In the field of data protection, technical terms are often used. This data protection glossary provides an overview of various terms used in data protection practice and attempts to explain them in simple and understandable language.
- Address dealer
- Agencia Española de Protección de Datos (AEPD)
- Adequacy decision
- Article-29-Working Party
- Article 93 Committee Procedure
- Artificial Intellligence
- Authorization concept
- Automated decision making
- Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
- Bayerischer Landesdatenschutzbeauftragter (BayLfD)
- Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI)
- Berlin group
- Berufsverband der Datenschutzbeauftragten Deutschlands (BvD e.V.)
- Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI)
- Binding Corporate Rules
- Biometric Data
- Blockage (Sperrung)
- Bundesdatenschutzgesetz (BDSG)
- Bundesarbeitsgericht (BAG)
- California Consumer Privacy Act (CCPA)
- Census decision (Volkszählungsurteil)
- Certification bodies
- Chilling Effects
- Cloud Computing
- Codes of conduct
- Commission Nationale de l’Informatique et des Libertés (CNIL)
- Conflict of interest
- Connected driving
- Convention 108 (Council of Europe)
- Cross-border processing
- Data from publicly accessible sources
- Data minimisation
- Data Mining
- Data Protection Authority
- Data protection by design
- Data protection by default
- Data Protection Commission (DPC)
- Data protection coordinator
- Data protection day
- Data Protection Directive (DPD)
- Data protection impact assessment (DPIA)
- Data protection management system
- Data protection notice
- Data Protection Officer
- Data protection violation
- Data quality
- Data relating to criminal convictions and offences
- Data retention (Vorratsdatenspeicherung)
- Data subject
- Data subject´s rights
- Data transfer
- Deep Learning
- Deletion report
- Direct marketing
- Directive 2016/680/EC
- Double opt in
- Dual control principle
- Düsseldorfer Kreis
- Employee data protection
- E-privacy Directive 2009/136/EC
- ePrivacy Regulation
- European Commission
- European Conference
- European Data Protection Board (EDPB)
- European Data Protection Officer (EDPO)
- EU-US Privacy Shield
- Filing system
- Finger print
- General Data Protection Regulation (GDPR)
- Genetic data
- Gesellschaft für Datenschutz und Datensicherheit (GDD e.V.)
- Gläserner Bürger
- Group of undertakings
- Identity fraud/theft
- Information Commissioners Office (ICO)
- Information society service
- Information duties
- Information security
- International Association of Privacy Professionals (IAPP)
- International Conference
- International organization
- Internet of Things (IoT)
- Iris scanner
- IT security
- Joint controllers
- Joint supervisory authorities
- Lawfulness of processing
- LDA Bbg
- LDI Bremen
- LDI NRW
- LfD MV
- LfD Niedersachsen
- LfDI Baden-Württemberg
- LfDI Rheinland-Pfalz
- Legal Tech
- Log file
- London initiative
- Passenger Name Record (PNR)
- Personal data
- Personal data breach
- Principles of processing
- Prior consultation
- Privacy (Privatsphäre)
- Privacy by Default
- Privacy by Design
- Privacy Dashboard
- Prohibition subject to permission (Verbot mit Erlaubnisvorbehalt)
- Prüm Treaty
- Purposes of the processing
- Record of processing activities
- Relevant and reasoned objection
- Rights and freedoms of the data subject
- Right to access
- Right to data portability
- Right to guarantee the confidentiality and integrity of information technology systems (IT-Grundrecht)
- Right to lodge a complaint with a supervisory authority
- Right to information
- Right to informational self-determination(Recht auf informationelle Selbstbestimmung)
- Right to erasure (`right to be forgotten`)
- Right to object
- Right to rectification
- Right to restriction of processing
- Right to withdrawal
- Roles and rights concept
- Der Sächsische Datenschutzbeauftragte
- Schengen Information System (SIS)
- Security breach
- Small and medium-sized enterprises (SME)
- Special categories of personal data ("sensitive data")
- Standard contractual clauses
- Swiss-US Privacy Shield
- Privacy enhancing technologies (Technologien zum Schutz der Privatsphäre)
- Telecommunications data
- Telecommunications secrecy
- Third party
- Third country
- Der Thüringer Landesbeauftragte für den Datenschutz (TLFD)
- Traffic data
- Transmission of functions
- Two-factor authentication
- Unabhängiges Datenschutzzentrum Saarland
- Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
Accountability is the duty of the controller to comply with the principles governing the processing of personal data in accordance with Art. 5 para. 1 GDPR. This can be achieved by adequate documentation of the processing operations and processes.
The Anti-Counterfeiting Trade Agreement (ACTA) is a multilateral trade agreement for the introduction of international standards for the enforcement of intellectual property rights in the participating countries. Its proponents describe it as a response "to the increase in global trade in counterfeit goods and pirated copies of copyrighted works". The scope of the ACTA agreement is broad and includes counterfeit goods, generic drugs and "piracy over the Internet". In a 2010 opinion, the EDPS warned of the potential incompatibility of the agreement with EU data protection law.
Address dealers are merchants or companies that buy and sell the postal addresses of potential customers, which are pre-filtered according to the wishes of advertising companies. Address trading is a part of direct marketing.
An "adequacy decision" is a decision adopted by the European Commission in accordance with Art. 45 GDPR which determines that a third country (i.e. a country not bound by the GDPR) or an international organisation provides an adequate level of protection for personal data. This decision takes into account the national legislation of the country, its supervisory authorities and the international commitments it has entered into.
The significance of such a decision is that personal data may be transferred from EU Member States and EEA Member States to that third country without further requirements. A list of the European Commission's adequacy decisions will be published on its website.
