CIPP/E exam

The implementation of appropriate *technical and organisational measures* to ensure and be able to *demonstrate* that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks, including APEC's Cross Border Privacy Rules. Traditionally has been a *fair information practices principle*, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.

Accountability

Organizations must take every *reasonable* step to ensure the data processed is this and, where *necessary*, kept up to date. Reasonable measures should be understood as implementing processes to prevent inaccuracies during the data collection process as well as during the ongoing data processing in relation to the specific use for which the data is processed. The organization must consider the type of data and the specific purposes to maintain the accuracy of personal data in relation to the purpose. Also embodies the responsibility to respond to data subject requests to correct records that contain incomplete information or misinformation.

Accuracy

A transfer of personal data from the European Union to a third country or an international organisation may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures this by taking into account the *following elements*: *(a)* the rule of law, respect for *human rights* and fundamental freedoms, both *general and sectoral legislation*, data protection rules, professional rules and security measures, effective and *enforceable data subject rights* and *effective administrative and judicial redress* for the data subjects whose personal data is being transferred; *(b)* the existence and *effective* functioning of independent *supervisory authorities* with responsibility for ensuring and enforcing compliance with the data protection rules; (c) the *international commitments* the third country or international organisation concerned has entered into in relation *to the protection of personal data*.

Adequate Level of Protection

The requirement under the GDPR that the European Data Protection Board and each supervisory authority *periodically report on their activities*. The supervisory authority report should include infringements and the activities that the authority conducted under their Article 58(2) powers. The EDPB report should include *guidelines, recommendations, best practices and binding decisions*. Additionally, the report should include the protection of natural persons with regard to processing in the EU and, where relevant, in third countries and international organisations. Shall be *made public and be transmitted to the European Parliament, to the Council and to the Commission*.

Annual Reports

In contrast to personal data, this is not related to an identified or an identifiable natural person and *cannot be combined with other information to re-identify individuals*. It has been rendered unidentifiable and, as such, is not protected by the GDPR.

Anonymous Information

*indications of special classes* of personal *data*. If there exists law protecting against discrimination based on a class or status, it is likely personal information relating to that class or status is *subject to more stringent* data protection regulation, under the GDPR or otherwise.

Anti-discrimination Laws

The GDPR refers to these in a number of contexts, *including* the *transfer* of personal data *to third countries* outside the European Union, the processing of *special categories* of data, *and* the processing of personal data in a *law enforcement* context. This generally refers to the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules. This *may* also *refer to* the use of *encryption or pseudonymization*, *standard* data protection *clause*s adopted by the Commission, contractual clauses authorized by a supervisory authority, or *certification schemes* or *codes of conduct* authorized by the Commission or a supervisory authority. Should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the European Union.

Appropriate Safeguards

The GDPR requires a *risk-based approach* to data protection, whereby organizations *take into account* the *nature*, *scope*, *context and purposes* of processing, as well as the risks of varying *likelihood* and *severity to* the *rights and freedoms* of natural persons, and institute policies, controls and certain technologies to mitigate those risks. These might help meet the obligation to keep personal data secure, including technical safeguards against accidents and negligence or deliberate and malevolent actions, or involve the implementation of data protection policies. These measures should be demonstrable on demand to data protection authorities and reviewed regularly.

Appropriate Technical and Organizational Measures

Was a European Union organization that functioned as an *independent advisory body* on data protection and privacy and consisted of the collected data protection authorities of the member states. It was *replaced by* the similarly constituted European Data Protection Board (*EDPB*) on May 25, 2018, *when* the *GDPR went into effect*.

Article 29 Working Party

The process by which an entity (such as a person or computer system) determines whether another entity is who it claims to be. *is required* by the GDPR *when* the data subject is *exercising certain rights*, such as the rights to *deletion or rectification*, and might include supplying log-in details or biometric information. However, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of the Regulation.

Authentication

A processing operation that is performed without any human intervention. "Profiling" is defined in the GDPR, for example, as the automated processing of personal data to evaluate certain personal aspects relating to a natural person, in particular to *analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements*. Data subjects, under the GDPR, have a *right to object* to such processing.

Automated Processing

Data is this if it is *accessible when needed* by the organization or data subject. The GDPR requires that *a business* be able to ensure this of personal data and have the ability to *restore it and access* to personal data in a *timely manner* in the event of a physical or technical incident.

Availability

Organizations may want to verify an applicant's ability to function in the working environment as well as assuring the safety and security of existing workers. Range from checking a person's educational background to checking on past criminal activity. *Employee consent requirements* for such checks *vary by member state and may be negotiated with local works councils*.

Background Screening/Checks

Most often done via automated processing of personal data, or profiling, the GDPR requires that *data subjects* be able to *opt-out of any automated processing, to be informed of the logic involved in any automatic personal data processing and, at least when based on profiling, be informed of the consequences of such processing*. If cookies are used to store or access information for the purposes of behavioral advertising, the ePrivacy Directive requires that data subjects provide consent for the placement of such cookies, after having been provided with clear and comprehensive information.

Behavioral Advertising

An appropriate safeguard allowed by the GDPR to facilitate *cross-border transfers* of personal data *between* the various *entities of a corporate group worldwide*. They do so by ensuring that the same high level of protection of personal data is complied with by all members of the organizational group by means of a single set of binding and enforceable rules. Compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation and *are approved by a member state data protection authority*. To date, relatively few organizations have had these approved.

Binding Corporate Rules

Previously, the EU distinguished between these for controllers and processors. With the GDPR, there is *now no distinction* made between the two in this context and *Binding Corporate Rules are appropriate for both Controllers and Processors*.

Binding Safe Processor Rules

Data concerning the *intrinsic physical or behavioral characteristics* of an individual. Examples include *DNA, fingerprints, retina and iris patterns, voice, face, handwriting, keystroke technique* and *gait*. The GDPR, in Article 9, lists these for the purpose of uniquely identifying a natural person as a special category of data for which processing is not allowed other than in specific circumstances.

Biometrics

One of the four classes of privacy, along with information privacy, territorial privacy and communications privacy. It focuses on a person's physical being and any invasion thereof. Such an invasion can take the form of *genetic testing, drug testing* or *body cavity searches*.

Bodily Privacy

The requirement that a data controller *notify regulators*, potentially within *72 hours* of discovery, and/or victims, of incidents affecting the confidentiality and security of personal data, depending on the assessed risks to the rights and freedoms of affected data subjects.

Breach Disclosure (EU specific)

*Germany's federal data protection act*, implementing the GDPR. With the passage of the GDPR, it replaced a previous law with the same name and enhanced a series of other acts mainly in areas of law enforcement and intelligence services. Furthermore, the *new version suggests a procedure* for national data protection authorities *to challenge adequacy decisions* of the EU Commission.

Bundesdatenschutzgesetz-neu

The provision of *access* to personal data.

