| Term | Reference | Definitions and related information |
| Adequacy decision | GDPR Article 45 | Where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Note: Adequacy decisions are relevant in the context of international transfers of PII. They constitute one of the exemptions from the prohibition on PII transfers outside of the EEA. List of adequate countries is available at: https://ec.europa.eu/info/strategy/justice-and-fundamental-rights/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en |
| Anonymous or Anonymised | GDPR Recital 26 | Information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. Clarification: Data in a form that does not identify individuals and where identification of an individual through combination of that data with other data is unlikely to take place. Note: Anonymised data would include data where all forms of identifiers linked to the data set have been fully and permanently removed (such identifiers include: e.g. a name, NI number, payroll number and customer reference Remember that a given data set may be so narrow that it is easy to identify the person: e.g. the current CEO |
| Automated Decision-Making | Article 22 Recital 71 | the ability to make decisions by technological means without human involvement. Note: Automated decision-making can take place with or without profiling and can be based on any type of data. |
| Binding Corporate Rules | means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity; | |
| Biometric Data | GDPR Article 4(14) Recital 51 | means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopy (finger print) data. Note: May include photographs when processed through a specific technical means allowing the unique identification or authentication of a natural person. Note that Biometric Data will be considered as SPECIAL CATEGORY DATA. |
| Child Data | The personal data belonging to young persons aged 13 years or less is considered to be Child Data. This persona data requires particular protection under the UK GDPR. In particular, persons of this age cannot provided lawful consent which must be provided, instead, by a parent or guardian Decisions about children based solely on automated processing must be avoided if this might have a legal or similarly significant effect on them. Also see Young Person Data and Student Data | |
| Communications | a complaint, enquiry, notice, request or other communication (but excluding any Data Subject Access Requests) relating to either party’s obligations under any Data Protection Laws in connection with this Schedule and/or the Processing of any of the Shared Personal Data, including any compensation claim from a Data Subject or any notice, investigation or other action from a Data Protection Supervisory Authority relating to any of the foregoing. | |
| Consent | GDPR Article 4(11) | Consent of the data subject means any freely given, specific informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Note: Consent is one of the 6 available legal ground for processing PII. |
| Contact Point | the person designated as the first contact points for third parties in relation to Data Subject Access Requests and Communications and any other matter relating to the Shared Personal Data. Each party’s respective Contact Point shall have overall internal responsibility within their respective party for appropriately addressing and responding to Data Subject Requests and Communications within the scope of that party’s obligations under this Schedule. | |
| Controller | GDPR Article 4(7) | The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; Note: Also see definitions of ‘Joint Controller’ and ‘Processor’ |
| Cross-Border Transfer | means either: 1) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or 2) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State. For example: Transfer should be interpreted in the wider sense (this would for instance include ‘remote access’ to company systems by a third party IT services provider located outside of the EEA) | |
| Cyber and Information security | encompasses information security and security for internet connected devices, including customer vehicles, Connected Car and Manufacturing network connected devices. | |
| Data breach | See ‘personal data breach’ | |
| Data concerning health | GDPR Article 4(15) Recital 35 | means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. Personal data concerning health includes all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test. |
| Data Controller | See ‘Controller’ | |
| Data Portability | GDPR Article 20 | The ability to provide the Data Subject with personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance. Note: the portability requirement under GDPR only applies under certain circumstances/for specific legal grounds for processing PII. |
| Data Processor | See ‘Processor’ | |
| Data Protection Laws | (a) the Data Protection Act 2018…the General Data Protection Regulation ((EU) 2016/679) (GDPR), as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or of a part of the United Kingdom from time to time)…the Privacy and Electronic Communications (EC Directive) Regulations 2003 and…all applicable laws and regulations relating to processing of Personal Data and privacy, including where applicable the guidance and codes of practice issued by the Data Protection Supervisory Authority including any amending or replacement legislation in force from time to time. | |
| Data Protection Officer (DPO) | GDPR See Articles 37, 38 & 39 | An individual responsible for making sure an organisation is compliant with data protection law. |
| Data Subject | GDPR Article 4(1) | A natural person who personal data relates to and can be identified/identifiable by that personal data. |
| Data Transfers | ICO: Data transfer is an intentional sending of personal data to another party or making the data accessible by it, where neither sender nor recipient is a data subject.… GDPR (Chapter 5)Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation. | |
| EEA | European Economic Area consisting of all the European Union countries plus Norway, Iceland and Lichtenstein. | |
| Enterprise | means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity; | |
| Filing System | means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis; | |