Adequacy decisions are taken on the basis of the so-called "committee procedure", which comprises the following steps:
- a proposal from the Commission;
- an opinion of the Article 29 Data Protection Working Party;
- an opinion of the Article 31 Committee, delivered by a qualified majority of Member States, and
- the adoption of the decision by the College of Commissioners
The European Parliament and the Council may at any time request the Commission to maintain, amend or withdraw the adequacy finding for lack of powers under the Regulation.
The Agencia Española de Protección de Datos (AEPD) is the Spanish supervisory authority. It was founded in 1994 and is based in Madrid. In addition, the autonomous communities of Madrid, Catalonia and the Basque Country have data protection authorities that are independent of the AEPD. The AEPD is a public corporation and acts independently and without instructions.
Anonymization is a process in which all personal elements of a data record are irrevocably removed. Anonymised data no longer fall within the material scope of data protection laws. It is very difficult to achieve complete anonymisation. Anonymisation should not be confused with pseudonymisation.
The Article 29 Working Party is the predecessor of the European Data Protection Committee (EDPS). Its name derives from the fact that it was established in accordance with Art. 29 of the Data Protection Directive (DS-RL). It was an independent advisory body for the European Commission on data protection issues and supported the development of a harmonised implementation of data protection rules in the EU Member States.
The Art. 29 Data Protection Working Party is particularly known for its Working Papers (WP), which it published on various data protection issues. The Working Papers of the Art. 29 Data Protection Working Party can be downloaded here.
According to Article 93 GDPR , the European Commission is assisted by a committee when adopting implementing measures.
This committee is a committee within the meaning of Regulation (EU) No 182/2011 and is composed of representatives of the Member States and chaired by the Commission. The committee cooperates, for example, in the procedure for adopting adequacy decisions
Research into "intelligent" problem-solving behaviour and the creation of "intelligent" computer systems. Artificial intelligence (AI) deals with methods that enable a computer to solve such tasks that, if solved by humans, require intelligence.
An audit - with regard to data protection - is a review of the status of implementation of data protection regulations in companies. It is determined whether companies meet the requirements of data protection law, in particular the GDPR, with regard to their documentation and verification obligations, but also with regard to the design of processes. The audit is therefore a compliance tool. It concludes with an audit report, from which further measures can be derived and classified according to their urgency.
The authorization concept (also called the roles and rights concept) is a documentation of the roles and rights of persons in relation to a system or application. In software solutions, the roles and rights of persons with access rights can be very different, ranging from extensive read rights to extensive administrator rights. An appropriate configuration of authorizations is essential for compliance with data protection regulations.
The automated individual decision is regulated in Art. 22 GDPR. It is a decision which significantly affects a person and which is taken solely on the basis of automated processing of personal data for the purpose of evaluating that person. Such an assessment may relate to various aspects of the person, such as his or her professional ability, creditworthiness, reliability or conduct.
The data subject's right according to Art. 22 GDPR allows data subjects to appeal against decisions which concern them and which are taken exclusively on the basis of an automated procedure, unless certain conditions are met or adequate safeguards are in place.
The term automation is mainly used in industry. Automation means that machines take over both the process design and the actual production independently. Automation is also a sub-area of artificial intelligence (AI) and raises some data protection issues.
The Bavarian State Office for Data Protection Supervision (BayLDA) is an independent state authority based in Ansbach. The authority was founded on 01.01.2002 and is not bound by instructions. It is the supervisory authority for the non-public sector and controls:
- private commercial enterprises
- self-employed and freelance workers
- private hospitals and homes
The Bavarian State Commissioner for Data Protection (BayLfD) is the supervisory authority for data protection issues in the public sector. It supports data subjects in safeguarding their data protection rights vis-à-vis the Bavarian public administration. The BayLfD has its headquarters in Munich.
The Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) is the supervisory authority of the State of Berlin. It has its headquarters in Berlin.
The International Working Party on Data Protection in Telecommunications (IWGDPT) was established in 1983 at the initiative of several national data protection authorities worldwide. Since the beginning of the working group, the secretariat has been provided by the Berlin Commissioner for Data Protection. Membership in the working group is not restricted to national data protection authorities, but also includes representatives of non-governmental organizations and from the private sector.
In recent years, the Berlin group has focused on aspects of data protection and privacy in information technology in the broadest sense, with particular emphasis on developments related to the Internet.
The Berufsverband der Datenschutzbeauftragten Deutschlands (BvD e.V.) is an association that represents the interests of data protection officers in Germany. The association was founded in 1989 and is based in Berlin.
The Federal Commissioner for Data Protection and Freedom of Information (BfDI) is an independent and autonomous federal authority for data protection and freedom of information in Bonn.
Binding Corporate Rules are regulated in Art. 47 GDPR. These are data protection guidelines which must be observed by companies based in the EU when transferring personal data outside the EU within a group of companies or a company. Such rules must include all general data protection principles and enforceable rights in order to provide adequate safeguards for data transfers. They must be legally binding and enforced by each member of the group concerned.
Companies must submit BCRs to the lead supervisory authority in the EU for approval. The authority will approve the BCRs in accordance with the coherence procedure set out in Art. 63 GDPR. Several supervisory authorities may be involved in this procedure, as the group seeking approval of its BCRs may have companies in more than one Member State. The competent authority sends its draft decision to the European Data Protection Board (EDPB), which issues an opinion on the BCRs. When the BCRs are finalised in accordance with the EDPB's opinion, the competent authority approves the BCRs. Authorisations granted by supervisory authorities on the basis of Directive 95/46/EC shall remain valid until they are amended, replaced or cancelled by those supervisory authorities, as appropriate.
