GDPR
Data Processor
An individual or organization that processes data on behalf of the data controller.
Special Categories of Data
Often known as "sensitive data." The GDPR extends this to include both biometric and genetic data.
European Parliament
Only EU institution whose members are directly elected. Has 3 primary responsibilities: (1) Legislative development, (2) Supervisory oversight of the other institutions and (3) Development of the Budget.
General Data Protection Regulation ("GDPR")
Regulation (EU) 2016/679 of April 27, 2016.
European Commission
Responsible for proposing EU legislation, implementing it, and monitoring compliance. Composed of one commissioner per member state who pledges to respect the EU Treaties.
The European Data Protection Board ("EDPB")
The EDPB will replace the Article 29 Working Party and its functions and will ensure consistency in the application of the GDPR, advising the EU Commission, issuing guidelines, codes of practice and recommendations, accrediting certification bodies and issuing opinions on draft decisions of supervisory authorities.
Council of the European Union
The EU's primary policy-setting institution. Along with the Parliament, focuses on legislative decision-making. Meetings are attended by one minister from each member state; which minister attends changes based on the policy issue to be discussed.
Data Protection Directive
The European Directive 95/46/EC previously governed the processing of personal data in the EU and will now be replaced by the GDPR.
Article 29 Working Party
"A29WP" consists of representatives of the EU's national supervisory authorities, the European Data Protection Supervisor ("EDPS") and the European Commission. It has been transformed into the "European Data Protection Board" ("EDPB"), with similar membership but an independent Secretariat.
Data Subject's Rights
(1) Access and rectification, (2) Data portability, (3) Erasure, (4) Restriction of processing, (5) Right to object to processing, and (6) Decisions based on automated processing.
Bodies of the European Union
(1) European Council, (2) European Parliament, (3) Council of the EU, (4) European Commission, (5) Court of Justice of the EU and (6) The European Data Protection Board.
Data Protection Principles
(1) Lawfulness, fairness and transparency: Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject. (2) Purpose limitation: Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of personal data for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes shall not be considered incompatible with the original processing purposes. However, conditions in Article 89(1) (which sets out safeguards and derogations in relation to processing for such purposes) must be met. (3) Data minimization: Personal data must be adequate, relevant and limited to those which are necessary in relation to the purposes for which they are processed. (4) Accuracy: Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. (5) Storage limitation: Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1) and subject to implementation of appropriate technical and organizational measures. (6) Integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. (7) Accountability: The data controller shall be responsible for and be able to demonstrate compliance with these principles.
Data Protection Officer ("DPO")
A DPO's appointment is required under the GDPR if (i) processing is carried out by a public authority, or (ii) the "core activities" of a data controller / data processor either (a) require the "regular and systematic monitoring of data subjects on a large scale" or, (b) consist of a processing of special categories of data or data about criminal convictions "on a large scale."
Subject Access
A data subject's right to obtain from the data controller, on request, certain information relating to the processing of his/her personal data as detailed in GDPR Chapter III, Section 2.
Data Subject
A natural person who is identified or identifiable, directly or indirectly.
Data Controller
A person or body, alone or jointly, which determines the purposes and means of processing personal data.
Establishment [in EU]
An organisation may be "established" where it exercises "any real and effective activity - even a minimal one" - through "stable arrangements" in the EU. The presence of a single representative may be sufficient. The GDPR will apply to organisations which have EU "establishments", where personal data are processed "in the context of the activities" of such an establishment.
Personal Data
Any information relating to an identified or identifiable natural person. Breaks down into four elements: (1) any information (2) relating to (3) an identified or identifiable (4) natural person.
Process
Any operation or set of operations that is performed on personal data or sets of personal data, whether or not by automated means. Includes collection, recording, organization, storage, use and destruction of personal data.
Court of Justice of the European Union
Based in Luxembourg, this Court is the judicial body of the EU. Composed of the European Court of Justice (ECJ) and the General Court. Makes decisions based on EU law and enforces those decisions. This Court provides clarification of EU law to national courts in order to assist them in upholding EU law.
European Economic Area (EEA)
Common market created by the 28 EU member states, plus Iceland, Liechtenstein, and Norway. Does not include Switzerland.
European Convention on Human Rights (ECHR) (1953)
Contains Article 8, protecting the rights of individuals, and Article 10(1), protecting freedom of expression and the right to share information and ideas across national boundaries (similar to the UN's 1948 Universal Declaration on Human Rights). Article 10(2) promotes balance between Art. 8 and Art. 10. A Council of Europe instrument. Required ratification and implementation by ratifying countries (compare the UN Declaration's non-binding nature).
United Nations Universal Declaration on Human Rights (1948)
Contains provisions on the right to a private life and freedom of expression. Influenced European data protection laws. Article 12 contains the right to a private life and Article 19 contains freedom of expression. Like the ECHR, Article 29(2) states that the rights are not absolute and a balance should be struck. "Declarations" are not binding (it is not a treaty). Came as a result of the atrocities of WWII. Translated into over 464 languages (Bible 554 translations, Harry Potter 68 translations, so it is pretty widely viewed).
Anonymous Data
Data that is NOT related to an identified or identifiable natural person. Does not meet the definition of Personal Data and is therefore not subject to the GDPR. Different from pseudonymous data, which is subject to the GDPR.
Supervisory Authority / Lead Authority
National data protection authorities, empowered to enforce the GDPR in their own member state. Where a business is established in more than one Member State, "lead authority" is determined by the place of its "main establishment" in the EU.
Data Protection Impact Assessment (or Privacy Impact Assessment or "PIA")
Required before undertaking any processing that presents a specific privacy risk by virtue of its nature, scope or purposes as set out in a non-exhaustive list of categories of processing in Chapter IV Section 3 of the Regulation.
Right to erasure / Right to be forgotten
The data subject's existing right to deletion of their personal data. GDPR Chapter III, Section 3.
European Council
The heads of state of EU members and the president of the European Commission.
Pseudonymisation
The technique of processing personal data so that it can no longer be attributed to a specific individual without the use of additional information, which must be kept separately and be subject to technical and organizational measures to ensure non-attribution.
Transfer
The transfer of personal data to countries outside the EEA or to international organizations, which is subject to restrictions detailed in Chapter V of the GDPR. As with the Data Protection Directive, data does not need to be physically transported to be transferred. Viewing data hosted in another location would amount to a transfer for GDPR purposes.
An Undertaking
Used in a variety of contexts in the GDPR. Most often used to refer to a legal entity that is engaged in "economic activity." It has particular meaning in the context of the GDPR's provisions regarding financial penalties. Undertakings will be subject to penalties calculated as a percentage of their annual worldwide turnover (revenue).