Disclosure

Has come to be shorthand for any video surveillance system. *Originally*, such systems relied on coaxial cable and was truly *only accessible on premise*. *Today*, most surveillance systems are *hosted via TCP/IP networks* and can be *accessed remotely*, and the footage much more *easily shared*, eliciting new and different privacy concerns.

CCTV

Introduced by the GDPR, a *new valid adequacy mechanism for* the *transfer* of personal data outside of the European Union *in* the *absence of an adequacy decision* and instead of other mechanisms such as binding corporate rules or contractual clauses. These *must be developed by certifying bodies*, *approved by data protection authorities or the EDPB* (European Data Protection Board), *and* have *a methodology for auditing* compliance. Similar to binding corporate rules, they compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation.

Certification Mechanisms

A treaty that consolidates human rights within the EU. The treaty states that *everyone has a right to protect their personal data*, that *data must be processed for legitimate and specified purposes* and that *compliance is subject to control by an authority*.

Charter of Fundamental Rights

In the context of consent, this refers to the idea that consent must be freely given and that data subjects must have a *genuine ____________* as to whether to provide personal data or not. If this is not truly given it is unlikely the consent will be deemed valid under the GDPR.

Choice

The provision of information technology services over the Internet. These services may be provided by a company for its internal users in private or by third-party suppliers. The *services can include software, infrastructure (i.e., servers), hosting and platforms (i.e., operating systems)*. Has numerous applications, from personal webmail to corporate data storage, and can be subdivided into different types of service models.

Cloud Computing

Introduced by the GDPR, these are a new valid adequacy mechanism for the transfer of personal data outside of the European Union in the absence of an adequacy decision and instead of other mechanisms such as binding corporate rules or contractual clauses. these must be *developed by industry trade groups, associations or other bodies* representing categories of controllers or processors. They *must be approved by supervisory authorities or the European Data Protection Board*, and have a methodology for auditing compliance. Similar to binding corporate rules, they compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation.

Codes of Conduct

A *fair information practices* principle, it is the principle stating *there should be limits to* the *collection* of personal data, that any such *data should be obtained by lawful and fair means and*, where appropriate, *with* the knowledge or consent* of the data subject.

Collection Limitation

One of the four classes of privacy, along with information privacy, bodily privacy and territorial privacy. It encompasses protection of the means of correspondence, including *postal mail, telephone conversations, electronic e-mail* and *other forms of communicative behavior and apparatus*.

Communications Privacy

Data is this if it is *protected against unauthorised or unlawful* processing. The GDPR requires that an organization be able to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services as part of its requirements for appropriate security. In addition, the GDPR requires that *persons authorised to process* the personal data *have committed* themselves *to confidentiality* or are under an appropriate statutory obligation of this.

Confidentiality

This privacy requirement is one of the *fair information practices*. In the GDPR, however, it is specifically one of the legal bases for processing personal data. According to the GDPR, *for it to be valid*, it must be: *clearly distinguishable* from other matters, intelligible, and in *clear and plain language*; *freely given*; as *easy to withdraw* as it was to provide; *specific; informed; and unambiguous*. Further, it must be a *positive, affirmative action* (e.g., checking opt-in or choosing technical settings for web applications), with pre-ticked boxes expressly not allowed. For certain *special categories of data*, as outlined in Article 9, *explicit _________ is required* for processing, a higher standard than unambiguous consent.

Consent (EU specific)

Because of the power imbalance between employer and employee, consent is generally not considered a legal basis for processing employee data.

Consent and Employee Personal Data

In order to ensure the consistent application of the GDPR throughout the European Union, the GDPR establishes this which *allows member state supervisory authorities to cooperate* with one another. The mechanism *applies particularly* where a supervisory authority intends to adopt a measure intended to produce legal effects as regards processing operations which *substantially affect a significant number of data subjects in several member states*. *When a* member state *supervisory authority* intends to take action, such as *approving a code of conduct or certification mechanism*, it shall *provide a draft to the EDPB* (European Data Protection Board, and the *EDPB's* members *shall* render an *opinion* on that draft, which the *supervisory authority* shall take into account and *then either amend or decide* to go forward with the *draft in its original form*. Should there be *significant difference in opinion*, the *dispute resolution mechanism* will be triggered.

Consistency Mechanism

The text, images, etc., contained within any communication message, such as an email, text, or instant message on any given communications platform. Specifically used often to distinguish from metadata. The *ePrivacy Directive and draft ePrivacy Regulation protect the confidentiality of this*.

Content Data

*Adopted either directly by the European Commission or by a supervisory authority* in accordance with the consistency mechanism *and then adopted by the Commission*, these are mechanisms by which organisations can commit to protect personal data to facilitate ongoing and systematic cross-border personal data transfers.

Contractual Clauses

A legally binding international instrument that requires signatory countries to take the *necessary steps* in their *domestic legislation* to *apply the principles* it lays down ensuring *fundamental human rights with regard to the processing of personal information*.

Convention 108

A small text file stored on a client machine that may later be retrieved by a web server from the machine. Allow web servers to keep track of the end user's browser activities, and connect individual web requests into a session. Can also be used to prevent users from having to be authorized for every password protected page they access during a session by recording that they have successfully supplied their username and password already. May be referred to as *"first-party"* (if they are *placed by the website that is visited*) or *"third-party"* (if they are *placed by a party other than the visited website*). Additionally, they may be referred to as *"session ___________"* if they are *deleted when a session ends*, *or "persistent ___________" if they remain longer*. Notably, the GDPR lists this latter category, so-called *"identifiers,"* as an example of *personal information*. The use is *regulated both by* the *GDPR* and the* ePrivacy Directive*

Cookie

An *amendment* made *to* the European Union's *Directive 2002/58*, also known as (*a.k.a*) the *ePrivacy Directive*, that *requires* organizations to get *consent before placing* and other tracking technologies on digital devices. With the passage of the GDPR, this definition of consent has changed and *opt-out consent is no longer viable in this area*.

Cookie Directive

Part of the *consistency mechanism* of the GDPR, this is required between *supervisory authorities* when working with controllers or processors handling the personal data of *data subjects in multiple member states*. This is often referred to as (*a.k.a.* the "*one-stop shop*," whereby a lead supervisory authority works with the supervisory authorities of other member states with affected data subjects.

Cooperation

A case in which the *ECHR* (European Court of Human Rights) held that *monitoring* an applicant's *email at work* was *contrary to Article 8* of the *Convention on Human Rights*.

Copland v. United Kingdom

Shorthand for (*a.k.a.*)the case where Costeja *successfully sued Google Spain, Google Inc. and La Vanguardia newspaper*. When the Court of Justice of the EU ruled that Google Spain must remove the links to the article, the "*right to be forgotten*" was effectively established in the European Union. The GDPR subsequently more formally granted data subjects the right to deletion in certain circumstances.

Costeja

The CoE, launched in *1949*, is a *human rights organization* with *47 member* countries, including the *28 member states* of the European Union. The members have *all signed* the *European Convention on Human Rights and* are *subject to the ECHR* (European Court of Human Rights). The Council's *Convention 108* was the first legally binding international agreement to protect the human right of privacy and data protection.

