A decision which significantly affects a person and which is based solely on automated processing of personal data in order to evaluate this person. For example, it can relate to performance at work, creditworthiness, reliability, conduct, etc.

Legal tool that can be used by multinational companies to ensure an adequate level of protection for the intra-group transfers of personal data from a country in the EU/EEA to a third country. The use of BCRs requires, in principle, the approval of each of the EU/EEA data protection authorities from whose country the data are to be transferred.

If a privacy breach is likely to result in a high risk to the rights and freedoms of data subjects, you must inform those concerned directly and without undue delay, particularly if there is a need to mitigate an immediate risk of damage to them. One of the main reasons for informing data subjects is to help them take steps to protect themselves from the effect of a breach.

Any freely given, specific and informed indication of the wishes of a data subject, by which he/she agrees to personal data relating to him/her being processed.

The data controller is the party that, alone or jointly with others, determines the purposes and means of the processing of personal data. The controller is responsible for the lawfulness of the processing, for the protection of the data, and respecting the rights of the data subject.

Short text files stored on the user’s device by a web site. Cookies are normally used to provide a more personalized experience and to remember user profiles without the need of a specific login.

The data subject is the natural person whose personal data is collected, held or processed.

Independent European body which contributes to the consistent application of data protection rules throughout the European Economic Area (EEA), and promotes cooperation between the EEA’s data protection authorities.

To process personal data a valid lawful basis is necessary. There are six available lawful bases for processing : consent, contract, legal obligation, vital interests, public task, legitimate interests. No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.

When a personal data breach occurs, you need to establish the likelihood of the risk to people’s rights and freedoms. If a risk is likely, you must notify the supervisory authority of your Member State. If a risk is unlikely, you don’t have to report it. However, if you made the decision not to notify the breach, you need to be able to justify this decision, so you should document it in a Data Breach Record.

Any information that identifies or can be used to identify an individual directly or indirectly. Examples of Personal Information include, but are not limited to, first and last name, date of birth, email address, gender, occupation, or other demographic information.

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

A process designed to help organisations identify and mitigate privacy risks associated with proposed data processing activities.

Everyone has the right to know that their personal data are processed and for which purpose. The right to be informed is essential because it determines the exercise of other rights. A Privacy Information Notice is a document specifying the information which shall be provided to a data subject whether or not the data have been obtained from the data subject.

Any operation or set of operations that can be performed on personal data or on sets of personal data. This includes, for example, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction.

A processor processes personal information on behalf of a controller based on the controller's instructions.

A natural or legal person, public authority, agency or another body, to which the personal data are disclosed.

Data retention refers to all obligations on the part of controllers to retain personal data for certain purposes. Data minimisation imposes to store data "as long as necessary, as short as possible", taking into account legal rules that may impose fixed periods.

The right for a data subject to obtain from the controller the confirmation that data related to him/her are being processed, the purpose(s) for which they are processed, as well as the logic involved in any automated decision process concerning him or her. This right also allows the data subject to receive communication in an intelligible form of the personal data processed.

It’s the right for data subjects to receive personal data they have provided to a controller in a structured, commonly used and machine readable format. It also gives them the right to request that a controller transmits this data directly to another controller.

Data subjects have the right to have personal data erased from a system or a website. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.

It’s the right to obtain from the controller the rectification without delay of inaccurate or incomplete personal data.

This is a request made by a data subject to obtain the exercise of one of his/her rights under the GDPR. The GDPR does not specify how data subjects should make requests, whether it is verbally or in writing. They can also be made to any part of your organisation and do not have to be to a specific person or contact point, or to include as object "right request under the GDPR".

It’s the right for a data subject to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (a) of Article 5(1), including profiling based on that provision. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

It’s the marking of stored personal data with the aim of limiting their processing in the future.

Special categories of personal data include data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural's sex life or sexual orientation. The processing of such information is in principle prohibited, except in specific circumstances. It is possible to process sensitive data for instance if the processing is necessary for the purpose of medical diagnosis, or with specific safeguards in the field of employment law, or with explicit consent of the data subject.

A service provider is an individual or entity that provides services to another party. It is not necessarily a processor, legal qualification depending on the situation.

Legal tools to provide adequate safeguards for data transfers from the EU or the European Economic Area (EEA) to third countries. They are model contracts adopted by the European Commission.

Independent body which is in charge of monitoring the processing of personal data within its jurisdiction (in each Member State of the Union), of providing advice to the competent legislative and administrative bodies, and of hearing complaints lodged by citizens.