Biometric data are defined in Art. 4 No. 14 GDPR as "personal data personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data".
Bitcoin is the world's leading crypto currency based on a decentrally organized booking system, namely the blockchain. Proof of ownership of Bitcoin is stored in personal digital letter bottles. The Blockchain records all transactions ever made with Bitcoins as a means of payment. The transactions are public and can be viewed by anyone. This is a key requirement of Bitcoin, as it allows the authenticity of the transactions to be verified.
Blocking or restricting the processing of personal data means methods consisting, inter alia, in temporarily transferring selected personal data to another processing system, blocking them from users or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be carried out by technical means in such a way that the personal data are not further processed in any way and cannot be altered.
The Blockchain is a digital account book in the form of a database. It enables any kind of information to be stored, processed, shared and managed in a publicly accessible way. The information is concatenated in a continuous list of records by means of cryptography. The beginning of any block chain is the creation block. The main purpose of block chain technology is to shift the control of monetary values or information.
The German Federal Data Protection Act (BDSG) regulates the processing of personal data in Germany in addition to the data protection laws of the federal states and the sector-specific regulations in other laws. The Federal Data Protection Act applies to both public and non-public bodies in Germany. In large parts it supplements the European data protection basic regulation and, with it, represents the data protection legal framework.
The Federal Labour Court, as the supreme court of the Federation, decides on disputes in the field of labour law. Its task is to maintain legal unity, establish legal certainty and further develop the law. Honorary judges from employer and employee circles are involved in this process. As an authority, the Federal Labour Court is subordinate to the Federal Ministry of Labour and Social Affairs and is subject to its supervision.
The California Consumer Privacy Act is a national data protection law in California that was passed on June 28, 2018 and has been in force since January 1, 2020. The purpose of the CCPA is to regulate the constitutionally protected right to privacy, which includes the control and use, in particular the sale of personal information.
The CCPA gives Californians additional rights to control how their information is handled. These rights include disclosure of the information in question, deletion, or a complete refusal to sell the information.
Closed-circuit television describes the use of optical electronic equipment, such as video cameras, for monitoring highly frequented security-relevant areas. For this purpose, additional equipment is used for the reproduction and storage of the image material.
With the so-called census decision, the Federal Constitutional Court initially suspended the planned census and then came to the following conclusion in its final decision
The provisions of the census law that dealt with the content and conduct of the census did not violate provisions of the Basic Law.
Parts of the provision that regulated the use of the information (data) obtained were not in accordance with the Constitution. The conditions under which the data could be passed on to certain other bodies were not compatible with the Basic Law.
In the decision, the Federal Constitutional Court mentioned the "fundamental right to informational autonomy" for the first time. First, it establishes general prerequisites for the handling of personal data that are compatible with this fundamental right. Then it deals with special features in the field of statistical surveys, which is what this case was about, and uses these to measure the provision in question.
The Member States, supervisory authorities, the Committee and the Commission shall encourage, in particular at Union level, the introduction of certification procedures specific to data protection and of privacy seals and certification marks to demonstrate that processing operations carried out by controllers or processors comply with this Regulation.
Certification pursuant to Art. 42 GDPR is granted by the certification bodies pursuant to Art. 43 GDPR or by the competent supervisory authority on the basis of the criteria approved by this competent supervisory authority pursuant to Art. 58 para. 3 GDPR or - pursuant to Art. 63 GDPR - by the Committee. If the criteria are approved by the committee, this may lead to a joint certification, the European Privacy Seal.
Without prejudice to the duties and powers of the competent supervisory authority pursuant to Art. 57 and 58 GDPR, certification bodies which have the appropriate expertise with regard to data protection shall grant or renew certification after informing the supervisory authority - so that the latter can, if necessary, make use of its powers pursuant to Art. 58 para. 2 lit. h GDPR.
Chilling effects is a legal concept of the European Court of Human Rights when it comes to encroachment on fundamental rights. It is about the danger that in the future people will fear interference and therefore change their behaviour. In the field of data protection, the term is also used in connection with the basic data protection regulation and its excessive regulation.
Cloud computing is the provision of IT infrastructure, storage space, computers, software, databases or similar via the Internet, i.e. the cloud. It describes a new consumption and delivery model for Internet-based IT services and enables the provision of dynamically scalable and often virtualized resources as a service over the Internet.
The Member States, the supervisory authorities, the Committee and the Commission shall encourage the drawing up of codes of conduct designed to contribute to the proper application of this Regulation in accordance with the specific characteristics of each processing sector and the particular needs of micro, small and medium-sized enterprises.
The Commission Nationale de l'Informatique et des Libertés (CNIL) is the national data protection authority in France, based in Paris. It is an administrative authority, free from directives, whose 17-member college consists of four members of parliament, two members of the Economic and Social Council, six representatives of the highest French courts and a further five qualified persons. The CNIL elects its President from among its members. The CNIL is chaired by Isabelle Falque-Pierrotin (2018).
Confidentiality is the protection against unauthorized disclosure of information. Confidential data and information must only be accessible to authorised persons in the permitted manner.
In data protection law, a conflict of interest describes a situation in which conflicting interests of different parties oppose each other. This must be taken into account in particular when weighing up the interests and taking into account the fundamental rights and freedoms of the data subjects.
Connected driving refers to communication between vehicles (also vehicle-to-vehicle communication) and between vehicles and infrastructures (also vehicle-to-infrastructure communication). In connected driving, traffic-related information is exchanged via radio technologies. This includes, for example, processed information on traffic flow, accidents, road works or weather conditions. As a rule, sensors record the necessary information. This information is processed by computer and is then available for transmission to vehicles.
