Data Protected - Glossary

A glossary terms used in Data Protected is set out below. 

binding corporate rules

means a set of binding rules adopted by an organisation and approved by national data protection regulators to ensure the protection of personal data in multiple jurisdictions.

conditions for processing personal data

means that the processing is: (a) carried out with the data subject’s consent; (b) necessary for the performance of a contract with the data subject; (c) necessary for compliance with a legal obligation; (d) necessary in order to protect the vital interests of the data subject; (e) necessary for the public interest or in the exercise of official authority; or (f) necessary for the controller’s or recipient’s legitimate interests, except where overridden by the interests of the data subject (Article 6, GDPR).

condition for processing sensitive personal data

means the processing: (a) is carried out with the data subject’s explicit consent; (b) is necessary for a legal obligation in the field of employment law; (c) is necessary to protect the vital interests of the data subject or another person where the data subject is unable to give consent; (d) is carried out by a non-profit-seeking body and relates to members of that body or persons who have regular contact; (e) relates to data made public by the data subject; (f) is necessary for legal claims; (g) is for reasons of substantial public interest under EU or Member State law; (h) is necessary for healthcare reasons; (i) is necessary for public health reasons; or (j) is necessary for archiving, scientific or historical research purposes or statistical purposes and is based on EU or Member State law (Article 9 GDPR).

controller

means the person which alone or jointly with others determines the purposes and means of the processing of personal data (Article 4, GDPR).

Data Protection Directive

means Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

data subject

means an individual about whom personal data is being processed.

eCommerce Information

means: (a) clear identification of commercial communications, and unsolicited commercial communications, as such; (b) clear identification of the natural or legal person on behalf of whom a commercial communication is made; (c) promotional offers, competitions and games are clearly identified (including conditions for participation) and the relevant email does not encourage recipients to visit websites that contravene these requirements.

enhanced processor clauses

means the contract with the processor contain a description of scope, nature, duration and purpose of processing, and details of types of personal data and categories of data subjects. The contract must also oblige the processor to: (a) only process personal data on the documented instructions of the controller, including as regards international transfers. There is an exception for obligations under Union or Member State law, but the processor must inform the controller (unless prohibited from doing so); (b) ensure its personnel are subject to a duty of confidence; (c) keep the personal data secure; (d) only use a sub-processor with the consent of the controller. That consent may be specific to a particular sub-processor or general. Where the consent is general, the processor must inform the controller of changes and give them a chance to object; (e) ensure it flows down these obligations to any sub-processor. The processor remains responsible for any processing by the sub-processor; (f) assist the controller to comply with requests from individuals exercising their rights to access, rectify, erase or object to the processing of their personal data; (g) assist the controller with their security and data breach obligations, including notifying the controller of any personal data breach; (h) assist the controller should the controller need to carry out a privacy impact assessment; (i) return or delete personal data at the end of the agreement, save to the extent the processor must keep a copy of the personal data under Union or Member State law; (j) demonstrate its compliance with these obligations and submit to audits by the controller (or by a third party mandated by the controller); and (k) inform the controller if, in its opinion, the controller’s instructions would breach Union or Member State law (Article 28, GDPR).

enhanced transparency information

means the provision of: (a) your identity, contact details and details of your representative (if any); (b) the contact details of your data protection officer (if any); (c) the purpose and legal basis of processing (where legitimate interests is relied upon, details of those interests); (d) the right to withdraw consent if this is the basis for any processing; (e) the categories of personal data processed and the source of the personal data, including use of public sources; (f) the recipients or categories of recipients of personal data; (g) details of any intended transfer outside the Union (including details of any safeguards relied upon and the means to obtain copies of transfer agreements); (h) the period for which data will be stored or the criteria used to determine this period; (i) a list of the individual’s rights, including the right to object to direct marketing, make a subject access request, and to be “forgotten”; (j) details of any automated decision making, including details of the logic used and potential consequences for the individual; (k) whether provision of personal data is a statutory or contractual requirement, whether disclosure is mandatory and the consequence of not disclosing personal data; and (k) the right to complain to a supervisory authority. The information in (e) need not be provided where personal data collected from the data subject. The information in (k) need not be provided where the personal data is collected from a third party (Article 13 &14, GDPR).

GDPR

means Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

general data quality principles

means personal data must be: (a) processed fairly and lawfully; (b) collected for specific, explicit and legitimate purposes and not processed in a manner incompatible with those purposes; (c) adequate, relevant and not excessive; (d) accurate and, where necessary, up to date; (e) kept in an identifiable form for no longer than necessary; and (f) kept secure (Article 5, GDPR).

Law Enforcement Directive

means Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.

Model Contracts

means the contractual clauses set out in Commission Decision C(2010) 593, Commission Decision C(2004) 5271 and Commission Decision C(2001) 1539.

Privacy and Electronic Communications Directive

means Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector as amended by the Citizens' Rights Directive 2009/136/EC.

processor

means a person which processes personal data on behalf of a controller (Article 4, GDPR).

similar products and services exemption

applies where a person collects a customer’s e-mail details in connection with a sale of a product or service and uses these contact details for direct marketing of its own similar products or services provided that customers are given the opportunity to object to such use of electronic contact details when they are collected and on the occasion a message is sent.

standard types of sensitive personal data

means personal data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.

transborder dataflows

means: (a) in the case of an EEA State, the transfer of personal data from a destination within the EEA to a destination outside of the EEA; and (b) in the case of other States, a transfer of personal data from within that State to any another State.

whitelisted country

means countries that the Commission has found to provide an adequate level of protection for personal data. This currently comprises the “grandfathered” findings by the Commission under the Data Protection Directive, namely Andorra, Argentina, Canada (partially), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and organisations in the US which have committed themselves to the “EU-U.S. Privacy Shield".