Council of Europe

A council of ministers from the 28 member states, this is *the main decision-making body of the EU*, with a central role in both political and legislative decisions. The council was established by the treaties of the 1950s, which laid the foundations for the EU, and *works with* the *European Parliament* to *create EU law*.

Council of the European Union

Transfers of personal data to any country outside the European Economic Area (EEA) may only take place subject to the condition that the third country ensures an adequate level of protection for the personal data as determined by the European Commission. It *also applies to onward transfers* — from one third country or international organisation to another (outside the EEA). In the absence of an adequacy finding, organizations must use other mechanisms, such as binding corporate rules, contractual clauses, or certification, for lawful transfer.

Cross-border Data Transfers (EU specific)

The requirement that a data controller notify regulators, potentially within *72 hours* of discovery, and/or victims, of incidents affecting the confidentiality and security of personal data, depending on the assessed risks to the rights and freedoms of affected data subjects.

Data Breach Notification (EU specific)

The natural or legal person, public authority, agency or any other body which alone or jointly with others *determines the purposes and means* of the processing of personal data. Where the purposes and means of such processing are determined by EU or member state law, this or the specific criteria for its nomination may be provided for by EU or member state law.

Data Controller

A *unit of data* that cannot be broken down further or has a distinct meaning. This may be a *date of birth, a numerical identifier, or location coordinates*. In the context of data protection, it is important to understand that these in isolation *may* not be personal data but, *when combined, become personally identifiable* and therefore personal data.

Data Elements

In certain circumstances, generally where data processing is done on the basis of consent or a contract, data subjects have the right to receive their personal data, which they have provided to a controller, in a *structured, commonly used and machine-readable format* and have the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided.

Data Portability

A natural or legal person (*other than an employee* of the controller), public authority, agency or other body which *processes personal data on behalf of the controller*. An organization can be both a controller and a processor at the same time, depending on the function the organization is performing.

Data Processor

A term often used to refer to a *supervisory authority*

Data Protection Authority (EU specific)

The *title* given in *some member states* to the *supervisory authority*

Data Protection Commissioner

The process by which companies can *systematically assess and identify* the *privacy* and data protection *impacts of* any *products* they offer *and services* they provide. It enables them to *identify the impact* and *take* the *appropriate actions* to prevent or, at the very least, *minimise the risk* of those impacts. *are required* by the General Data Protection Regulation in some instances, particularly *where a* new *product or service is likely to result in a high risk* to the rights and freedoms of natural persons.

Data Protection Impact Assessment

While the title has long been in use, particularly in Germany and France, the GDPR introduced a *new legal definition of this with specific tasks*. Certain *organizations*, particularly those *that process personal data as part of their business model or* those who *process special categories* of data as outlined in Article 9, *are obligated to designate one* on the basis of *professional qualities* and, in particular, *expert knowledge* of data protection law and practices. Has a variety of *mandated tasks, including communication with* the *supervisory authority*, *conducting DPIAs*, and *advising the organization on* the mandates of the *GDPR* and how to comply with it.

Data Protection Officer

Outline the basic contours of the measures an organization takes in the processing and handling of personal data. Key matters the *policy should address* include: *Scope*, which explains both to whom the internal policy applies and the type of processing activities it covers; *Policy statement*; *Employee responsibilities*; *Management responsibilities*; *Reporting incidents*; *Policy compliance*.

Data Protection Policy

Article 5 of the GDPR lists: *L*awfulness, fairness and transparency; *P*urpose limitation; *D*ata minimisation; *A*ccuracy; *S*torage limitation; *I*ntegrity and confidentiality. *LPD ASI*

Data Protection Principles

The implementation of appropriate *technical and organisational* measures for ensuring *that, by default, only* personal *data* which are *necessary for each specific purpose* of the processing *are processed*. That obligation *applies to* the *amount* of personal data collected, the *extent* of their processing, the *period* of their storage and their *accessibility*. In particular, such measures shall ensure that by default personal data are *not made accessible* without the individual's intervention *to an indefinite number* of natural persons. Such organizational *measures could consist*, inter alia, *of minimising* the processing of personal data, *pseudonymising* personal data as soon as possible, *transparency* with regard to the functions and processing of personal data, *and enabling the data subject to monitor* the data processing.

Data Protection by Default

When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to *take into account the right to data protection when developing and designing* such *products, services and applications* and, *with due regard to* the *state of the art*, to make sure that controllers and processors are able to fulfil their data protection obligations.

Data Protection by Design

A natural or legal person, public authority, agency or another body, to which personal data is disclosed, whether a third party or not. *Public authorities that receive personal data in the framework of a particular inquiry in accordance with EU or member state law shall not be regarded as recipients*, however. The processing of that data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Data Recipient

An identified or *identifiable* natural person.

Data Subject

An action that one takes to *remove identifying characteristics* from data.

De-identification

In the context of European Union legislation interacting with member state law, a place in an EU-wide regulation where *individual member states are left to make their own law or have the option to deviate*. Can also simply refer to an exception to a certain basic rule or principle.

Derogation

In the context of data protection law, can be defined as *personal data processed to communicate a marketing or advertising message*. This definition includes messages from commercial organisations, as well as from charities and political organisations. While it *is offered* in the GDPR as *an example* of processing for the *legitimate interest* of an organization, it also says the data subject shall have the *right to object at any time* to processing of personal data concerning him or her for such marketing, which *includes profiling* to the extent that it is related to such marketing.

Direct Marketing (EU specific)

In the context of the consistency mechanism (see Consistency Mechanism), the European Data Protection Board, *EDPB, can issue binding decisions on: objections to lead authority decisions*, on *disputes about* which supervisory authority should be *the lead authority*, and where there has been a *failure to request the EDPB's opinion* under Article 64 *or the opinion is not followed*.

Dispute Resolution

A court case in which the Court of Appeal of the United Kingdom *narrowed the definition of personal data* under the Data Protection Act of 1998. It established a *two-stage test*; the information must be biographical in a significant sense and the individual must be the focus of the information.

Durant v. Financial Services Authority

Was replaced by the GDPR in 2018. The Directive was adopted in 1995, became effective in 1998 and was the *first EU-wide legislation that protected individuals' privacy* and personal data use.

EU Data Protection Directive (*95/46/EC*)

An agreement that was *invalidated by the Court of Justice of the European Union in 2015*, that allowed for the legal transfer of personal data between in the absence of a comprehensive adequacy decision for the United States. It was replaced by the __________ Privacy Shield in 2016 (see Privacy Shield).

EU-U.S. Safe Harbor Agreement

Transmission systems, and, where applicable, switching or routing equipment and other resources that permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks; fixed and mobile terrestrial networks; electricity cable systems, to the extent that they are used for the purpose of transmitting signals; networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed. *In the* discussions surrounding the *update of the ePrivacy Directive* to the ePrivacy Regulation, *so-called "over the top" providers, like app-based messaging services, are beginning to be considered as part of the ECN*.