The term 'consent' in the context of data protection means any freely given specific and informed indication of his or her will, by which the data subject accepts that personal data relating to him or her be processed. Consent may be given in writing or by an unequivocal affirmative act.
The controller within the meaning of Regulation (EU) 2018/1725 and the General Data Protection Regulation (GDPR) is the body that determines the purposes and means of processing personal data. The actual processing may be transferred to another body known as the processor. The controller is responsible for the lawfulness of the processing, the protection of the data and the respect of the rights of the data subjects. The controller is also the body to which data subjects may apply to exercise their rights.
Convention 108 refers to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, adopted by the Council of Europe in 1981.
This Convention is the first legally binding international instrument adopted in the field of data protection.
The Convention lays down minimum requirements aimed at protecting individuals against the abuses that may occur in the collection and processing of personal data. It also aims to regulate the cross-border transfer of personal data. A total of 40 European states have ratified the Convention to date.
Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. If a user calls up a website, a cookie can be stored on the user's operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again.
Cross-border processing is either processing of personal data carried out in more than one Member State in the course of the activities of establishments of a controller or processor in the Union, where the controller or processor is established in more than one Member State, or processing of personal data carried out in the course of the activities of a single establishment of a controller or processor in the Union, but which has or may have substantial impact on data subjects in more than one Member State.
Cybersecurity or IT security is the protection of networks, computer systems, cyberphysical systems and robots against theft or damage to their hardware and software or the data processed by them, as well as interruption or abuse of the services and functions offered.
Damage is generally defined as a disadvantage caused by the reduction or loss of tangible or intangible assets. The term is, due to the fact that a damage is always accompanied by an involuntary loss of protected legal assets, i.e. of both a legal and an economic nature.
A database is an organized collection of structured information or data, typically stored electronically in a computer system. Data within the most common types of databases today is typically modeled in rows and columns in a series of tables to make processing and data retrieval efficient. The data can then be easily accessed, managed, modified, updated, controlled and organized. Most databases use the Structured Query Language (SQL) to write and query data.
A "publicly available" source is a source that is freely accessible to a group of addressees not defined according to specific characteristics (e.g. telephone directory, search engine results). Information that has been published on social media platforms and is only accessible to a certain group of people (e.g. friends) due to certain settings are not public sources.
Data minimisation/data economy/data avoidance is a principle in data protection law, which states that personal data should only be processed as much as necessary for the purpose of the processing. In addition to other principles of data protection law, it is regulated in Art. 5 para. 1 lit. c GDPR.
Data mining is the systematic application of computer-assisted methods to find patterns, trends or correlations in existing data stocks. Algorithms used for knowledge discovery are based on statistical methods, among others. Data mining is interdisciplinary and uses findings from the fields of computer science, mathematics and statistics for the computer-aided analysis of data sets.
Data Protection Authorities are independent authorities that monitor the application of data protection rules through powers of investigation and remedy. They offer competent advice on data protection issues and deal with complaints regarding violations of the GDPR and the relevant national laws. There is one such authority in each EU Member State. In principle, the data protection authority in the EU Member State where your company/organisation is based is the main contact point for data protection issues.
Companies/organisations are encouraged to take technical and organisational measures at the earliest possible stage in the design of technical processing operations, which are designed to protect privacy and guarantee data protection principles from the outset.
By default, companies/organisations should ensure that personal data are processed with the highest possible level of data protection (for example, only necessary data should be processed, short storage periods and limited accessibility should be provided for), so that these data are not made available to an unspecified number of persons from the outset.
The Data Protection Commission is the national data protection authority in Ireland, based in County Laois. It is the regulator responsible for ensuring compliance with the Data Protection Basic Regulation, the ePrivacy Directive (2011) and the Directive on the Investigation of Crimes involving the Processing of Personal Data.
The data protection coordinator is often found in groups or companies with an existing data protection organization. He or she works on a project-related basis and supports (the data protection officer) in all data protection issues within his or her area of responsibility.
The European Data Protection Day is a data protection action day launched on the initiative of the Council of Europe. It has been held annually on 28 January since 2007. This date was chosen because the European Convention on Data Protection was signed on 28 January 1981.
The Data Protection Directive 95/46/EC is a directive adopted by the EU in 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Since the GDPR came into force, it has completely replaced the Directive.
A data protection impact assessment is an evaluation and risk analysis of a processing operation which involves a high risk to the rights and freedoms of natural persons and is to be carried out by the controller. This assessment must be carried out prior to processing and must take into account the nature, scope, context and purpose of the processing, in particular where new technologies are used.
A data protection management system represents the totality of all documented and implemented regulations, processes and measures with which the data protection-compliant handling of personal data in a company is systematically controlled and monitored. The regulations relevant to a data protection management system are primarily Art. 5, 24, 30, 32 and 35 GDPR.
The data protection notice is a document by which a person responsible for data protection fulfills the requirements set out in Art. 12 ff. GDPR. It provides a data subject with the opportunity to consult all relevant information on the processing of his or her personal data. The data protection notice must be formulated in a precise, transparent, comprehensible and easily accessible form in clear and simple language.
The data protection officer is a person in the company who is responsible for monitoring compliance with data protection regulations. A data protection officer must be appointed by all companies that have at least twenty employees permanently engaged in the automated processing of personal data. The task of the data protection officer is to inform the company about its obligations under data protection law and to monitor compliance with them, to sensitize employees and to be available as a contact person for both employees and the responsible supervisory authority in matters of data protection law.
Processing of personal data may involve risks resulting in physical, material or immaterial damage. Such risks include those of discrimination, identity theft or fraud or direct financial loss. A breach of data protection is therefore a violation of the provisions of the GDPR. This can, for example, be the unlawful processing of personal data, for example by unauthorised access to data processing systems.
Data Quality, in German data quality, provides information on how well existing data is suitable for certain applications or tasks. The data quality of a dataset can be determined on the basis of criteria. In addition to the correctness and reliability of the data, numerous other criteria such as relevance and availability play an important role in data quality. For a company, data quality can be decisive for business success. Only when data quality is assured can operational processes be reliably controlled, relevant reports be generated or business analytics and business intelligence applications be executed efficiently.
Criminal offences in the sense of Union law include, in addition to the elements of criminal law, in particular the administrative offences under German law. Furthermore, Article 10 GDPR also covers data on binding official decisions in preparatory proceedings which are intended to enable a criminal offence to be established. Particularly noteworthy are data on measures in criminal investigation proceedings.
Data retention refers to all obligations of data controllers to retain personal data for specific purposes.
The Data Retention Directive (Directive 2006/24/EC) contains an obligation for providers of electronic communications services to retain traffic and location data for communications by telephone, e-mail, etc. This data retention is for the purpose of investigation, detection and prosecution of serious crime.
The data subject is the linchpin of data protection law. A data subject is a natural person whose personal data are processed. Art. 4 No. 1 GDPR uses the term "identified or identifiable" natural person. According to EC 14 p. 2 GDPR, this does not apply to the processing of data of legal persons.
The rights of those affected are regulated in Art. 15 - 22 GDPR. These are:
The right of access by the data subject (Art. 15 GDPR)
The right of rectification (Art. 16 GDPR)
The right of deletion ("right to be forgotten") (Art. 17 GDPR)
The right to restrict processing (Art. 18 GDPR)
The right to data transferability (Art. 20 GDPR)
The right of objection (Art. 21 GDPR)
Automated decisions in individual cases including profiling (Art. 22 GDPR)
Furthermore, Art. 12 GDPR regulates the framework conditions for the processing/responding to data subjects' rights. For example, according to Art. 12 para. 3 sentence 1 GDPR, the person responsible must make the application available to the data subject "without delay and in any case within one month of receipt of the application".
Data transmission (or data transfer) is the electronic transport of data (= data transfer) from the point of acquisition to the storage location, and from the storage location to the recipient. These locations are either one and the same computer or two different ones. According to Art. 44 ff. GDPR and Regulation (EC) No. 2018/1725, transmission to recipients in countries outside the EU and the European Economic Area (EEA) is subject to special protective measures.
The so-called Deep Learning is a special method of information processing. Deep learning is a subarea of machine learning and uses neural networks. To create artificial intelligence, training methods are used that draw on and analyse large amounts of data. The way it works is inspired in many areas by learning in the human brain.
A protocol records, retains or prescribes at what time or in what order which process was or is initiated by whom or by what. With regard to the deletion of personal data, the process of deletion is documented.
Direct marketing or direct communication includes all activities that serve to create an immediate and personalised interaction with current and potential customers. An important feature here is the largely individualised approach to the target contact. In addition to generating new customers, the main objective of direct marketing is to provide more intensive support for existing customers, thereby improving customer proximity and increasing customer loyalty.
At the same time as the general data protection regulation, the EU has also launched a data protection directive in the field of justice and home affairs. The aim of the JHA Directive is to bring about minimum harmonisation within the EU for data protection in the areas of police and justice in order to achieve a higher level of data protection in the Union as a whole. Member States may also maintain or introduce more stringent requirements in their national laws.
A user who has entered his e-mail address in a distribution list (single opt-in) will receive a subsequent confirmation e-mail to confirm his registration. If the user confirms the registration, the double opt-in is complete. The double opt-in procedure is intended to provide protection against spam and to give senders of e-mails with commercial content legal security, as the sending of requested commercial e-mails is not permitted.
The dual control principle or dual control can be used as a safeguard in a wide variety of areas. It states that two persons must confirm a certain critical activity or decision.
The Düsseldorfer Kreis is a working group of the data protection conference of the independent data protection authorities of the federal and state governments, which serves the communication, cooperation and coordination of data protection supervisory authorities for the non-public sector.
Employee data protection focuses on data protection in human resources. Companies have a large amount of personal data of their employees. However, data protection law sets clear limits when it comes to processing employee data. In particular, comprehensive personnel administration tools offer companies numerous possibilities for processing the data of their employees.
An important aspect of employee data protection is the work of the works council. The works council protects employees from supervision and control by the employer. When introducing and using technical equipment designed to monitor the behavior or performance of employees, the works council has a right of co-determination pursuant to § 87, Subsection 1, No. 6, BetrVG. In such cases, a works agreement is frequently concluded between the works council and the employer which lays down rules and framework conditions for the use of the system.
The Data Protection Directive on privacy and electronic communications or ePrivacy Directive is an EU directive issued in 2002 that sets binding minimum standards for data protection in telecommunications. The directive was revised in 2009 and since then has been referred to primarily as the Cookie Directive.
The draft for a ePrivacy Regulation regulates the use of electronic communications services within the European Union and is intended to replace the Data Protection Directive on privacy and electronic communications (2002/58/EC). It is estimated that the failure of the latest draft means that the ePrivacy Regulation is not expected to enter into force before 2023. Taking into account a transitional period of 24 months, this would mean that any new regulations would not come into force before 2025.
Erasure (of personal data) means ensuring that neither the responsible person nor third parties can establish a personal reference without disproportionate effort. It is sufficient to make the data anonymous and delete all related log files. A destruction of the data is not necessary.
