The GDPR Glossary

Understand every technical and legal concept of the GDPR.


Automated Decision Making & Profiling

A decision which significantly affects a person and which is based solely on automated processing of personal data in order to evaluate this person. For example, it can relate to performance at work, creditworthiness, reliability, conduct, etc.

Binding Corporate Rules (BCR)

Legal tool that can be used by multinational companies to ensure an adequate level of protection for the intra-group transfers of personal data from a country in the EU/EEA to a third country. The use of BCRs requires, in principle, the approval of each of the EU/EEA data protection authorities from whose country the data are to be transferred.

Communication To The Data Subject

If a privacy breach is likely to result in a high risk to the rights and freedoms of data subjects, you must inform those concerned directly and without undue delay, particularly if there is a need to mitigate an immediate risk of damage to them. One of the main reasons for informing data subjects is to help them take steps to protect themselves from the effect of a breach.


Any freely given, specific and informed indication of the wishes of a data subject, by which he/she agrees to personal data relating to him/her being processed.


The data controller is the party that, alone or jointly with others, determines the purposes and means of the processing of personal data. The controller is responsible for the lawfulness of the processing, for the protection of the data, and respecting the rights of the data subject.


Short text files stored on the userโ€™s device by a web site. Cookies are normally used to provide a more personalized experience and to remember user profiles without the need of a specific login.

Data Subject

The data subject is the natural person whose personal data is collected, held or processed.

European Data Protection Board (EDPB)

Independent European body which contributes to the consistent application of data protection rules throughout the European Economic Area (EEA), and promotes cooperation between the EEAโ€™s data protection authorities.

Legal Basis

To process personal data a valid lawful basis is necessary. There are six available lawful bases for processing : consent, contract, legal obligation, vital interests, public task, legitimate interests. No single basis is โ€™betterโ€™ or more important than the others โ€“ which basis is most appropriate to use will depend on your purpose and relationship with the individual.

Notification To The Supervisory Authority

When a personal data breach occurs, you need to establish the likelihood of the risk to peopleโ€™s rights and freedoms. If a risk is likely, you must notify the supervisory authority of your Member State. If a risk is unlikely, you donโ€™t have to report it. However, if you made the decision not to notify the breach, you need to be able to justify this decision, so you should document it in a Data Breach Record.

Personal Data

Any information that identifies or can be used to identify an individual directly or indirectly. Examples of Personal Information include, but are not limited to, first and last name, date of birth, email address, gender, occupation, or other demographic information.

Personal Data Breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Privacy Impact Assessment (PIA)

A process designed to help organisations identify and mitigate privacy risks associated with proposed data processing activities.

Privacy Information Notice

Everyone has the right to know that their personal data are processed and for which purpose. The right to be informed is essential because it determines the exercise of other rights. A Privacy Information Notice is a document specifying the information which shall be provided to a data subject whether or not the data have been obtained from the data subject.

Processing Activity

Any operation or set of operations that can be performed on personal data or on sets of personal data. This includes, for example, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction.


A processor processes personal information on behalf of a controller based on the controller's instructions.


A natural or legal person, public authority, agency or another body, to which the personal data are disclosed.

Retention Period

Data retention refers to all obligations on the part of controllers to retain personal data for certain purposes. Data minimisation imposes to store data "as long as necessary, as short as possible", taking into account legal rules that may impose fixed periods.

Right Of Access

The right for a data subject to obtain from the controller the confirmation that data related to him/her are being processed, the purpose(s) for which they are processed, as well as the logic involved in any automated decision process concerning him or her. This right also allows the data subject to receive communication in an intelligible form of the personal data processed.

Right Of Data Portability

Itโ€™s the right for data subjects to receive personal data they have provided to a controller in a structured, commonly used and machine readable format. It also gives them the right to request that a controller transmits this data directly to another controller.

Right Of Erasure

Data subjects have the right to have personal data erased from a system or a website. This is also known as the โ€˜right to be forgottenโ€™. The right is not absolute and only applies in certain circumstances.

Right Of Rectification

Itโ€™s the right to obtain from the controller the rectification without delay of inaccurate or incomplete personal data.

Right Request

This is a request made by a data subject to obtain the exercise of one of his/her rights under the GDPR. The GDPR does not specify how data subjects should make requests, whether it is verbally or in writing. They can also be made to any part of your organisation and do not have to be to a specific person or contact point, or to include as object "right request under the GDPR".

Right To Object

Itโ€™s the right for a data subject to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (a) of Article 5(1), including profiling based on that provision. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

Right To Restriction Of Processing

Itโ€™s the marking of stored personal data with the aim of limiting their processing in the future.

Sensitive Data

Special categories of personal data include data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural's sex life or sexual orientation. The processing of such information is in principle prohibited, except in specific circumstances. It is possible to process sensitive data for instance if the processing is necessary for the purpose of medical diagnosis, or with specific safeguards in the field of employment law, or with explicit consent of the data subject.

Service Providers

A service provider is an individual or entity that provides services to another party. It is not necessarily a processor, legal qualification depending on the situation.

Standard Contractual Clauses (SCC)

Legal tools to provide adequate safeguards for data transfers from the EU or the European Economic Area (EEA) to third countries. They are model contracts adopted by the European Commission.

Supervisory Authority

Independent body which is in charge of monitoring the processing of personal data within its jurisdiction (in each Member State of the Union), of providing advice to the competent legislative and administrative bodies, and of hearing complaints lodged by citizens.

Become GDPR compliant in minutes!

Privacyboard helps you comply with GDPR easily so you can focus on what's really important for your business.
Start for free