EU Data Protection – glossary

Thanking CORDERY, we gladly publish the

EU Data Protection – glossary

(originally published by Cordery at

We’ve put together this glossary to help explain some of the terms used in data protection and in the GDPR. If there’s a term you think we should add let us know.

Agencia de Proteccción de Datos = the Spanish data protection regulator, often known as the AEPD.

Anonymisation = the method of processing personal data in order to irreversibly prevent identification.  Organisations try and anonymise data to make it more secure and to help them comply with their data protection responsibilities.  It is a complicated topic however – for example in 2014 the Article 28 Working Party issued a detailed Opinion (approx. 37 pages long) on anonymisation.

Article 29 Working Party (sometimes known as WP29) = was set up under the 1995 European Directive as an advisory body. It comprises representatives of the supervisory authorities for each EU member state, representatives of the EU institutions and a representative of the European Commission. It issues Opinions on matters of common interest involving data protection across the EU but those opinions are advisory and need not be followed by any local Data Protection Regulator.

Article 31 Committee = The Article 31 Committee was established by the 1995 EU Data Protection Directive.  It is made up of representatives of each of the Member States who cooperate in taking decisions whenever Member States approval is required under the Directive.  The Article 31 Committee have been active in the process for adoption of the adequacy decision for Privacy Shield.

Autoriteit Persoonsgegevens = the Dutch Data Protection Regulator.  The Autoriteit Persoonsgegevens (AP) replaced the former Dutch Data Protection Regulator, The College Bescherming Persoonsgegevens (CBP), in January 2016.

Binding Corporate Rules = a binding global code of practice based on EU privacy standards, reinforced by an organisation’s internal compliance system, and which national regulators approve in accordance with their own legislation. More information at An international summer: are binding corporate rules the way forward?  BCRs receive statutory footing for the first time in GDPR.  BCRs are defined by Article 4(20) as “personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings or a group of enterprises engaged in joint economic activity”.  The system of BCRs under GDPR is set out in article 47 of GDPR.

Biometric Data = Biometric Data has its own definition within GDPR which is “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.”.

Commission Nationale de I’Informatique et des Libertés = the French data protection regulator, often referred to as CNIL.

Data = information which: (i) is processed electronically, including computer, CCTV, card access data; (ii) is not processed electronically but forms part of a relevant filing system, structured to allow easy access to information; or (iii) is part of an accessible record, relating, broadly, to health, education or other public service.

Data Controller = any person, partnership or company who determines how and for what purposes personal data is processed. A third party may carry out processing on the controller’s behalf, although the data controller remains responsible for the processing.

Data Processor = a person who processes personal data for a data controller, other than the controller’s employee. Outsourced IT and HR service providers may be processors.

Data Protection Impact Assessment = DPIA.  The successor to the PIA.  See Privacy Impact Assessment below.

Data Subject = an individual, of any nationality and age, who is the subject of the personal data.

Datainspektionen = the Swedish data protection regulator.

Datatilsynet = the data protection regulator in Denmark.

European Data Protection Board = a new body which will be created by GDPR.  This should be an independent new body to replace the current Article 29 Working Party.  One of its functions will be to act as a dispute resolution authority for disputes between data protection regulators in each country.

Garante = the Italian data protection authority, more formally known as the Garante per la protezione dei dati personali.

GDPR = General Data Protection Regulation.

Generalny Inspektor Ochrony Danych Osobowych = the Polish data protection authority, often referred to as GIODO.

Genetic Data = Genetic data has its own definition in GDPR which is “personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.”.

The Information Commissioner’s Office = the data protection regulator for the UK, often referred to as the ICO.

IDPC = The Office of the Information and Data Protection Commissioner, the data protection regulator in Malta.

Model Contract Clauses = obligations imposed on both the exporter and the importer of data between the EU and third countries to ensure that data transfer arrangements protect the rights and freedoms of data subjects.

NIS Directive = new EU legislation adopted by the European Parliament on 6 July 2016 dealing with cyber security.  The NIS Directive is not part of GDPR but has some overlapping provisions in areas like data breach reporting.

Notification = data protection notification is essentially a form of data protection registration – see registration below.

Personal Data = data relating to a living individual who can be identified from that data, either alone or with other information in the data controller’s possession. It includes opinions about, and intentions in relation to the data subject. Personal data can therefore include names, addresses, National Insurance (social security) numbers and CCTV images of individuals.

