Glossary of terms used on this site

This principle ensures that controllers are more in control and in the position to demonstrate compliance with data protection principles. Accountability requires that controllers put in place internal mechanisms and control systems that demonstrates compliance and provides evidence in order to demonstrate compliance.

Organisations must take every reasonable step to ensure the data processed is accurate and, where necessary, kept up to date. Reasonable measures should be understood as taking steps to prevent inaccuracies when the data is collected and processed. The organisation must consider the type of data and the specific purposes to maintain the accuracy of personal data in relation to the purpose.

Some data can be amended in such a way that no individuals can be identified from those data (whether directly or indirectly) by any means or by any person.

The General Data Protection Regulation refers to appropriate safeguards in a number of contexts, including the transfer of personal data to third countries outside the European Union, the processing of special categories of data, and the processing of personal data in a law enforcement context. This generally refers to the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules. This may also refer to the use of encryption or pseudonymization, standard data protection clauses adopted by the Commission, contractual clauses authorized by a supervisory authority, or certification schemes or codes of conduct authorized by the Commission or a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the European Union.

The General Data Protection Regulation requires a risk-based approach to data protection, whereby organizations take into account the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, and institute policies, controls and certain technologies to mitigate those risks. These "appropriate technical and organisational measures" might help meet the obligation to keep personal data secure, including technical safeguards against accidents and negligence or deliberate and malevolent actions, or involve the implementation of data protection policies. These measures should be demonstrable on demand to data protection authorities and reviewed regularly.

Processing which significantly affects a person and which is based solely on automated processing of personal data in order to evaluate this person.

Data is "available" if it is accessible when needed by the organisation or data subject. The General Data Protection Regulation requires that a business be able to ensure the availability of personal data and have the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images

Closed circuit television usually recorded and stored for security or monitoring purposes.

The Children’s code (or Age appropriate design code to give its formal title) is a data protection code of practice for online services, such as apps, online games, and web and social media sites, likely to be accessed by children.

Cloud computing is Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand and it typically involves the provision of dynamically scalable and often virtualised resources as a service over the Internet.

Introduced by the General Data Protection Regulation, codes of conduct are a new valid adequacy mechanism for the transfer of personal data outside of the European Union in the absence of an adequacy decision and instead of other mechanisms such as binding corporate rules or contractual clauses. Codes of conduct must be developed by industry trade groups, associations or other bodies representing categories of controllers or processors. They must be approved by supervisory authorities or the European Data Protection Board, and have a methodology for auditing compliance.

A fair information practices principle, it is the principle stating there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Confidentiality in a general sense refers to the duty not to share information with persons who are not qualified to receive that information.

Any freely given specific and informed indication of wishes by means of an active step taken by the data subject which signifies their agreement to personal data relating to them being processed.

Adopted either directly by the European Commission or by a supervisory authority in accordance with the consistency mechanism and then adopted by the Commission, contractual clauses are mechanisms by which organisations can commit to protect personal data to facilitate ongoing and systematic cross-border personal data transfers.

means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Short text files stored on the user

The transmission of personal information from one jurisdiction to another. Many jurisdictions, most notably the European Union, place significant restrictions on such transfers. The EU requires that the receiving jurisdiction be judged to have

means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed