, location, health, personal preferences, reliability, or behaviour.
-
Recipient
A recipient is defined as any person to whom the data are disclosed, including any person to whom they are disclosed in the course of processing the data for a data controller (for example, an employee of the data controller, a data processor, or an employee of the data processor).
-
Subject Access
This is the data subject's right to obtain from the data controller, on request, certain information relating to the processing of his or her personal data.
-
Territorial Scope (Of The GDPR)
The territorial scope of the GDPR covers the European Economic Area (EEA: all 28 EU member states plus Iceland, Liechtenstein, and Norway), and does not include Switzerland.
-
Third Party
A third party is any natural or legal person, public authority, agency, or any other body other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or the processor, are authorised to process the data.
-
Transfer
The transfer of personal data to countries outside the EEA or to international organisations is subject to restrictions. As with the Data Protection Directive, data does not need to be physically transported to be transferred: viewing data hosted in another location would amount to a transfer for GDPR purposes.