Privacy Impact Assessment = a privacy impact assessment (often known as a PIA) is a process to identify data protection and privacy risk.  PIAs were developed by the UK ICO who first published their PIA handbook in December 2007.  The GDPR features PIAs (to be called data protection impact assessments or DPIAs) in Article 33 of the current draft of the GDPR.  Article 33 says: “where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller’s behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data”.  In some cases (outlined in Article 33) DPIAs will be mandatory.  They are effectively a risk assessment looking at data protection risks.  There is no set format but we have provided tailored made DPIA processes for organisations and handbooks and training.  DPIAs are subject to inspection by  data protection regulators and in some cases prior authorisation to data processing will be required where a DPIA shows an unacceptable level of risk.  There is more information on DPIAs in our GDPR FAQs.

Privacy Shield = the replacement scheme for Safe Harbor which the European Commission launched in July 2016. More information here.

Processing = obtaining, recording, holding, or carrying out any operation on personal data. It includes organisation or alteration; retrieval or use; disclosure and anonymisation, blocking or destruction. Most operations in relation to personal data will constitute processing.

Pseudonymisation = often confused with anonymisation but with pseudonymisation the individual can still be identified – for example at its most basic level changing an employee’s name to an identification number instead and removing all of their other personal details could be pseudonymisation.  The Article 29 Working Party in its paper on anonymisation have warned of the dangers of confusing pseudonymisation and anonymisation.  They say “pseudonymisation is not a method of anonymisation.  It merely reduces the linkability of a data set with the original identity of a data subject, and is accordingly a useful security measure.”

Registration = it is a requirement of national data protection law in a number of countries (for example Ireland, Malta, Poland, The Netherlands and UK) to register with the data protection authority.  It is important to remember that broadly there can be two types of registration – the registration of data collection and the registration of data transfer. Some countries have one of these systems but not the other, some both and some neither.  Usually a registration has to be done prior to data processing commencing although there are some exemptions which again appear in national law. The general data protection requirement is set to be abolished across Europe by the GDPR although some registration obligations may remain, for example, where a DPIA discloses substantial risk which cannot be mitigated.

Right to be Forgotten = the Right to be Forgotten (also called RTBF or the Right to Erasure) is contained in Article 17 of GDPR.  The statutory Right to be Forgotten in GDPR is not to be confused with the Right to be Forgotten created by the 13 May 2014 ruling of the European Court of Just (CJEU) in the Google case which you can read about here.  Article 17 of GDPR creates the right of a data subject “to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay” subject to a number of grounds laid down in GDPR.  In some circumstances the Right to be Forgotten also obliges the data controller to contact other data controllers asking them to erase the data.

Safe Harbor = the arrangement between the US Department of Commerce and the European Commission designed to allow personal data to be exported from the EU to the US which, further to the European Court judgment in the 6 October 2015 case of Maximillian Schrems -v- Data Protection Commissioner, was held invalid in particular due to the lack of protection it afforded EU personal data in the US. More information here.

SAR = A Subject Access Request.  This is a request made by an individual who wants to see a copy of the information an organisation holds about them.  More specifically, an individual is entitled to the following: to be told whether any personal data is being processed; to be given a description of the personal data, the reasons it is being processed, and, whether it will be given to any other organisations or people; to be given a copy of the information comprising the data; and, to be given the details of the source of the data, where this is available.  Some types of personal data are exempt from the right of subject access and so cannot be obtained by making a SAR.  SARs currently exist under domestic data protection legislation – see for example s.7 of the UK Data Protection Act 1998.  From 25 May 2018 SARs will be governed by Article 12 of GDPR and its subsequent provisions.  Under GDPR, responses to a SAR should be “in a concise, transparent, intelligible and easily accessible form, using clear and plain language…“.  You can find out more about a recent UK court case looking at SARs here

Sensitive Personal Data = this is defined currently in local data protection legislation. The precise definition can vary slightly from country to country. In the UK Data Protection Act 1998 the definition includes personal data consisting of information relating to the racial or ethnic origin of the data subject, political or religious beliefs, trade union membership, physical or mental health or condition, sexual life, any offence the data subject has actually or allegedly committed and any resulting proceedings. There is a slightly different definition in GDPR which now calls Sensitive Personal Data “Special Categories of Personal Data”.

Special Categories of Personal Data = see “Sensitive Personal Data” above.