GDPR Glossary




Adequacy Decision:  a decision by the European Commission to designate a country outside the EEA as an Adequate Jurisdiction. 


Adequate Jurisdiction:  one of the following jurisdictions that have been designated by the European Commission as providing an adequate level of protection for personal data: Andorra, Argentina, Canada (for organizations that are subject to Canada's PIPEDA law), Switzerland, the Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Uruguay.  These are also called ‘whitelisted’ countries.  U.S. organizations that are certified to the EU-US Privacy Shield are also deemed adequate for this purpose.


Article 29 Working Party:  an EU-level advisory body made up of representatives from national Data Protection Authorities and the European Data Protection Supervisor, created under Article 29 of the Data Protection Directive.


Binding Corporate Rules:  a set of binding rules adopted by an organization and approved by national Data Protection Authorities to ensure the protection of personal data in multiple jurisdictions.  This mechanism is endorsed by the European Commission for authorizing Cross-Border Data Transfers outside the EU.


Biometric data:  personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. (Article 4, GDPR)


Code of Conduct:  a code adhered to by an organization, which may provide evidence of compliance with the requirements of EU data protection law. (Article 40, GDPR)


Controller:  the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. (Article 4, GDPR)


Concerned DPA:  a Data Protection Authority of an EU Member State, the residents of which are affected by an organization’s data processing activities (e.g., if Dutch residents are affected by the relevant processing, then the Dutch DPA is a Concerned DPA).


Consent of the Data Subject:  any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.  (Article 4, GDPR)


Consistency mechanism:  the mechanism set out in the GDPR which requires DPAs to ensure that they enforce the GDPR in a consistent manner.  (Article 63, GDPR)


Cross-border data transfer:  a transfer of personal data to a recipient in a country outside the EEA.


Cross-border processing:  means either

  1. processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
  2. processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.  (Article 4, GDPR)


Data breach:  any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.  (Article 4, GDPR)


Data subject:  an individual about whom personal data is being processed.


Data exporter:  a controller (or, where permitted, a processor) established in the EU that transfers personal data to a data importer.


Data importer:  a controller or processor located in another country that receives personal data from a data exporter.


Data Protection Authority:  each EU Member State appoints one or more such Authorities to implement and enforce data protection law in that Member State. (The Directive and the GDPR both use the term "Supervisory Authority", but the terms Data Protection Authority and DPA are more commonly used in practice.)


Data Protection Directive:  Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.


Data Protection Impact Assessment (DPIA):  a structured review of a particular processing activity from a data protection compliance perspective. (Article 35, GDPR)


Data Protection Principles:  principles that govern the processing of personal data.


Derogation:  an exemption from a law or a rule.


European Data Protection Board: a body of the European Union established by the GDPR composed of the head of one supervisory authority from each State of the EU.  This body effectively replaces the Article 29 Working Party on May 25, 2018.


European Data Protection Supervisor:  a body responsible for ensuring that the EU institutions comply with EU data protection law.


EU-US Privacy Shield:  the mechanism providing a lawful basis for transfers of personal data from the EU to U.S. organizations that certify to the EU-US Privacy Shield, pursuant to Commission Decision C(2016) 4176.  The EU-US Privacy Shield Framework replaces the US-EU Safe Harbor Framework.


General Data Protection Regulation (GDPR):  The EU General Data Protection Regulation (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).  This Regulation replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.


General Data Quality Principles:  means personal data must be: (a) processed fairly and lawfully; (b) collected for specific, explicit and legitimate purposes and not processed in a manner incompatible with those purposes; (c) adequate, relevant and not excessive; (d) accurate and, where necessary, up to date; (e) kept in an identifiable form for no longer than necessary; and (f) kept secure (Article 5, GDPR).


Genetic data:  means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.  (Article 4, GDPR)


Information Commissioner’s Office (ICO):  The UK’s Data Protection Authority.


International organization:  means an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.  (Article 4, GDPR)


Main establishment: (a) for a controller, the place of its central administration in the EU (or, if none, the place in the EU where its main processing decisions are taken); or (b) for a processor, the place of its central administration in the EU (or, if none, the place in the EU where its main processing operations take place).  (Article 4, GDPR)


Member State: a Member State of the European Union (i.e., Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom). Following the UK's submission of a notice of withdrawal under Article 50 of the Treaty of Lisbon the United Kingdom will remain an EU Member State until midnight (Brussels time) on 29 March 2019, unless the European Council decides unanimously to extend the two-year negotiating period.


