The GDPR Glossary

This is a commonly used General Data Protection Regulation Glossary. Since GDPR is written by lawyers and we wanted to help you to understand these difficult terms in a more easy way. Below are the most important ones to keep an eye on.

The General Data Protection Regulation (GDPR)

The is a regulation on the protection of individuals within the European Union with regard to the processing and movement of personal data in this era of increased online data sharing. It was adopted on 27 April 2016 and it shall be applied from 25 May 2018.


It is a legal act adopted by the European Union that can be immediately applied in the Member States and does not need further adopting the national law. This means that the GDPR will come into effect in all the Member States of the European Union starting from 25 May 2018.

Personal data

Any data that can help identify an individual. It is also called Personally Identifiable Information.Examples of personal data include name, location, personal identification number, the color of your hair, the list of customers names and their addresses, IT usage data, traffic data, information about education, income, license plate.

Sensitive personal data

Similar to personal data because its main purpose is to help identify an individual, but more dangerous if breached or vulnerable to privacy.Examples of sensitive personal data include religious beliefs, race, political opinions, sexual orientation, physical and mental health conditions, biometric data or genetic data.

Biometric data

Any data that is used to identify a human being by his/her unique characteristics.Fingerprints are one example of biometric data. The GDPR states that the processing of such data is prohibited unless the data subject (user/consumer) has provided the consent and the processing is necessary for specific reasons such as protecting the vital interests of the individual.

Genetic data

Any data that refers to genetic characteristics of a data subject. This data is unique and individual.
Protecting the genetic data is very important, as health insurance companies in possession of genetic data regarding the health of a subject may increase the cost of insurance based on this information.

Data concerning health

Any data that can offer information about the physical and mental state of a data subject.

For example, medical records about a mental disorder such as depression are considered to be data concerning health.

Data subject

An individual to which the data refers to. In simpler terms, it could be a user or consumer.

For example, a student is a data subject, as the university possesses data about him/her which include name, address, nationality, date of birth, etc.

Furthermore, the processing of data may affect employees, managers, contractual partners, suppliers, etc


All the operations that are performed on the personal data, such as collecting, recording, transferring or storing.

When users create new accounts or do online-shopping using their credit cards, the websites process their personal data.

Encrypted Data

The protection of personal data that has the purpose of ensuring the confidentiality and integrity of the data and making it unreadable and from those who do not have a special access to this data.

For example, encrypted data may seem like meaningless information unless you are using the correct key to decrypt it.

Data Controller (DC)

The entity who decides which data will be processed and by what means.

Examples of data controllers include individuals, legal persons, government departments or companies. The GDPR creates an obligation to provide information to the data subject regarding any personal data being processed and to allow access to the personal data.

The DC must also inform in the quickest time possible the purpose of the processing, the category of personal data being processed, who the recipient of the personal data was etc.

Data Processor (DP)

The entity responsible for the processing of personal data on behalf of the Data Controller.

Examples of Data Processor include IT service providers or market research companies.

Only the processors providing sufficient guarantees in regard to the GDPR will be chosen by the Data Controller.

Data recipient

The entity that receives the data processed by the DP.

These entities can be public ( for example tax offices, governmental agencies etc.) or private ( for example departments regarding their own employees - like marketing, personnel, accounting etc., banks, telecommunications companies etc.)

Data protection agreement

When a DC appoint a DP, they must create this legal act called data protection agreement ( DPA) in order to determine in a written form all the conditions of the processing such as subjects of processing, duration, purpose, means used etc.

The obligations and rights of the processor have to be clearly determined ( for example the duty of confidentiality or the obligation to take all the technical measures possible to avoid breaches).

Right to erasure

Also referred to as 'right to be forgotten', it secures the individual's right to have the DC erase without delay their personal data, inform other controllers that the individual has requested the erasure of data and cease further dissemination of the data.

For example, search engines are expected upon a request from the individual to delete the links to certain web pages that are linked to the individual's name.

Right to the restriction of processing

The right of the individual to have the DC restrict the processing of the data if it is inaccurate, unlawful or the controller doesn't need the personal data for processing anymore.

If this right is used by the data subject, the DC has the obligation to inform further data controllers processing the data.

Right to data portability

It enables the data subject to obtain any personal data from the controller in a format that is readable by another data controller.

This right may have a higher applicability in the banking industry if a data subject requests to see his/her transactions and to obtain them in a readable format.

Joint controllers

Two or more data controllers decide together which data will be processed and by which means. The process has to be realized in a transparent manner, with regards to the rights of the data subject.

