General Data Protection Regulation (GDPR) Concepts
The General Data Protection Regulation (GDPR) aims to ensure the data subjects' data privacy. Because it is a complex document, the following list of the most relevant terms included in the Regulation has been prepared:
| Consent | Free, specific, informed expression of will by which the data subject agrees, by a statement or unambiguous, affirmative act, to the processing of personal data concerning them. |
| Explicit consent | An unambiguous statement or affirmative act as a prerequisite for compliant consent, "explicit" refers to how the data subject expresses consent. Explicit consent is necessary for certain situations where a severe data protection risk arises, and therefore, a high level of individual control over personal data is deemed appropriate. For example, under the GDPR, explicit consent plays a role in the processing of special categories of data (Art. 9), in the provisions on data transfers to third countries or international organizations in the absence of adequate safeguards (Art. 49), automated individual decisions, including profiling (Art. 22). |
| Special data | Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data to uniquely identify a person, data concerning health, or data concerning a person's sex life or sexual orientation. |
| Personal data | Information relating to an identified or identifiable natural person ("data subject") - An identifiable person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, electronic identifiers or to one or more factors specific to that natural person's physical, physiological, genetic, mental, economic, cultural or social identity. |
| Health data | Personal data relating to the physical or mental health of a natural person, including the provision of health services, that reveal information about their health status |
| Profiling | Any form of automated processing of personal data which consists in using such personal data to evaluate certain unique aspects relating to a natural person, particularly analyzinge or predicting aspects relating to their work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. Recipient - A natural or legal person, public authority, agency, or other body that receives personal data communications, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry following Union or Member State law shall not be regarded as recipients; the processing of such data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing. |
| Recipient | A natural or legal person, public authority, agency, or other body that receives personal data communications, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry following Union or Member State law shall not be regarded as recipients; the processing of such data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing. |
| Right to erasure of data | The data subject's right, depending on the context, to obtain from the controller the erasure of their personal data without undue delay. |
| Right of access | The right of the data subject to obtain from the controller confirmation as to whether or not personal data concerning them are being processed and, if so, the right to access their data and information on the processing. |
| Right of rectification | Right of the data subject to obtain, without undue delay, from the controller the rectification of inaccurate personal data concerning him or her. |
| Data Protection Officer | A data privacy specialist who works independently to ensure that an entity is complying with the policies and procedures set out in the GDPR. |
| Limitation of processing | The placing of a mark on personal data held to limit its processing in the future. |
| Data portability | The right of the data subject to receive the personal data concerning them which they have provided to a controller in a structured, commonly used, and machine-readable format, and the right to transmit such data to another controller without hindrance from the controller to whom the personal data have been provided. |
| Privacy by design | The controller shall implement appropriate technical and organizational measures, such as pseudonymization, both at the time of the determination of the means for processing and at the time of the processing itself, to implement data protection principles, such as minimization, effectively and to incorporate the necessary safeguards into the processing to meet the requirements of this Regulation and protect the rights of data subjects. |
| Pseudonymization | Processing of personal data which makes it possible to identify a specific data subject without recourse to further information, provided that such additional information is kept separately and subject to technical and organizational measures to ensure that personal data cannot be attributed to an identified or identifiable natural person. |
| Controller | The natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of the processing of personal data, where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided by Union or Member State law. |
| Risk | Risk has by standard (ISO/Guide 73:2009) the definition "effect of uncertainty on the achievement of objectives." In the context of data protection, mainly in impact assessment, it is interpreted as an event or set of events that may jeopardize the rights, freedoms, and guarantees of personal data subjects. |
| Current Risk | The risk arising from the processing that data subjects undergo given the mitigating controls and their effectiveness at the time of the analysis. |
| Inherent Risk | The risk arising from data subjects' processing without regard to mitigating controls. |
| Residual Risk | The risk arising from data subjects' processing considering future control implementation and hypothetical effectiveness. |
| Sub-processor | A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller. |
| Third-Party | A natural or legal person, public authority, agency, or body other than the data controller, the controller, the processor, and the people who, under the controller's or the processor's direct authority, are authorized to process personal data. |
| Data subject | A natural person whose personal data are processed by a controller or processor. |
| Processing | An operation or set of operations which is performed upon personal data or on sets of personal data by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
Keep up to date with our blog posts
Tek4DPO
Maximize GDPR Compliance with Tek4DPO
Exercise of Rights
Limitations on the exercise of rights by the data holder
Data Protection Glossary
General Data Protection Regulation (GDPR) Concepts
Analysis of Email Marketing Platforms
Is it possible to reconcile marketing requirements and comply with the legislation?
TekPrivacy
We promote specialized solutions adjusted to the organization's reality, that by the nature of their activities, they process information and personal data.
Copyright © Tekprivacy 2022
Desenvolvido por 4por4