Vocabulary flashcards summarising key terms, principles, rights, roles and mechanisms introduced in the lecture on GDPR and data protection. They cover definitions, lawful bases, territorial scope, subject rights, organisational roles, international transfers, data breaches, and enforcement structures.
General Data Protection Regulation (GDPR)
EU-wide regulation (in force since 25 May 2018) that protects natural persons with regard to processing of personal data and ensures free movement of such data within the EU.
Personal Data
Any information relating to an identified or identifiable natural person (data subject), even if identifiability results from combining multiple data items (Art 4.1 GDPR).
Data Subject
The natural person whose personal data are processed (Art 4.1 GDPR).
Processing
Any operation performed on personal data (collection, storage, use, erasure, etc.), whether automated or not (Art 4.2 GDPR).
Controller
The natural or legal person which determines the purposes and means of processing personal data (Art 4.7 GDPR).
Processor
The natural or legal person that processes personal data on behalf of the controller and only under its instructions (Art 4.8 GDPR).
Joint Controller
Two or more controllers that jointly determine purposes and means of processing and must define their respective duties in an agreement (Art 26 GDPR).
Sub-Processor
A processor engaged by another processor to carry out specific processing activities on behalf of the controller (Art 28.2 & 28.4 GDPR).
Special Categories of Data
Sensitive data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data, health, sex life or sexual orientation; processing of such data is prohibited unless an exception applies (Art 9.1 GDPR).
Pseudonymisation
Processing of personal data so that they can no longer be attributed to a specific data subject without additional information (Art 4.5 GDPR); re-identification remains possible.
Anonymisation
Irreversible de-identification of data so that an individual can no longer be identified; truly anonymous data fall outside GDPR scope (Recital 26).
Privacy by Design
Obligation to embed data-protection safeguards into processing systems and business practices from the outset (Art 25 GDPR).
Privacy by Default
Requirement that, by default, only personal data necessary for each specific purpose are processed (Art 25 GDPR).
Accountability Principle
Controller’s duty to both comply with GDPR principles and be able to demonstrate that compliance (Art 5.2 GDPR).
Lawfulness, Fairness & Transparency
First GDPR principle: processing must have a lawful basis, be fair to individuals and be carried out openly (Art 5.1.a GDPR).
Purpose Limitation
Personal data must be collected for specified, explicit and legitimate purposes and not further processed in an incompatible way (Art 5.1.b GDPR).
Data Minimisation
Only data that are adequate, relevant and limited to what is necessary may be processed for a given purpose (Art 5.1.c GDPR).
Accuracy Principle
Personal data must be accurate and, where necessary, kept up to date (Art 5.1.d GDPR).
Storage Limitation
Data must be kept no longer than necessary for the purposes for which they are processed (Art 5.1.e GDPR).
Integrity & Confidentiality
Data must be processed with appropriate security, protecting against unauthorised or unlawful processing and against accidental loss, destruction or damage (Art 5.1.f GDPR).
Territorial Scope – Establishment Criterion
GDPR applies to processing in the context of activities of an establishment of a controller/processor in the EU, regardless of where processing takes place (Art 3.1).
Territorial Scope – Targeting Criterion
GDPR applies to non-EU controllers/processors that offer goods/services to or monitor behaviour of data subjects in the EU (Art 3.2).
Household Exemption
GDPR does not apply to purely personal or household activities that are not made accessible to an indefinite number of people (Recitals 16-18; Lindqvist & Buivids cases).
Legal Obligation (Lawful Basis)
Processing necessary to comply with EU or Member-State law binding on the controller (Art 6.1.c GDPR).
Contractual Necessity (Lawful Basis)
Processing necessary for performance of a contract with the data subject or to take pre-contractual steps at their request (Art 6.1.b GDPR).
Consent (Lawful Basis)
Freely given, specific, informed and unambiguous indication of the data subject’s wishes signifying agreement to processing (Art 4.11 & 7 GDPR).
Legitimate Interest (Lawful Basis)
Processing necessary for the legitimate interests of the controller or a third party, except where those interests are overridden by the interests, rights or freedoms of the data subject (Art 6.1.f GDPR).
Vital Interest (Lawful Basis)
Processing necessary to protect someone’s life or physical integrity (Art 6.1.d GDPR).
Public Interest/Official Authority (Lawful Basis)
Processing necessary for a task carried out in the public interest or under official authority (Art 6.1.e GDPR).
Right to be Informed
Data subjects must receive clear information about the collection and use of their personal data (Arts 13 & 14 GDPR).
Right of Access
Data subject’s right to obtain confirmation of processing, access to data and related information, and a free copy (Art 15 GDPR).
Right to Rectification
Right to have inaccurate personal data corrected or incomplete data completed without undue delay (Art 16 GDPR).
Right to Erasure (Right to be Forgotten)
Right to have personal data deleted when certain grounds apply, e.g., withdrawal of consent or unlawful processing (Art 17 GDPR).
Right to Restrict Processing
Right to limit processing of personal data under specific circumstances without deleting the data (Art 18 GDPR).
Data Portability
Right to receive one’s own personal data in a structured, commonly used, machine-readable format and to transmit them to another controller (Art 20 GDPR).
Right to Object
Right to object to processing based on legitimate/public interest or for direct marketing, including profiling (Art 21 GDPR).
Automated Decision-Making & Profiling
Data subjects have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects (Art 22 GDPR).
Data Protection Impact Assessment (DPIA)
Pre-processing assessment to identify and mitigate high risks to rights and freedoms arising from planned processing operations (Art 35 GDPR).
Data Protection Officer (DPO)
Expert appointed to monitor GDPR compliance, advise, train and act as contact point for data subjects and DPAs (Arts 37-39 GDPR).