Electronic Communications Network

*Article 88 of the General Data Protection Regulation recognises that member states may provide for more specific rules around processing this*. These rules must include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the workplace.

Employee Personal Data

*Article 17(1)* of the GDPR establishes that data subjects have this right of their personal data *if*: the data is *no longer needed* for its *original purpose* and no new lawful purpose exists; the *lawful basis* for the processing *is* the data subject's *consent, the data subject withdraws that consent*, and no other lawful ground exists; the data subject *exercises the right to object*, and the controller has *no overriding grounds* for continuing the processing; the data has been *processed unlawfully*; *or this* is *necessary for compliance with* EU *law* or the national law of the relevant member state.

Erasure

The GDPR establishes *direct legal obligations applicable to service providers acting as "processors"*, whilst giving an increased emphasis to the contractual obligations in place between customers and data processing service providers.

Established Service Provider

Implies the *effective and real exercise of activity through stable arrangements*. The *legal form* of such arrangements, whether *through a branch or a subsidiary with a legal personality, is not the determining factor* in that respect.

Establishment

The *executive body of the European Union*. Its main function is to implement the EU's decisions and policies, along with other functions. *It initiates legislation* in the EU, proposing initial drafts that are then undertaken by the Parliament and Council of the European Union. It is also *responsible for making adequacy determinations* with regard to data transfers to third-party countries.

European Commission

The collection of heads of states of European Union member states. It provides general political direction for the EU and *does not exercise legislative functions*.

European Council

In *Strasbourg*, France, upholds privacy and data protection laws through its *enforcement* of the *European Convention on Human Rights* and *Convention 108*. Applies the Convention and ensures that signatory states respect the rights and guarantees set out in the Convention.

European Court of Human Rights

The successor to the Article 29 Working Party, it *consists of* the *heads of the supervisory authorities* of the member states and *the European Data Protection Supervisor* (see European Data Protection Supervisor), and *the Commission is entitled to send a delegate* to its meetings. It's role is to ensure the consistent application of the Regulation and, in addition to supporting cooperation between the regulators and applying the consistency mechanism, it shall publish advice, guidance, recommendations and best practices. The supervisory authorities elect a chairperson, with certain powers, from amongst their membership.

European Data Protection Board

An independent supervisory authority for the European Union as an entity, ensuring the EU institutions, such as the Parliament, Commission, and Council of the European Union, protect the rights and freedoms of data subjects. Acts as secretariat to the European Data Protection Board* (see European Data Protection Board). *Giovanni Buttarelli* and Wojciech Wiewiórowski have been appointed Supervisor and Assistant Supervisor respectively by a joint decision of the European Parliament and the Council. Appointed for a five-year term, they took office on 4 December 2014.

European Data Protection Supervisor

A 1989 case brought before the European Court of Justice which established the *precedence of EU law over national laws of member states* in areas where the EU has competence. Spanish fisherman

Factortame

An economic region that includes the *European Union (EU) and Iceland, Norway and Liechtenstein*—which are not official members of the EU but are closely linked by economic relationship. *Non-EU countries in this are required to adopt EU legislation regarding the single market.*

European Economic Area

Created by the *Treaty of Rome*, was a predecessor to the European Union that promoted a single economic market across Europe.

European Economic Community

The *only EU institution* whose *members* are *directly elected* by citizens of individual member states, has *four responsibilities*—*legislative development*, *supervisory oversight* of other institutions, *democratic representation* and *budget development*.

European Parliament

*replaced the EEC, which was created by the Treaty of Rome* and first promoted a *single economic market across Europe*. Currently comprises *28 member states*: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom.

European Union

One of three requirements established by the GDPR for the processing of personal data: The first principle of processing personal data is "lawfulness, fairness, and transparency," which states that personal data should be processed lawfully, fairly and in a transparent manner in relation to the data subject. Linked most often with transparency, *means data subjects must be aware of the fact that their personal data will be processed*, including how the data will be collected, kept and used, to allow them to make an *informed decision* about whether they agree with such processing and to enable them to exercise their data protection rights. Consent notices should not contain unfair terms and supervisory authority powers should similarly be exercised fairly.

Fairness

*bodily* privacy (invasion - genetic / drug testing*, body cavity searches) *communications* privacy (protection of correspondence) *information* privacy (when, how, extent data is shared) *territorial* privacy (intrude into another individual's environment)

Four Classes of Privacy

The GDPR requires that *consent* be a *freely given, specific, informed and unambiguous* indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The data subject *must have* a *genuine choice*, must be able to refuse or withdraw consent without fear of consequence. *Where* there is a *power imbalance*, as in an employer-employee relationship, for example, it's likely that *consent cannot be freely given*.

Freely Given

This and POST HTML method attributes specify how form data is sent to a web page. Appends the form data to the URL in name/value pairs allowing passwords and other sensitive information collected in a form to be visible in the browser's address bar, and is thus *less secure than the POST method*.

GET Method

A judgment delivered by the ECHR (European Court of Human Rights) in 1989 held that the *restriction of* the applicant's *access to* his *personal file* was *contrary to Article 8* of the Convention, citing a breach of *right to respect for his family and private life*. Case related to *abuse whilst in social services care*

Gaskin v. United Kingdom

Replaced the Data Protection Directive in 2018. The aim is to provide one set of data protection rules for all EU member states and the European Economic Area (EEA). The document comprises *173 recitals* and *99 articles*.

General Data Protection Regulation

Organized following an OECD (Organisation for Economic Co-operation and Development - an intergovernmental economic organisation) recommendation for cooperation among member countries on enforcement of privacy laws, is *collection of data protection authorities dedicated to discussing aspects of privacy law enforcement cooperation*, the sharing of best practices, development of shared enforcement priorities, and the support of joint enforcement initiatives and awareness campaigns. As of 2018, counted *50 member countries*

Global Privacy Enforcement Network

The *ECHR* (European Court of Human Rights) decided in 2009 that the *Article 8 right to respect for private life and family life* had been *violated when* the applicant *sought access* to the *secret service file* on him drawn up in the days of Communist rule in Romania and was made to wait six years. The court awarded 6,000 euros.

Haralambie v. Romania

The standard is a *code of practice for implementing* an *information security management system*, against which organizations can be *certified*.

ISO (International Organization for Standardization) 27001

The standard is a *code of practice* for information security with hundreds of potential controls and control mechanisms. The standard is intended to provide a guide for the development of "organizational security standards and effective security management practices and to help build confidence in inter-organizational activities". It can be considered *a guide to implementing ISO 27001*

ISO (International Organization for Standardization) 27002

It is *fair information practices principle* that an individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to them; b) to have data relating to them communicated to them within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner, and in a form that is readily intelligible to them; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to them and, if the challenge is successful, to have the data erased, rectified, completed or amended.

Individual Participation

Recognizes that data has different value, and requires approaches, as it moves through an organization from collection to deletion. The stages are generally considered to be: *Collection, processing, use, disclosure, retention, and destruction*.