| GDPR | The General Data Protection Regulation | |
| Genetic Data | GDPR Article 4(13) Recital 34 | means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question; Genetic data should be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained. Note: that Biometric Data will be considered as SPECIAL CATEGORY DATA. |
| Group of Undertakings | means a controlling undertaking and its controlled undertakings; | |
| Independent Controller | Where/if used this term is intended to have the same meaning as “Controller” | |
| Information Assets | information assets might include: > Physical assets used to store information. Examples include, but are not limited to, computer hardware, mobile phones, removable media storage devices, and paper files. > Collections of electronic and paper records. Examples include, but are not limited to, databases, spreadsheets, and archived files. >The contents of electronic and paper records of confidential information. Examples include, but are not limited to, Personal Identifiable Information (PII), emails sent or received by company email accounts, commercial and financial data relating to personal performance, and engineering or design documentation. > All -controlled devices connected to the internet. Examples include, but are not limited to, network switches | |
| Information Commissioner’s Office or ICO | The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. | |
| Information Owner | is the individual responsible for ensuring correct management of information assets. | |
| Information Society Service | ||
| Information society service (i.e. online services) | GDPR – Article 4(25) Dir (EU) 2015/1535 – Article 1(1) | means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council; -a service normally provided for remuneration; -provided at a distance; -by electronic means; – for the processing and storage of data – at the individual request of a recipient of the service’ |
| International Organisations | GDPR Article 4(26) | An organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries |
| Joint controller | GDPR Article 26 | Where two or more controllers jointly determine the purposes and means of processing Note: that the UK Regulator – draws a distinction between what is a ‘joint controller’ (defined under GDPR) and a ‘controller in common’ (not defined under GDPR)). The joint controllers would be acting together to decide the purposes and manner of data processing, whereas the data controllers in common would simply share a pool of personal data that they process independently of each other. |
| Lawful Safeguard | such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time; | |
| Legitimate interest | Article 6(1)(f) | Legitimate interests is one of the six lawful bases for processing personal data. GDPR states: “1.Processing shall be lawful only if and to the extent that at least one of the following applies: (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” |
| Member state | Country that is a member of the European Union | |
| Natural Person | A person (in legal meaning. i.e., one who has its own legal personality) that is an individual human being, as opposed to a legal person, which may be a private (i.e., business entity or non-governmental organisation) or public (i.e., government) organisation. | |
| Permitted Lawful Basis | the permitted lawful basis described in the DPIA | |
| Permitted Purpose | the purpose of using the Personal Data as set out and for which a lawful basis has been defined | |
| Permitted Recipients | the relevant Receiving Party’s employees and …the relevant Receiving Party’s contractors and sub-contractors’ (together with their employees) | |
| Personal Data | means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; Also see PII | |
| Personal data breach | GDPR Article 4(12) | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed |
| PII (Personally Identifiable Information) | GDPR Article 4(1) Recital 30 | Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them. Clarification: Personally Identifiable Information (PII) PII is made up of any data set which alone or used in conjunction with other data can identify a living individual and provides information relating to that individual. For example: PII may include: a person’s name or other personal identifier ( an IP address, national insurance number, VIN or licensed plate number, etc) combined with, for example, contact details ( address, phone number, mobex, email address, etc), date of birth, personal characteristics, personal or professional life, statements of opinion or intention about the individual, images or recordings, driving behaviours associated to an identifier, geo-location data, bank account or debit/credit card details, salary or payroll information, cookie information, etc. Also see Personal Data |
| Privacy by design / by default | GDPR Article 25 Recital 78 | At the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. Note: Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. |
| Privacy Impact Assessment or PIA | GDPR Article 35 | Privacy Impact Assessment assesses the possible impact of the envisaged processing operations on the protection of personal data. Note: This is a formal process of checking a PII processing activity to ensure it is compliant with data protection laws but also to identify and address potential risks. Where needed, action should be taken to mitigate potential adverse risks to privacy. |
| Processing | means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automatedmeans, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; | |
| Processing or Process | GDPR Article 4(2) | Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; Note: that the definition of processing is very extensive and covers all aspects of the handling of PII. |
| Processor | GDPR Article 4(8) | A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller For example: Entities acting strictly on the organisation’s instructions and having no discretion as to manner and purposes in which PII is processed such as for instance: > majority of cloud service providers > consultancies > HR service providers (payroll services, etc) > Etc |
| Profiling | GDPR Article 4(4), 22 Recital 71, 72 | Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements; Includes any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her. Note: Profiling must likely comprise 3 elements: It has to be an automated form of processing It has to be carried out on personal data, and The objective of the profiling must be to evaluate personal aspects about a natural person Profiling has to involve some form of automated processing, but human involvement does not necessarily take an activity out of the definition. [The WP29 states: “simply assessing or classifying individuals based on characteristics such as their age, sex and height could be considered profiling, regardless of any predictive process.”] |
| Protective Measures | Article 32 | appropriate technical and organisational measures which may include: pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of such measures adopted by it |
| Pseudonymisation | GDPR Article 4(5) | means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Clarification: |
| Pseudonymised Data | Data which distinguishes individuals by using a unique identifier that does not reveal their ‘real world’ identity. | |
| Recipient | means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. 2However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing; | |
| Records Retention Schedule | The Schedules by which data is retained and erased for both UK and Non-UK locations | |
| Relevant and Reasoned objection | means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union; | |
| Representative | means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation; | |
| Restriction of processing | GDPR Article 4(3) Recital 67 | The marking of stored personal data with the aim of limiting their processing in the future. This could include temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. Clarification: |
| Retention Period | Determines the length of time that official records must be retained for administrative, financial, evidential, legislative, regulatory or informational reasons. The retention period is calculated from the time that a record is complete, issued or put into effect, or from the time that a specific event occurred termed the “Trigger Event”. | |
| Special Categories of Data | GDPR Article 9 Recital 51 | Personal data which are, by their nature, particularly sensitive. Including such data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. NOTE photographs should not be considered to be a special category of personal data unless processed through a specific technical means allowing the unique identification or authentication of a natural person at which time – covered by the definition of biometric data. (Defined above) Also see SPECIAL CATEGORY DATA Below |
| SPECIAL CATEGORY DATA (Sensitive Personally Identifiable Information) | GDPR Article 9 Recital 51 | SPECIAL CATEGORY DATA is a subcategory of PII which is particularly privacy sensitive, as it could cause substantial harm or distress if lost or misused. SPECIAL CATEGORY DATA includes an individual’s: racial or ethnic origin, political opinion, religious or other personal or philosophical beliefs of a similar nature, trade union membership, physical or mental health condition, sexual orientation or preferences, any proceedings for any criminal offence committed or alleged to have been committed, the disposal of criminal proceedings or the sentence of any court in criminal proceedings, genetic (e.g. an individual’s gene sequence) OR biometric data where processed to uniquely identify a person (e.g. fingerprints, facial recognition, retinal scans, etc). In addition to the above, the organisation will apply adequate security measures when handling data such as: user credentials (e.g. username, password) or other access codes, employment history, evaluations and disciplinary actions, salary or payroll information, tax information, health insurance information, family life information (spouse, children, parents, siblings), bank account or debit/credit card details, credit history and other banking information, individual identification references (e.g. National Insurance, social security, birth certificate, passport, driving license, and other government issued identification numbers), photographs, geo-location data. Also see definition of ‘data concerning health’. |
| Student Data | Student Data refers, in CEC systems, to data for two distinct categories of young person personal data 1) Child Data 2) Young Person Data Please see definitions for Child Data and Young Person Data | |
| Sub-processor | a Processor engaged by a processor or by any other Sub-Processor for carrying out processing activities in respect of the Personal Data on behalf of that party | |
| Supervisory authority | GDPR Article 4(21) | means an independent public authority which is established by a Member State pursuant to Article 51. Note: The Supervisory authority is the ICO for the UK. |
| System / Application Owner | is the individual responsible for the overall procurement, development, integration, modification, operation, maintenance, and retirement of an information system /application. | |
| The board | GDPR Recital 140 | The European Data Protection Board (the ‘Board’ or EDPB) is an independent body of the Union with a legal personality. |
| Third Country | A third country is a country other than the EU member states and the three additional EEA countries (Norway, Iceland, and Liechtenstein) that have adopted a national law implementing the General Data Protection Regulation (GDPR).…Under the GDPR, personal data can only be transferred to third countries in compliance with the conditions for cross-border data transfers set out in Chapter V (Articles 44 to 50, GDPR). Appropriate safeguards are required to enable transfers of personal data from the UK, EU and EEA member states | |
| Third party | GDPR Article 4(10) | means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data; |
| UK GDPR | has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018. | |
| Young Person’s Data | Young people older than 13 years can provide lawful consent so parental/guardian consent is not required. However, young person’s rights and the expected processing of their personal data must be explained in more accessible terms Also see Child Data and Student Data |
Privacy Terms Glossary
by
Tags:
Leave a Reply