Council Regulation (EC) No 2725/2000 of 11 December 2000 established a fingerprint database to support asylum procedures, called "Eurodac". This system contributes primarily to determining which Member State is responsible for asylum applications. The system comprises a Central Unit, a computerised central database for the comparison of fingerprint data of asylum seekers and the transmission facilities existing between the Member States and the central database. The European Data Protection Supervisor is responsible for supervising the system in cooperation with the competent national data protection authorities.
The European Commission is the politically independent executive of the EU. It is solely responsible for drawing up proposals for new European legislation and implementing the decisions of the European Parliament and the Council of the EU. The 27 Commissioners from each EU country take over the political leadership of the Commission for a period of five years. The President of the Commission gives each Commissioner responsibility for a particular policy area.
The European Data Protection Conference is an annual meeting of representatives of data protection supervisory authorities from the countries of the Council of Europe, the Council of Europe Data Protection Secretariat and, where appropriate, representatives of non-European data protection supervisory authorities where these countries have acceded to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108).
In addition to the general exchange of experience, the spring conference serves to discuss current issues of great importance to all participants. In order to express a common position among data protection supervisory authorities, the Conference may adopt resolutions which, although not binding on Members, are of a recommendatory nature and may form the basis for joint action.
European Data Protection Board (EDPB)
The European Data Protection Board (EDPB) is an independent body which ensures that the relevant EU legislation - in particular the general data protection regulation (GDPR) and the directive on data protection in law enforcement - is uniformly applied in all countries where it is applicable and promotes cooperation between national data protection authorities.
European Data Protection Officer (EDPO)
The European Data Protection Supervisor (EDPS) is a supervisory authority which ensures that all EU institutions and bodies guarantee the protection of privacy in the processing of personal data. Wojciech Wiewiórowski took up his duties as European Data Protection Supervisor on 6 December 2019. He was appointed for a five-year term by a joint decision of the European Parliament and the Council.
EU-US Privacy Shield
The Adequacy Decision of the European Commission (2016/1250) allows the transfer of personal data to the USA within the framework of the EU-US Privacy Shield (Privacy Shield), as the decision is in principle binding in accordance with Art. 45 Para. 1 GDPR. However, the general conditions under data protection law must also be examined. Provided these are met and the recipient in the USA is registered in the Privacy Shield, the personal data can be transferred.
‘Filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
The fingerprint is a print of the inner surface of a finger that can be evaluated to determine identity and shows the lines of the skin.
The fine is a sanction which is intended to "punish" an administrative offence committed. Administratively, it is a compensation payment for an administrative offence committed. Colloquially, the sanction is also called a fine.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR; 2016/679/EC) is a European Union regulation that harmonises the rules for the processing of personal data by most data processors, both public and non-public, throughout the EU. It has been mandatory in all EU member states since 25 May 2018 and has replaced its predecessor, the Data Protection Directive 95/46/EC.
‘Genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
Gesellschaft für Datenschutz und Datensicherheit (GDD e.V.)
The Gesellschaft für Datenschutz und Datensicherheit is a German association for data protection and data security. As a non-profit association, the GDD advocates sensible, justifiable and technically feasible data protection. Its aim is to support data processing agencies - especially data protection officers - in solving and implementing the many legal, technical and organizational requirements associated with data protection and data security.
The metaphor of the Gläserner Bürger (transparent citizen) denotes a state in which the individual is reduced to his or her own data and illuminated by the progress of information technology. In this state, no more individual-personal characteristics of the person exist.
Group of undertakings
‘Group of undertakings’ means a controlling undertaking and its controlled undertakings.
Hand vein scanner
Hand vein identification is a biometric method for the identification of persons, in which the vein pattern of a hand is recorded and compared with a reference pattern. Either the veins of the palm, the veins of the back of the hand or the finger veins are used. The vein patterns of the human hand are complex and largely protected within the body from unnoticed spying. The position of the veins remains unchanged throughout life and is different for every person. Hand vein recognition can achieve a comparably high level of security, i.e. similarly low false acceptance rates, as iris recognition.
The Hessian Commissioner for Data Protection and Freedom of Information monitors compliance with the provisions of the Hessian Data Protection Act and other data protection regulations by the public bodies of the state, the municipalities and districts, as well as by other legal entities under public law subject to the supervision of the state and by their associations within the state of Hesse.
Since 18 September 2003, this has been Prof. Dr. Michael Ronellenfitsch, who has also been controlling non-public bodies such as private companies, insurance companies or associations based in Hesse since 1 July 2011. Since 25 May 2018, Prof. Dr. Michael Ronellenfitsch has also been the Hessian Commissioner for Freedom of Information.
Since 2009, Prof. Dr. Johannes Caspar has been the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI). The HmbBfDI controls the administration and the economy in Hamburg and has unhindered access to all authorities, data processing companies and establishments for its audits.
‘Data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Identity theft, identity fraud or identity misuse refers to the misuse of personal data of a natural person by third parties. The aim of identity theft is usually financial, but a data set can also be used to damage a person's personal reputation, i.e. to discredit them.
In the field of IT, inference is a conclusion that was drawn with the help of a computer using a so-called inference engine. An inference engine is an artificial intelligence (AI) software that derives new facts from an existing database by inference. Inference engines are therefore an important component of expert systems as well as other knowledge-based systems.
Information Commissioners Office (ICO)
The ICO is the UK data protection authority with Elizabeth Denham as Information Commissioner. It reports directly to Parliament and is funded by the Department for Digital, Culture, Media and Sport (DCMS). Its legal basis is the Data Protection Act 2018, the GDPR, the Privacy and Electronic Communications Regulations 2003, the Freedom of Information Act 2000 and the Environmental Information Regulations 2004.