Information Life Cycle

One of the four classes of privacy, along with territorial privacy, bodily privacy, and communications privacy. The *claim of individuals*, groups or institutions *to determine for themselves when, how and to what extent information about them is communicated to others*.

Information Privacy

The protection of information for the purposes of preventing *loss*, *unauthorized access* and/or *misuse*. It is also the process of assessing threats and risks to information and the procedures and controls to preserve confidentiality, integrity and availability of information.

Information Security

The GDPR requires that controllers and processors implement measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. This refers to the *consistency, accuracy and trustworthiness* of the data (see Accuracy).

Integrity

Listed within the GDPR as a form of personal information, a unique string of numbers that identifies a computer on the Internet or other TCP/IP network. The address is expressed in four groups of up to three numbers, separated by periods. For example: 123.123.23.2. An address may be *"dynamic," meaning that it is assigned temporarily* whenever a device logs on to a network or an Internet service provider and consequently may be different each time a device connects. Alternatively, an address may be *"static," meaning that it is assigned to a particular device* and does not change, but remains assigned to one computer or device.

Internet Protocol Address (EU specific)

A company that provides Internet access to homes and businesses through *modem dial-up, DSL, cable modem broadband, dedicated T1/T3 lines or wireless connections*.

Internet Service Provider

A reference to *joint investigations and* joint *enforcement measures* in which members or staff from the *supervisory authorities of multiple member states* are involved. The GDPR requires supervisory authorities to work with one another when processing operations affect data subjects in multiple member states.

Joint Operations

A body sanctioned by local, regional or national governments to enforce laws and apprehend those who break them. In Europe, are *governed by* strict *rules of criminal procedure designed to protect the fundamental human right to privacy* enshrined in *Article 8 of the European Convention on Human Rights (ECHR)*. In the arena of data protection, law enforcement is governed by the *Directive on the Protection of Natural Persons with Regard to the Processing of Personal Data by Competent Authorities for the Purpose of Law Enforcement (Directive 2016/680)*, which came into force in April 2016.

Law Enforcement Authority (EU specific)

Technically *Directive 2016/680*, or the *Directive on the Protection of Natural Persons with Regard to the Processing of Personal Data by Competent Authorities for the Purposes of Law Enforcement*, this is the EU law governing the handling of personal data by competent law enforcement authorities. Each member state has a law that translates this directive into national law. The directive *covers* the *cross-border and national processing of data* by member states' competent authorities *for the purpose of law enforcement*. This includes the prevention, investigation, detection and prosecution of criminal offences, as well as the safeguarding and prevention of threats to public security. *It does not cover activities by EU institutions, bodies, offices and agencies, nor activities falling outside the scope of EU law*.

Law Enforcement Directive

One of three requirements established by the GDPR for the processing of personal data. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. Data subjects must be aware of the fact that their personal data will be processed, including how the data will be collected, kept and used, to allow them to make an informed decision about whether they agree with such processing and to enable them to exercise their data protection rights. The GDPR outlines *six bases for processing* of personal data.

Lawfulness

A privacy notice designed to respond to problems with a excessively long notices. A short notice — the *top layer* — provides a user with the *key elements of the privacy notice*. The full notice — the *bottom layer* — covers all the *intricacies in full*. In its guidance on complying with the GDPR, the *Article 29 Working Party*, which has now been replaced by the European Data Protection Board, *recommended a layered notice* in order to meet requirements of the GDPR that privacy notices be easily accessible and easy to understand, and that clear and plain language be used.

Layered Notice

A layered approach defines three levels of security policies. The *top layer* is a high-level document *containing the controller's policy statement*. The *next layer* is a more detailed document that *sets out the controls* that will be *implemented* to achieve the *policy statements*. The *third layer* is the most detailed and *contains the operating procedures*, which explain how the policy statements will be achieved in practice.

Layered Security Policy

The *supervisory authority of the main establishment* or of the single establishment of the controller or processor *shall* be competent to *act as lead supervisory authority for the cross-border processing* carried out by that controller or processor. Shall be the *sole interlocutor* (person who takes part in a dialogue or conversation) of the controller or processor for the cross-border processing carried out by that controller or processor.

Lead Supervisory Authority

The GDPR requires data controllers to demonstrate one of these six bases for processing: *consent*, *contract* requirement, *legal obligation*, protection of data subject's *vital interests*, *public task*, or *legitimate interest* of the controller. The controller is required to provide a privacy notice, specify in the privacy notice the legal basis for the processing personal data in each instance of processing, and when relying on the legitimate interest ground must describe the legitimate interests pursued.

Legal Basis for Processing

One of the six legal bases for processing personal data in the GDPR, *including those of a controller to which the personal data may be disclosed, or of a third party*, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.

Legitimate Interests of Controller

Same as "*Legal basis* for processing"

Legitimate Processing Criteria

A case in which the European Court of Justice ruled that *a woman* who identified and *included information about fellow church volunteers on her website* was in *breach of the Data Protection Directive 95/46/EC*. The ECJ held that *the creation of a personal website was not a personal activity allowing the woman to be exempted from the data protection rules*. Some observers *wonder whether Recital 18* of the GDPR, which says *the law does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity* and thus with no connection to a professional or commercial activity, *might affect this precedent ruling*. Recital 18 says personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities.

Lindqvist Judgement

*If a person can be identified, directly or indirectly, by* reference to *this data*, *then that data is classified* by the GDPR *as personal data*. Might consist of coordinates, addresses, or any other data that specifies a position in space.

Location Data

Services that utilize information about location to deliver, in various contexts, a wide array of applications and services, including social networking, gaming and entertainment. Such services typically *rely upon GPS, RFID, Wi-Fi*, or similar technologies in which *geolocation is used to identify the real-world geographic location* of an object, such as a mobile device or an internet-connected computer terminal.

Location-Based Service

A resolution *adopted in 2009 by the International Conference of Data Protection and Privacy Commissioners*, consisting of 80 data protection authorities from 42 countries around the world. The resolutions *proposes international standards on the protection of privacy with regard to the processing of personal data*, to include: lawfulness and fairness; purpose specification; proportionality; data quality; openness; and accountability.

Madrid Resolution

Should be *the place of its central administration in the EU*, *unless* the *decisions on* the *purposes and means* of the processing of personal data *are taken in another establishment of the controller in the EU* in which case that other establishment should be considered to be the main establishment. Should be the place of its central administration in the EU or, if it has no central administration in the EU the place where the main processing activities take place in the EU. The member state *location of the main establishment determines the* controller or processor's *lead supervisory authority*

Main Establishment

The actions covered by a particular law or regulation. The *processing* of personal data *wholly or partly* by *automated means and* to the processing *other than by automated means* of personal data which form *part of a filing system* or are *intended* to *form part of a filing system*, *other than* that processing that falls *outside of the scope of EU law*, is *done for personal or household* use, *or* is done for *law enforcement* purposes.