Supervisory Authority (SA)
Independent public authority in each Member State responsible for monitoring GDPR application (Art 51 GDPR).
European Data Protection Board (EDPB)
EU body that ensures consistent application of GDPR, issues guidelines and binding decisions, and resolves disputes between national SAs.
European Data Protection Supervisor (EDPS)
Independent authority supervising personal data processing by EU institutions and advising on EU-level policies.
Article 29 Working Party (Art 29 WP)
Pre-GDPR advisory body on EU data protection; replaced by the EDPB when GDPR entered into force.
Court of Justice of the EU (CJEU)
EU court that interprets EU law and ensures uniform application; its case-law shapes GDPR interpretation.
Data Processing Agreement (DPAgr)
Contract between controller and processor specifying subject-matter, duration, purposes, security and obligations (Art 28.3 GDPR).
Binding Corporate Rules (BCR)
Legally binding internal policies for international data transfers within a corporate group, approved by DPAs (Art 47 GDPR).
Adequacy Decision
European Commission finding that a third country ensures an adequate level of data protection, permitting free data flows (Art 45 GDPR).
Appropriate Safeguards
Mechanisms (e.g., SCCs, BCR) that allow data transfers to non-adequate countries while ensuring enforceable rights and legal remedies (Art 46 GDPR).
Derogations for Specific Situations
Limited grounds (e.g., explicit consent, contract performance, public interest) that permit international transfers in absence of adequacy or safeguards (Art 49 GDPR).
Data Breach
Security incident leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data (Art 4.12 GDPR).
Confidentiality Breach
Data breach involving unauthorised or accidental disclosure of or access to personal data.
Integrity Breach
Data breach involving unauthorised or accidental alteration of personal data.
Availability Breach
Data breach involving accidental or unauthorised loss or destruction of personal data.
72-Hour Notification Rule
Controllers must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (Art 33 GDPR).
High Administrative Fines
GDPR allows fines up to €20 million or 4 % of global annual turnover for severe infringements (Art 83 GDPR).
OECD Privacy Guidelines (1980)
First international principles on protection of privacy and transborder flows of personal data.
Convention 108
Council of Europe convention (1981) on automatic processing of personal data, precursor to EU data protection law.
Directive 95/46/EC
1995 EU Data Protection Directive replaced by the GDPR; key principles carried forward.
Charter of Fundamental Rights (Art 8)
EU charter article that recognises the right to protection of personal data as a fundamental right.
European Convention on Human Rights (ECHR) – Art 8
Guarantees right to respect for private and family life; interpreted as including personal data protection.
Principle of Proportionality
Any interference with data protection rights must be necessary and proportionate to a legitimate objective recognised by EU law.
Cookie Wall
Practice of conditioning access to a website on acceptance of all cookies; usually invalidates consent as not freely given.
Paywall (Consent Alternative)
Offering access in exchange for payment instead of consenting to cookies; assessment required to ensure consent remains free.
Household Exception – Lindqvist Case
CJEU ruling that publishing colleagues’ data on the Internet exceeded purely personal or household activity.
Household Exception – Buivids Case
CJEU ruling that filming police officers and uploading the video to YouTube was not a personal/household activity.
Establishment Criterion – Weltimmo Case
CJEU judgment establishing a broad interpretation of ‘establishment’ for online services; even minimal presence can suffice.
Like Button – Fashion ID Case
CJEU held that a website operator embedding the Facebook “Like” button becomes a joint controller for the data collected by Facebook through that button.
Fan Page – Wirtschaftsakademie Case
CJEU held that the administrator of a Facebook fan page is a controller for the data processing carried out by Facebook to produce page statistics.
Jehovah’s Witnesses Case
CJEU found the religious community to be a joint controller, together with its members, for data collected during door-to-door preaching.
Data Protection by Default Example – Food Delivery Platforms
Italian DPA fined Foodinho & Deliveroo for failing to configure rider apps to collect only necessary data, breaching Art 25.
Legitimate Interest Assessment (LIA)
Three-step test (identify interest, necessity, balance with rights) required when relying on legitimate interest lawful basis.
Data Protection Impact Assessment Lists
National DPA catalogues of processing operations that do (or do not) require a DPIA based on high-risk criteria.
Standard of ‘High Risk’
Likelihood and severity of harm to individuals’ rights that triggers the obligation to conduct a DPIA or consult the SA.
Supervisory Authority Corrective Powers
Include warnings, reprimands, orders to comply, bans on processing, data deletion, suspension of transfers and fines (Art 58 GDPR).
European Data Protection Supervisor (EDPS) – Role
Monitors GDPR-like rules within EU institutions and bodies and cooperates with national SAs & EDPB.
EDPB Guidelines 3/2018
Guidance on territorial scope of GDPR, clarifying ‘establishment’ and ‘targeting’ criteria.
Recitals
Introductory paragraphs of GDPR providing context and interpretation guidance for the Articles.
Data Protection Principles (Art 5)
Seven core rules: lawfulness, fairness & transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity & confidentiality; accountability.
Right to Lodge a Complaint
Data subject’s right to complain to a supervisory authority about GDPR infringements (Art 77 GDPR).
Right to Compensation
Any person suffering material or non-material damage from GDPR infringement is entitled to compensation from controller or processor (Art 82 GDPR).
European Court of Human Rights (ECtHR)
Council of Europe court interpreting ECHR, including data-protection aspects under Art 8.
Principle of Free Movement of Data
GDPR guarantees that protection of personal data does not restrict or prohibit data flows within the EU.
Data Security Measures (Art 32)
Technical and organisational measures (e.g., encryption, confidentiality, resilience) to ensure appropriate security level.