Information society service
An information society service shall comprise all services normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, at the individual request of a recipient of services.
‘Information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council.
Information duties are understood to mean the duty of the controller, as stipulated in the GDPR, to inform data subjects about the processing of their personal data. A distinction is made here between two cases, namely whether or not the data have been collected directly from the data subject (so-called third-party collection).
Information security serves to ensure the confidentiality, integrity and availability of information. The information itself can exist in different forms and be stored on different systems. Information is not limited to digital data. The storing or receiving systems do not necessarily have to be IT components. They can be both technical and non-technical systems. The aim is to protect against dangers and threats and to prevent economic damage.
Along with confidentiality and availability, integrity is one of the fundamental IT protection goals. It describes the prevention of unauthorized modification of information, as well as the correctness (integrity) of data and the correct functioning of systems.
International Association of Privacy Professionals (IAPP)
The IAPP is the largest and most comprehensive global community and resource for data protection. Founded in 2000, IAPP is a non-profit organization that helps define, support, and improve data protection law worldwide.
Every autumn, the international conference brings together the authorities responsible for privacy and data protection from Europe and the rest of the world. Unlike the European (data protection) conference, the international conference is open to stakeholders. The conference takes stock of new developments and usually adopts resolutions in a closed session in which only data protection authorities participate. This conference is the largest regular event in the field of data protection.
International organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
Internet of Things (IoT)
The Internet of Things is a collective term for technologies of a global infrastructure of information societies, which makes it possible to network physical and virtual objects with each other and let them work together through information and communication technologies.
Iris recognition using an iris scanner is a method of biometrics for the purpose of authentication or identification of persons. For this purpose, images of the iris of the eye are taken with special cameras, characteristic features of the respective iris are identified with the help of algorithmic procedures, converted into a set of numerical values (feature vector, "template") and stored for recognition by a classification algorithm such as a neural network or compared with one or more already stored templates.
Cybersecurity or IT security is the protection of networks, computer systems, cyber-physical systems and robots against theft or damage to their hardware and software or the data processed by them, as well as interruption or abuse of the services and functions offered.
The International Working Group on Data Protection in Telecommunications (IWGDPT) - also known as the "Berlin Group" - deals with issues related to data protection in the telecommunications sector and, since the beginning of the 1990s, mainly with issues related to data protection on the Internet. To this end, it has produced numerous working papers which have received worldwide attention.
Where two or more controllers jointly determine the purposes of and means for processing, they shall be joint controllers. They shall lay down in a transparent agreement which of them fulfils which obligation under the GDPR, in particular as regards the exercise of the rights of the data subject, and which of them fulfils which information obligations under Articles 13 and 14 of the GDPR, unless and insofar as the respective roles of the controllers are not laid down by Union or national legislation to which the controllers are subject.
Joint supervisory authorities
Joint Supervisory Authorities/Supervisory Authorities (JSBs/Supervisors) provided a model for the organisation of the data protection supervision of several large scale IT databases operated at European level and for certain law enforcement agencies. They were mainly composed of representatives of the national data protection authorities.
Konferenz der unabhängigen Datenschutzbehörden des Bundes und der Länder
The Conference of the Independent Data Protection Authorities of the Federal Government and the Länder (abbreviated to: Data Protection Conference, DSK) is a body that deals with current issues of data protection in Germany and comments on them. The Conference consists of the Federal Data Protection Commissioner, the State Data Protection Commissioners of the 16 federal states and the President of the Bavarian State Office for Data Protection Supervision.
Lawfulness of processing
According to the principles of processing of personal data, processing must be lawful. This is the case if personal data are processed in accordance with at least one of the conditions set out in Art. 6 Para. 1 GDPR:
- Consent by the data subject
- Purpose of processing for the performance of the contract
- processing is necessary for compliance with a legal obligation
- processing is necessary in order to protect the vital interests of the data subject
- processing is necessary for the performance of a task carried out in the public interest
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party
The State Commissioner for Data Protection and the Right of Access to Files is an independent citizens' authority. It monitors the compliance with data protection regulations by public and private bodies in the State of Brandenburg. It also monitors public bodies with regard to the protection of the fundamental right to file inspection and access to information. It is appointed by the state parliament for a period of six years and is supported in its work by an authority with currently 32 offices.
The State Commissioner for Data Protection and Freedom of Information Bremen assists in the exercise of rights, advises on data protection issues, supervises the administration of the State and the municipalities of Bremen and Bremerhaven, as well as companies and other private bodies based in the State of Bremen.
The State Commissioner for Data Protection and Freedom of Information is elected for eight years by the Bremen Parliament (Landtag). She is independent in the exercise of her office; nobody can give her instructions.
The State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia is responsible for monitoring compliance with data protection regulations in North Rhine-Westphalia (NRW). She also ensures that citizens can exercise their right to free access to official information in NRW.
The State Commissioner for Data Protection and Freedom of Information of Mecklenburg-Vorpommern contributes by constant consultation and control to the fact that authorities and other public bodies (so-called public sector) as well as companies, associations, etc., are able to ensure that their data is protected. (so-called private or non-public sector) handle personal data properly and thus the right of the individual to informational self-determination is protected. In addition, he is the contact person for all questions related to the right of access to information held by the public administration.
The state commissioner for data protection of Niedersachen, elected by the state parliament, is the contact person for data protection. Her tasks include representing the data protection interests of citizens vis-à-vis public bodies and companies in Niedersachen and raising public awareness of data protection issues.