Material Scope (EU specific)

Chairman and *founder of noyb*, a "*privacy enforcement platform*" that *brings data protection cases to the courts* under the GDPR. Schrems first came notoriety as an Austrian law student, who *complained* to the *Irish Data Commissioner* that *Facebook Ireland* was illegally *sharing* his personal data *with the U.S. government*, following the revelations of Edward Snowden. ," Eventually *caused* the *invalidation* of the Safe Harbor* data-transfer agreement between the EU and U.S. A second case brought by Schrems, known as *Schrems 2.0* or Schrems II, *seeks to invalidate standard contractual clauses* when *used to transfer* data to the *United States from the EU*.

Max Schrems, The case, known as "The Schrems case" or "*Schrems I*

Of the European Union, formally created by the *Maastricht Treaty in 1992*. As of the last addition of member states in 2013, the EU consists of: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom. The *U.K.* submitted a *notice of withdrawal under Article 50* of the *Treaty of Lisbon* in 2016 and will leave the European on March 29, 2019, unless the European Council decides to extend the two-year negotiating period by unanimous vote.

Member State

The *only directly elected body* of the European Union, the Parliament represents *one half of the legislative arm of the EU*, *alongside* the *Council of the European Union*. Elected by citizens of the member states, in *proportion* to the *size* of each *country*, every *five years*. Those *MEPs* then *elect* the *president* of the *European Commission*. Its *three primary responsibilities* are *legislative development*, supervisory *oversight of the other institutions*, and development of the *budget*. As of 2018, the Parliament had *751* members.

Members of the European Parliament

A process that requires more than one verification method, such as a password and biometric identifier, or log-in credentials and a code sent to an email address or phone number supplied by a data subject.

Multi-Factor Authentication

*along with proportionality*, *is one of two factors* data controllers should consider as they apply the principle of *data minimization*, as required by the GDPR. *considers the amount* of data to be collected *and whether it is necessary in relation to the stated purposes* for which it is being processed.

Necessity

First released in *1980*, and then *updated in 2013*, these guidelines represent perhaps the most *widely accepted* and circulated *set of internationally agreed* upon *privacy principles* along with guidance for countries as they develop regulations *surrounding cross-border data flows and law-enforcement access to personal data*. The principles, *widely emulated in national privacy laws*, include *Collection Limitation*, *Data Quality*, *Purpose Specification*, *Use Limitation*, *Security Safeguards*, *Openness*, *Individual Participation*, and *Accountability*

OECD (Organisation for Economic Co-operation and Development) Guidelines

Used to distinguish from sectorial laws, to mean *laws that cover a broad spectrum of organizations or natural persons*, rather than simply a certain market sector or population.

Omnibus Laws

A somewhat *colloquial description* of the General Data Protection Regulation's *consistency mechanism*, referring to the *specific instance* in which a *supervisory authority* should *refer a complaint or investigation* to an organization's *lead supervisory authority* if the data *processing affects* data subjects in *multiple EU member states*. The lead supervisory authority can choose to accept the case, and provide the originating supervisory authority and the rest of the European Data Protection Board (EDPB) with the opportunity for input, or refer the case back to the originating supervisory authority.

One-stop Shop

Websites or online *advertising services* that engage in the *tracking or analysis* of search terms, browser or user profiles, preferences, demographics, online activity, offline activity, location data, etc., and *offer advertising based on* that *tracking*.

Online Behavioral Advertising

A *transfer* of personal data *to a fourth party or beyond*. For instance, the first party is the data subject, the second party is the controller, the third party is the processor, and the fourth party is *a sub-contractor of the processor*. *In* the context of binding corporate rules (*BCRs*), this *might mean* the third party is *another unit of the controller* organization *outside* of the *EEA* and the fourth party is a processor. *If one occurs, the controller remains accountable* for processing of the personal data.

Onward Transfer

A *fair information practices* principle. There should be a general policy of this about developments, practices and policies with respect to personal data. Means should be *readily available* to *establish the existence and nature* of personal data, and the main *purposes* of their use, as well as the *identity and usual residence of the data controller*. Closely linked with transparency.

Openness

Various opinions will be relevant even after the body's transition into the European Data Protection Board (EDPB). They continue to *provide guidance and context* as to the stance of European Union member state regulators *in how data protection law should be interpreted*.

Opinions of the Article 29 Working Party

One of two central concepts of choice. It means an individual makes an *active affirmative indication of choice*; i.e., *checking a box* signaling a desire to share his or her information with third parties. The GDPR's definition of consent as requiring a "clear affirmative act" makes *opt-in* the *default standard for consent acquisition*.

Opt-In (EU specific)

One of two central concepts of choice. It means an individual's *lack of action implies that a choice has been made*; i.e., unless an individual checks or unchecks a box, their information will be shared with third parties. The GDPR's definition of consent as requiring a "clear affirmative act" makes *opt-out unacceptable for the acquisition of consent*.

Opt-Out (EU Specific)

An international organization that *promotes policies* designed *to achieve* the highest *sustainable economic growth*, *employment* and a *rising standard of living* in both *member and non-member countries*, while contributing to the world economy.

Organization for Economic Cooperation and Development (OECD)

Contracting business processes, which may include the processing of personal information, to a third party. The GDPR establishes *direct legal obligations applicable to service providers acting as "processors"* and places an *increased emphasis* to the *contractual obligations* that must be *established* between *organizations* and their data *processing service providers*.

Outsourcing (EU-specific)

Any information relating to an *identified or identifiable* natural person; an identifiable person is one who can be identified, *directly or indirectly* — in particular *by reference* to an *identification number or* to one or more *factors specific to* their *physical*, *physiological*, *mental*, *economic*, *cultural* or *social identity*.

Personal Data (EU specific)

A synonym for "personal data"

Personal Information (EU specific)

Direct marketing to postal addresses. Just as with other forms of direct marketing, marketers must ensure they establish the lawful basis for processing personal data when postal marketing to those in the EEA under the GDPR.

Postal Marketing (EU specific)

Under the General Data Protection Regulation, *a processor may not engage another processor without this* of the data controller. This authorization may be *general or specific*. *If it is general*, the *processor* is required to *give the controller* an *opportunity to object* to the addition or replacement of other processors.

Prior Authorization

*Four* main *areas of privacy* are of particular interest with regard to data protection and privacy laws and practices: *information* privacy, *bodily* privacy, *territorial* privacy, and *communications* privacy.

Privacy

A *statement* made to a *data subject* that describes *how* an organization *collects, uses, retains and discloses* personal information. may be referred to as a privacy statement, a fair processing statement or, sometimes, a privacy policy. The GDPR requires a controller to provide this *prior to processing* and to *specify* in the privacy notice the *legal basis* for the processing, in addition to other details, such as the *contact information for* the organization's *Data Protection Officer*. When relying on the legitimate interest ground, the controller must describe *the legitimate interests pursued*.

Privacy Notice (EU specific)

An *internal statement* that governs an organization or entity's handling of personal information. It is *directed at those* members of the organization *who* might *handle or make decisions* regarding the personal information, *instructing* them *on* the *collection, use, storage and destruction of the data*, as well as any *specific rights* the *data subjects* may have. May also be referred to (*a.k.a.*) as a *data protection policy*.