Model clauses or model contracts: the various sets of Standard Contractual Clauses for Cross-Border Data Transfers published by the European Commission.  Set out in Commission Decision C(2010) 593, Commission Decision C(2004) 5271 and Commission Decision C(2001) 1539.


One-Stop-Shop: the GDPR principle that an organization operating in multiple Member States should have a lead DPA, also called a Lead Supervisory Authority (“LSA’)   that provides a single regulatory point of contact, based on the place of its main establishment in the EU.


Personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.  It is also called Personally Identifiable Information.  Examples of personal data include name, location, personal identification number, the color of your hair, the list of customers names and their addresses, IT usage data, traffic data, information about education, income, and license plate.  (Article 4, GDPR)


Privacy and Electronic Communications Directive: Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector as amended by the Citizens' Rights Directive 2009/136/EC.


Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4, GDPR)


Processor:  a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. (Article 4, GDPR)


Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements (Article 4, GDPR)


Pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.  (Article 4, GDPR)


Recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing. (Article 4, GDPR)


Records of processing:  all the processing activities regarding personal data of enterprises with more than 250 persons or with a risk to the rights and freedoms of the data subjects shall be recorded.  For example, if an organization is using either employee data or customer data. They have to record it and present in a documentation form that is called records of processing activity.  (Article 30, GDPR)


Representative (or EU Representative):  a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation.  (Article 4, GDPR)


Restriction of Processing:  the marking of stored personal data with the aim of limiting their processing in the future. (Article 4, GDPR)


Safe Harbor:  a data transfer mechanism agreed between the US and the EU, and ratified pursuant to Commission Decision 2000/520/EC. That Commission Decision was subsequently held to be invalid by the CJEU in the Schrems decision, October 6, 2015. 


Sensitive Personal Data: personal data, revealing race or ethnicity, political opinions, religion or beliefs, trade union membership, physical or mental health or sex life.  The GDPR adds genetic data.  (Article 9, GDPR) Data relating to criminal convictions or related security measures are also treated as sensitive in many EU jurisdictions.


Swiss-US Privacy Shield:  a valid legal mechanism approved by the Swiss Federal Data Protection and Information Commissioner and the U.S. Department of Commerce on January 12, 2017 for U.S. companies to comply with Swiss requirements when transferring personal data from Switzerland to the United States.  The Swiss-US Privacy Shield Framework replaces the US-Swiss Safe Harbor Framework.


Third party: means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data. (Article 4, GDPR)


Whitelisted (adequate) country:  see Adequate Jurisdiction, above.




BCRs mean Binding Corporate Rules

CFR means the Charter of Fundamental Rights of the European Union (2000/C 364/01).

CJEU means the Court of Justice of the European Union.

Commission means the European Commission.

Council means the Council of the European Union.

Directive means EU Directive 95/46/EC.

DPA means a Data Protection Authority.  

DPIA means a Data Protection Impact Assessment.

DPO means a Data Protection Officer.

ECHR means the European Convention on Human Rights.

EDPB means the European Data Protection Board.

EDPS means the European Data Protection Supervisor.

EEA means the European Economic Area, which is made up of the 28 EU Member States, together with Iceland, Liechtenstein and Norway.

GDPR means Regulation (EU) 2016/679 (the General Data Protection Regulation).

GDPR Effective Date means 25 May 2018 (i.e., the date from which the provisions of the GDPR apply—which is effectively the date on which enforcement of the GDPR begins).

ICO means the UK Information Commissioner’s Office.

Lead DPA means the DPA for the Member State in which an organization has its main establishment.

PII means personally identifiable information, or personal data. 

‘Schrems’ refers to the decision of the CJEU in Schrems v Data Protection Commissioner (Case C-362/14).

TFEU means the Treaty on the Functioning of the European Union.

WP29 means the Article 29 Working Party.  Under the GDPR, the WP29 is effectively replaced by the EDPB.