General Data Protection Regulation 

GENERAL TERMS

Personal data: Basically, any information about a person that you can use to recognise that person. The easiest example is someone's name, which is personal data. A postal code can also be personal data, but only in combination with a house number, for example. The important thing is that the information can tell you who the person is. With just the postal code, you do not know yet who the person is, but in combination with a house number, you could.

ACTIONS

Processing: Any automated collection, manipulation or storage of personal data. Examples are: collecting, recording, structuring, storing, updating, modifying, retrieving, consulting, forwarding and erasing.

Automated processing: Technology that processes data in an automated way (e.g., storing through an online form).

ROLES

Data subject: A person whose personal data is being processed by the controller or the processor.

Controller: A person or organisation which determines how personal data is being processed and for what purpose. The controller is responsible for compliance with the GDPR.

Processor: A person or organisation which processes personal data for a controller and follows the instructions of that controller.

Data Protection Authority (DPA): The national organisation(s) which act as the supervisory authorities for the processing of personal data. These independent organisations assess compliance with national and European data protection rules.

PRINCIPLES

Lawfulness: data processing is lawful if it meets the requirements of the GDPR.

Fairness: data must be processed and used fairly, i.e. in line with the data subject’s expectations.

Transparency: processors must be transparent about their processing and about the grounds on which they base it.

Purpose limitation: data may only be used for the purposes for which it was collected. There are some general exceptions to this, such as scientific research and statistical purposes.

Minimum data processing: processors have a duty not to process more data than necessary. So they should also not collect more data than necessary.

Accuracy: processors have a duty to ensure the accuracy of the data they process. Data that is incorrect should be deleted or amended as soon as possible.

Storage limitation: data that is being processed, and that is already minimised and purpose-specific, should only remain stored in a form in which the data subject is identifiable for as long as is necessary for the purpose for which the data is being processed. After the purpose for processing has passed, the data may only be processed for a limited number of purposes such as archiving, research and statistical purposes.

Integrity and confidentiality: data subjects must be able to trust that their data can only be accessed by people who have permission and a reason to do so. Personal data should also be protected against loss and should be secured appropriately so that data confidentiality remains protected.