Privacy Policy

First outlined in a framework in the mid-1990s by then-Information and *Privacy Commissioner of Ontario*, Canada, Ann Cavoukian, with *seven foundational principles*.

Privacy by Design

Any form of *automated processing* of personal data consisting of the use of personal data *to evaluate certain personal aspects*, in particular *to analyze or predict* aspects concerning that person's *performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements*.

Profiling

*along with necessity*, is *one of two factors* data controllers should consider as they apply the principle of *data minimization*, as required by the GDPR. *considers* the *amount of data* to be collected and *whether it is adequate and relevant* in relation to the purposes for which it is being processed. Is the processing suitable and reasonably *likely to achieve* the *stated objectives?* *Are* any *adverse consequences* that the processing creates *justified* in view of the importance of the objective pursued*?*

Proportionality

The processing of personal data in such a manner that the personal data *can no longer be attributed* to a specific data subject *without* the use of *additional information*, provided that such additional information is *kept separately* and is subject to *technical and organizational measures* to ensure that the personal data are *not attributed* to an *identified or identifiable* natural person.

Pseudonymisation

One of the six legal bases for processing personal data outlined by the GDPR is *processing* necessary for the *performance* of a *task carried out* in this or in the *exercise of official authority* vested in the controller.

Public Interest

*Information collected* and maintained *by a government entity* and *available to the general public*. In the General Data Protection Regulation, *one of the derogations* left to *member states* is an* allowance for restrictions* on *certain data subject rights*, such as the *right to erasure*, for the keeping of *public records kept* for reasons of *general public interest*.

Public Records (EU specific)

A *fair information practices* principle, *part of* the original *OECD Guidelines*, and a piece of many privacy and data protection regulations, this is the principle that the *purposes* for which personal data are collected *should be specified* no later than *at the time of data collection* and the *subsequent use* of that personal data is *limited to* the fulfillment of *those purposes or* such others as are *not incompatible* with those *purposes* and as are specified to the individual on each occasion of change of purpose, or for which there is a further legal basis that would not require notification.

Purpose Limitation

*Article 30* of the GDPR specifies circumstances that will trigger this. These include, for organizations of *250 or more employees*, all processing of personal data. *Or, regardless of* the organization's *size*, controllers and processors are obligated to keep *records* of the processing *if* it *is likely to result in a risk* to the rights and freedoms of data subjects; *is not occasional*; *or includes special categories* of data *or* data relating to *criminal convictions and offences*.

Record-Keeping Obligation

Closely intertwined with access, the *right* or ability of a data subject *to correct erroneous information* that is stored about them. Under the General Data Protection Regulation, data subjects have this right for inaccurate personal data, and *controllers must ensure* that *inaccurate or incomplete data is erased, amended or rectified*.

Rectification (EU specific)

*Chapter VII* of the General Data Protection Regulation *outlines* the *remedies* available to data subjects and their *right to compensation*, the *liability for damage* caused by processing for both controllers and processors, *and* the *penalties* available to supervisory authorities *for infringement* of the law.

Remedies, Liability and Penalties

The *ability to withstand and recover from threats*. The General Data Protection Regulation requires that controllers and processors, in *proportion to risk*, be able to ensure the resilience of processing systems and services.

Resilience

Within the information life cycle the concept that organizations should retain personal information only as long as necessary to fulfill the stated purpose. Under the General Data Protection Regulation, the "*right to be forgotten*" *exists where* the personal *data is no longer necessary* in relation to the purposes for which it was collected or otherwise processed, where a *data subject has withdrawn their consent or objects* to the processing of personal data concerning them, *or* where the *processing* of their personal data *does not otherwise comply* with the GDPR, *unless* there are other *legal obligations* or reasons of the *public interest to retain* their personal data.

Retention (EU specific)

Under *Article 15* of the Data Protection Directive, individuals are entitled to *object* to this. The right, however, does not allow an individual to object to automated processing that then leads to a human decision.

Right Not To Be Subject to Fully Automated Decisions

Under GDPR, data subjects have this right and their personal data deleted, *where* the personal data is *no longer necessary* in relation to the purposes for which it was collected or otherwise processed, where *a data subject has withdrawn* their *consent or objects* to the processing of personal data concerning them, *or* where the *processing* of their personal data *does not* otherwise *comply with* the *GDPR*, *unless* there are other *legal obligations or* reasons of the *public interest to retain* their personal *data*.

Right To Be Forgotten

In the GDPR, *applies if* such a *decision* is based *solely on automated processing* and produces *legal effects* concerning the data subject or similarly significantly affects them. If a decision-making process falls within these parameters, *the* underlying *processing* of personal data is *only allowed if* it is *authorized by law*, *necessary for* the preparation and execution of a *contract*, *or* done with the data subject's *explicit consent*, provided that the controller has put *sufficient safeguards in place*.

Right To Object to Automated Decision-Making

*Whenever* a controller justifies data processing on the *basis* of its *legitimate interests* (such as direct marketing), *or* on the basis of the *public interest*, data subjects *can object* to such processing. As a consequence, the controller is *no longer allowed to process* the data subject's personal data *unless* it can demonstrate *compelling, legitimate grounds* for the processing. These grounds must be sufficiently compelling to override the interests, rights and freedoms of the data subject, *such as to establish, exercise or defend against legal claims*

Right to Object

Under the GDPR, data subjects have this right for the processing of their personal data *if the accuracy* of the data *is contested* (and only for as long as it takes to verify that accuracy); the *processing is unlawful*, and the data subject requests restriction (as opposed to exercising the right to erasure); the *controller no longer needs* the data for its original purpose, *but* the *data* is still *required* by the controller t*o establish, exercise or defend legal rights*; or verification of overriding grounds is pending *in* the *context of an erasure request*. *might include temporarily moving* selected *data to another processing system*, *making* the selected personal *data unavailable to users*, or *temporarily removing* published data *from a website*. In automated filing systems,should in principle be ensured by technical means in such a manner that the personal data is not subject to further processing and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system.

Right to Restriction

A *United States law*, passed in 2002, *regulating* the *transparency of publicly held companies*. In particular, public *companies must establish a way* for the company *to confidentially receive and deal with complaints about* actual or potential *fraud from misappropriation of assets* and/or material misstatements *in financial reporting* *from* so-called *"whistle-blowers"*. *U.S. companies with EU subsidiaries or affiliates are bound by both SOX and EU data protection law*, thus potentially *leading to conflicting obligations*, specifically *in regards to protecting the identity of the whistle-blower* (SOX) *vs.* protecting the personal *data of the employee accused of wrongdoing* (EU data protection law).