For example, a company which produces certain goods and its authorized dealer can decide to share the personal data of their customers.

Controller representative

An individual or a legal person who represents the controller in matters regarding the compliance with the GDPR.

Records of processing Activities

All the processing activities regarding personal data of enterprises with more than 250 persons or with a risk to the rights and freedoms of the data subjects shall be recorded.

For example, if an organization is using either employee data or customer data. They have to record it and present in a documentation form that is called records of processing activity.

Data protection impact assessment

If the data being processed possesses a risk to the rights and freedoms of data subjects, the controller has the obligation to evaluate the risk before starting the processing. The Data Protection Officer may offer assistance in this matter.

If the result of the assessment shows a high risk, the process shall be reviewed every 6 months. For medium risk, the process will be reviewed every 9 months and for low every 12 months.

Supervisory authority

A public authority with whom the data controllers and processors are required to cooperate if necessary.

Each State of the EU will designate at least one independent supervisory authority.

In Germany, there are 15 supervisory authorities, responsible for the different regions of the country (for example the Bavarian Data Protection Authority - BayLDA, responsible for the state of Bavaria)

The European Data Protection Board

A body of the European Union established by the GDPR composed of the head of one supervisory authority from each State of the EU.

The main purpose of the Board is to ensure the application of the Regulation.

Personal data breach

A security issue leading to unlawful access, use, dissemination etc. of personal data.

For example, 3 million encrypted customer credit card records have been stolen from Adobe in 2013 following a data breach.

The DC shall notify the supervisory authority within 72 hours of becoming aware of the breach and disclose the nature of the breach, the personal data affected, the likely consequences and the possible measures that can be taken to repair the damage created.

If the breach is considered to be a risk to the rights and freedoms of the individual, the data subject must be notified as well.

In order to avoid such problems, the controller is asked to analyze the risk of potential data breaches and to try to strengthen the security where possible. The risk is evaluated on a scale from 1(low risk) to 3 (high risk).

Data Protection Officer

An individual whose main task is to monitor the compliance of an enterprise with the GDPR and to advise on data protection measures.

A DP Officer shall be designated if the organization is a public authority, carries large-scale monitoring of data subjects or processes data related to criminal convictions.


A process encouraged by the GDPR in which the data cannot be attributed to an individual and cannot help identify him/her without additional information. This method is designed to improve the security of the data and reduce the risk of breaches. The DCs are encouraged to use this process in order to meet the GDPR security requirements.


An exemption of a law or a rule.

In the context of the European Union Regulations, derogation can mean that a Member State may not implement a new law immediately.


The agreement given by an individual regarding the processing of personal data.

For example, when registering on a website or taking part in an online contest, you have to tick a box saying that you agree that the company may use and process the data you have provided.


A method that uses the provided personal data to predict behavior in the future.

For example, social media websites use the data an individual has provided in order to offer him/her targeted advertising, based on likes, hobbies, viewed pages etc.

Filing system

A system that is designed to organize the personal data and make it accessible using some specific criteria.

For example, choosing personal data of subjects in one geographical area or of a specific age.

Data transfer

Moving personal data from the 28 EU countries and the three EEA countries (Norway, Liechtenstein, and Iceland) to a third country. The GDPR allows this process only if the country in matter complies with the conditions of the Regulation. A commission will evaluate the level of data protection in that specific country and approve or disapprove to the data transfer.

Until now the Commission has stated that the following countries provide sufficient data protection:  Andorra, Argentina, Canada (commercial organizations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.

If the UK shall leave the European Union and the EEA, it shall become a third country.


European Economic Area, an area in which free movement of persons, services, goods and capital is allowed.

There are currently 28 EU states which are part of the EEA plus Norway, Liechtenstein and Iceland.

Binding Corporate Rules (BCR)

the set of internal rules used by multinational companies which regulate the transfers of personal data within the group to companies that are not in the EEA and do not provide the level of data protection required.

The BCRs need to be approved by the EU and will then provide sufficient protection guarantee to allow this international transfers to take place.

For example, eBay has adopted a set of Binding Corporate Rules approved by the Luxembourg National Data Commission.


Punishments imposed for not complying with the GDPR. The fines for data breaches can be as high as €20 million or 4% of global gross revenue (whichever is higher).

As a result of these very high penalties, many companies which do not comply with the Regulations or are subject to data breaches may face insolvency.

ECOMPLY is a GDPR compliance management software that assists in building and maintaining compliance documentation. Check out our website or contact us for more information.

Hauke Holtkamp, CEO ECOMPLY GmbH