Glossary of terms used on this site

means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed

A person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Only controllers need to pay the data protection fee.

The principle of

the right to have their personal data returned to them in an electronic format by the data controller. They may then pass this data onto another controller. This will enable individuals to move to alternative service providers more easily

A person, public authority, agency or other body which processes personal data on behalf of the controller.

A term often used to refer to a supervisory authority, which is an independent public authority responsible for monitoring the application of the General Data Protection Regulation in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the European Union.

The implementation of appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons. Such organisational measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, and enabling the data subject to monitor the data processing.

data security and privacy compliance must be built into new organisational and technical systems during their development, not added in later. Only data that is determined as

The controller shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data when a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. This assessment has to be done prior to the processing and, in particular if using new technologies, has to take into account the nature, scope, context and purposes of the processing.

Under the GDPR, some organisations need to appoint a data protection officer who is responsible for informing them of and advising them about their data protection obligations and monitoring their compliance with them.

Data protection policies outline the basic contours of the measures an organization takes in the processing and handling of personal data. Key matters the policy should address include: Scope, which explains both to whom the internal policy applies and the type of processing activities it covers; Policy statement; Employee responsibilities; Management responsibilities; Reporting incidents; Policy compliance.

Article 5 of the General Data Protection Regulation lists the principles as such: Lawfulness, fairness and transparency; Purpose limitation; Data minimisation; Accuracy; Storage limitation; Integrity and confidentiality.

Any person to whom personal data are disclosed, including any person to whom they are disclosed in the course of processing the data for a Data Controller (for example, an employee of the data controller, a data processor or an employee of the data processor).

The identified or identifiable living individual to whom personal data relates.

The communication of advertising or marketing material directed to particular individuals.