Sarbanes-Oxley Act (EU specific)

Colloquial term for *Schrems v. Data Protection Commission (Ireland)*. After revelations by *Edward Snowden* of *NSA surveillance in the U.S.* allegedly *involving Facebook*'s cooperation, Schrems *complained* to the *Irish DPC* that *Facebook Ireland*, the company's European subsidiary, *was improperly transferring* his data *to the U.S*. where it could be *accessed by the NSA*. The data *transfers* from Facebook Ireland to the U.S. *were allowed under* the *Safe Harbor* adequacy decision. *However, because Safe Harbor did not limit such U.S. government access for national security purposes, the CJEU struck down the Safe Harbor agreement as inconsistent with the European right to privacy*. As a result, adequacy is based on the concept of essential equivalence: There must be an adequate level of protection of personal data essentially equivalent to the protection of personal data in the EU.

Schrems I

Colloquial term for *Data Protection Commission (Ireland) v. Facebook & Schrems*. Being considered by the CJEU at the time of this writing, the *case challenges the validity of standard contractual clauses for the transfer of personal data from the EU to the United States*, on the same grounds Schrems used to challenge the Safe Harbor adequacy agreement.

Schrems II (aka Schrems 2.0)

Used to distinguish from omnibus laws, to mean *laws that cover a a specific market sector or population*, rather than a broad portion of the market or citizenry.

Sectorial Laws

A *fair information practices* principle, it is the principle that personal data should be protected by *reasonable security safeguards against* such *risks as loss or unauthorized access, destruction, use, modification or disclosure of data*.

Security Safeguards

As defined in *Article 9* of the GDPR, includes: *race and ethnic origin*; *religious or philosophical beliefs*; *political opinions*; *trade union* memberships; *biometric data used to identify* an individual; *genetic* data; *health* data; and data related to *sexual preferences, sex life, and/or sexual orientation*. cannot be processed except under specific circumstances.

Special Categories of Data

Same as Contractural Clauses - *adopted either directly by the European Commission or* by a *supervisory authority* in accordance with the consistency mechanism *and then adopted by the Commission*, contractual clauses are mechanisms by which organisations can commit to protect personal data to facilitate ongoing and systematic *cross-border personal data transfers*.

Standard Model Clauses

The GDPR permits "visualisation" to be used to provide fair processing information to data subjects where appropriate and makes provision for the use of these to give an easily visible, understandable and meaningful overview of the processing; *Article 12(7)*

Standardized Icons

The principle that personal data must be kept in a form that *permits identification* of data subjects for *no longer than is necessary* for the purposes for which the personal data is processed. Personal data *may be stored for longer* periods if it will be processed solely *for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes*, *subject to* implementation of the appropriate *technical and organizational measures* required *to safeguard* the rights and freedoms of the data subject.

Storage Limitation

An independent public authority established by an EU member state, responsible for monitoring the application of the GDPR

Supervisory Authority

One of the four classes of privacy, along with information privacy, bodily privacy and communications privacy. It is concerned with placing limitations on the ability of one to *intrude into another individual's environment*. Environment is not limited to the home; it may be defined as the workplace or public space and environmental considerations can be extended to an international level. Invasion into an individual's territorial privacy *typically* comes in the form of *video surveillance, ID checks and use of similar technology and procedures*.

Territorial Privacy

In the case of the GDPR, it applies to organizations *established in the EU and to their third-party processors* of personal data, *wherever they happen to be located*, *and* to those *organizations that offer goods or services* to, *or monitor, individuals in the EU*."

Territorial Scope, "jurisdictional reach"

- European Parliament - European Council - European Commission - Court of Justice of the European Union - European Central Bank - Court of Auditors

The Six Major European Union Institutions

This refers to any data processed for the purpose of the conveyance of a communication on an Electronic Communications Network or for the billing thereof. Traffic data includes *information about the type, format, time, duration, origin, destination, routing, protocol used and the originating and terminating network of a communication*. For example, in relation to a telephone call, traffic data includes, among other information, the phone numbers of the caller and call recipient; in relation to an e-mail, the e-mail addresses of the sender and recipient' and the size of any attachments.

Traffic Data

The movement of personal data from one organization to another.

Transfer

The automatic forwarding of data packets from one server to another.

Transit

Taking appropriate measures to provide any information relating to processing to the data subject in a *concise*, *intelligible* and *easily accessible* form, using clear and *plain language*.

Transparency

Signed in *2007*, and effective in *2009*, its main aim was to *strengthen* and improve the *core structures* of the *European Union* to enable it to function more efficiently. *amends the EU's two core treaties*, the *Treaty on European Union* and the *Treaty Establishing the European Community*. The treaty *ensures* that *all institutions* of the European Union *must protect individuals* when processing *personal data*. It *also established* a *European Data Protection Supervisor* whose role is *to regulate compliance* with data protection law within the institutions of the European Union, but its references to "authorities"' implies that the national data protection authorities may also have jurisdiction in such matters.

Treaty of Lisbon

Where actions by a data subject lead to an *unmistakable conclusion that consent has been provided*; where consent meets the standard of being a "freely given, specific and informed" indication of an individual's wishes. This is the baseline standard for consent in the GDPR

Unambiguous Consent

Also called the Human Rights Declaration, the declaration *recognized the* universal *values* and traditions *of inherent dignity, freedom, justice and peace*. It was *adopted by the General Assembly of the United Nations* on 10 December *1948*. This declaration formally announced that *"[n]o one shall be subjected to arbitrary interference with his privacy, family, home or correspondence [.]"* The statement was intended to encompass a wide range of conduct, as evidenced by *Article 12 of the Declaration*, which *describes* both the *territorial and* the *communications notions of privacy*.

Universal Declaration of Human Rights

According to the GDPR, in exceptional cases *where* there is an *urgent need* to protection individuals' *rights and freedoms*, a *supervisory authority* can *bypass* the *cooperation* procedures *and consistency mechanism* to adopt *provisional measures* in its country, after which it should *notify other regulators* who have an interest in the matter, *the Commission and* the *EDPB* (European Data Protection Board). The supervisory authority can apply to the EDPB for an *urgent opinion or decision* where it feels that final measures are needed, and any regulator can apply for an urgent opinion or decision where it feels that another regulator has failed to take appropriate action in a case of urgency.

Urgency Procedure

Protecting these refers to circumstances of *life or death* — in other words, where the processing of personal data contemplated is *vital to an individual's survival*. For example, under the GDPR, processing of personal data that necessary in order to protect this of the data subject or of another natural person is one of the six legal bases for processing personal data. This criterion will be relevant only in *rare emergency situations* such as *health care settings, humanitarian response, and law enforcement*.

Vital Interests

If illegal or improper activity is taking place within an organization, employees may first observe it and report it to individuals with more authority or an agency outside of the organization. In setting up procedures to make it possible for an employee to report such activity, per laws in a variety of jurisdictions that *protect the rights of*, an organization will want to be sure that appropriate privacy safeguards are put in place.

Whistleblowing

primarily in the European Union, are *bodies that represent employees* and have certain *rights under local law* that affect the use of employee data by employers. can *have a role in deciding whether employees' personal data can be processed* because they typically have an obligation to safeguard employee rights, which include data protection and privacy rights. They are *most likely to be encountered in a data protection setting in Germany*.

Works Councils