A “natural person” who can be directly or indirectly identified by information such as a name, an identification number, location data, an online identifier (such as a username), or their physical, genetic, or other identity.
This concerns the right of data subjects to obtain from the data controller, upon request, certain information relating to the processing of their personal data, as indicated in Section 2, Chapter III of the GDPR.
Any information relating to an identified or identifiable data subject.
Personal data that cannot be tied to a specific data subject without additional information that is stored separately, with technological measures to ensure the data is not combined with that additional information.
Particular categories of data
Often referred to as "sensitive data", these are personal data pertaining to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health, sex life and sexual orientation.
The GDPR extended the definition to include both biometric and genetic data.
This broad term refers to any transaction or set of transactions carried out on personal data or sets of personal data, via automated means or not. Examples of processing include the collection, recording, organization, storage, use and destruction of personal data.
A technique for processing personal data such that the data can no longer be attributed to a specific individual without the use of additional information, which must be kept separately and be subject to technical and organizational measures in order to guarantee non-attribution.
Transfer of personal data to countries outside the EEA or to international organizations, which is subject to the restrictions set out in Chapter V of the GDPR. As under the provisions of the Data Protection Directive, the data need not be physically transported to be considered legally transferred. Accessing data held in the EEA from a country outside the EEA is considered a transfer within the meaning of the GDPR.
This term is used in several contexts within the GDPR, most often to designate a legal entity carrying out an "economic activity". This term has special meaning in the context of the GDPR provisions on financial sanctions. Companies may be subject to penalties calculated as a percentage of their annual worldwide turnover. In this context, the term refers to the principles developed in the context of European competition law.
Any person or body which, alone or together with others, determines the purposes and means of the processing of personal data.
Any entity or person who processes personal data on behalf of the controller.
Right to data erasure / Right to be forgotten
The right to erase personal data of an existing data subject has, in some cases, been extended to a new "right to erasure" in the cases set out in Section 3 Chapter III of the GDPR.
Supervisory Authority / Lead Authority
Supervisory authorities are national data protection authorities, which are empowered to enforce the GDPR in their own Member State. "One stop shop" concept: when a company is established in more than one Member State, it will be attached to a "lead authority", which will be determined by the location of its "principal place of business" within the EU. A supervisory authority that is not a lead authority may also have powers of action as a regulator, for example in cases where the processing has consequences for relevant persons in the country of which this supervisory authority is the national authority.
The European Data Protection Supervisor; it will replace the Article 29 Working Party, and its functions will be to ensure consistency in the application of the GDPR, to advise the EU Commission, to issue guidelines, codes of practice and recommendations, to accredit the certification bodies, as well as to issue opinions on the decision proposals of the supervisory authorities.
Directive on data protection
European Directive 95/46/EC previously governed the processing of personal data within the EU, and will now be replaced by the GDPR.
Data Protection Officer; it is mandatory to designate one under the GDPR when:
(i) the processing is carried out by a public authority or;
(ii) the "core business" of the controller and the processor
(a) consist of "large-scale processing of particular categories of data" or;
(b) consist of large-scale processing of particular categories of data or data relating to criminal convictions and offenses.
EIVP or PIA
The GDPR imposes a new obligation on processors and subcontractors to carry out a privacy impact assessment (PIA) before undertaking any processing that presents a specific risk to privacy because of its nature, scope or purpose. Section 3 of Chapter IV sets out a non-exhaustive list of processing categories falling under this provision.
Article 29 Working Group
The Article 29 Working Party (G29) consists of representatives of the EU National Supervisory Authorities, the European Data Protection Supervisor and the European Commission. It has been replaced in the GDPR and is now called the European Data Protection Supervisor (EDPS), composed in a similar way but with an independent Secretariat (please refer to the chapter on the "European Data Protection Supervisor").
The European Economic Area comprises all 28 EU Member States as well as Iceland, Liechtenstein and Norway. The EEA does not include Switzerland.
European Regulation on the Protection of Personal Data
European Regulation 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (GDPR for General Data Protection Regulation). It will come into effect on May 25, 2018.