The Baden-Württemberg State Commissioner for Data Protection and Freedom of Information is responsible for ensuring that the basic right of informational privacy is respected. In the public sector, he monitors whether the authorities (e.g. police stations, tax offices, mayor's offices, etc.) and other public bodies (e.g. municipal hospitals) in Baden-Württemberg comply with the provisions of the State Data Protection Act and other data protection regulations (e.g. social secrecy, tax secrecy and medical secrecy). It advises the state government, the ministries as well as the authorities and other public bodies on data protection issues and provides them with recommendations for improving data protection.
Since 1 April 2011, the State Commissioner has also been the supervisory authority for the non-public sector. In this function, he monitors whether the non-public bodies based in Baden-Württemberg (e.g. companies or associations) comply with the provisions of the Federal Data Protection Act and other regulations on data protection. He can also advise and support the non-public bodies in the state and their company data protection officers on data protection issues.
The State Commissioner for Data Protection and Freedom of Information is active in Rheinland-Pfalz as a supervisory authority for the public sector and as a data protection supervisory authority for private bodies (companies). He continues to advise and support citizens in exercising their right to access information, especially if your application has been rejected in whole or in part.
It is established as an independent supreme state authority at the Rheinland-Pfalz state parliament. With regard to public and private bodies, it monitors compliance with data protection laws and other regulations on data protection, advises the state parliament, the state government and its members and the data processing bodies on data protection issues and carries out local inspections. Its task of investigating complaints from citizens is also important.
Legal Tech - composed of "legal services" and "technology" summarizes the digital progress in the legal working world and forms the core of the digitalization of legal work. Legal Tech can be divided into three areas:
- Research, communication and assistance systems for legal work
- technologies that automate legal work in individual areas and
- Smart Contracts and artificial intelligence, by means of which narrowly defined legal services can be handled autonomously
The word liability is a term from civil law and describes the debtor's obligation to perform. Liability can arise from the contract or from the law. In most cases, liability presupposes fault (intent or negligence). However, there is also strict liability, e.g. the liability of animal owners or product liability.
A log file is a file in which processes running on a computer or network system are logged. Another name for log file is therefore protocol file. Log files provide important data for the analysis of networks or access to a web server or website. For a long time, log file analysis was the most common method for obtaining data about visitors to a website.
At the 28th International Conference of Data Protection and Privacy Commissioners in London (November 2006), a declaration entitled 'Communicating data protection and making it more effective' was presented, which received broad support from data protection authorities around the world.
It was a joint initiative of the President of the French Data Protection Authority, the Data Protection Commissioner of the United Kingdom and the European Data Protection Supervisor. This is known as the 'London initiative'.
Machine Learning is a subarea of artificial intelligence. With the help of machine learning, IT systems are enabled to recognize patterns and regularities and to develop solutions on the basis of existing data sets and algorithms. So to speak, artificial knowledge is generated from experience. The knowledge gained from the data can be generalised and used for new problem solutions or for the analysis of previously unknown data.
The principal place of business shall mean, in the case of a controller with establishments in more than one Member State, the place where the controller has its head office in the Union, unless decisions relating to the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and that establishment is empowered to implement those decisions, in which case the establishment which takes such decisions shall be considered as the principal place of business;
in the case of a processor with establishments in more than one Member State, the location of its head office in the Union or, if the processor does not have a head office in the Union, the establishment of the processor in the Union where the processing activities in the context of the activities of an establishment of a processor are mainly carried out, in so far as the processor is subject to specific obligations under this Regulation.
Market place rule
The market place rule regulates and extends the territorial scope of application of European data protection law by data processing bodies outside the EU when processing personal data, provided that the respective offer is directed at the European market ("market place"). This means if neither the registered office nor a branch of the company is located in the EU, but the company offers goods or services to the data subjects in the Union, whether for payment or free of charge (Art. 3 II a) GDPR) or observes their behaviour (Art. 3 II b) GDPR). In contrast, under the country of origin principle, the law of the country where the company is established applies.
In international law, a Member State is defined as a State which is a member of a supranational or international organisation or part of an alliance or a regulated community of States. It is an individual state in an association of several states under international law.
Microcensus is the statistical collection of economic and social data on the inhabitants of Germany by means of random surveys of selected, representative members of the population. The microcensus serves, for example, to continue the information obtained from a census.
Natural Language Processing (NLP)
Natural Language Processing (NLP) is a branch of Artificial Intelligence (AI). Natural Language Processing is a set of techniques and methods for machine processing of natural language. It is intended to enable extensive communication between humans and computers by means of language.
Need to know principle
The so-called need-to-know principle (also known as the necessity principle) is an access control to personal data. It is intended to ensure that in principle only those persons have access to data who need it directly to perform a specific task.
The necessity principle describes within the proportionality assessment that a processing operation is only necessary if the task in question cannot be carried out or cannot be fully carried out without the specific date. Necessity as a substantive legal requirement only limits the scope of data processing in individual cases.
One stop shop principle
Pursuant to Art. 56 para. 6 GDPR, in the case of cross-border data processing, the so-called lead supervisory authority is the sole point of contact for the controller or the processor. This means that in the case of cross-border data transfers or processing, companies will have only one contact person for the assessment of data protection issues, on whose statements they can then rely.
Opinions are an important tool for the European Data Protection Supervisor (EDPS), both in his supervisory duties and in his role as advisor on proposals for new EU legislation.
In the context of a prior check, an opinion is issued to determine whether the provisions of Regulation (EU) 2018/1725 are complied with by a specific processing operation and to make recommendations to the institution or body concerned. These opinions are published on the EDPS website ('Supervision' section).
One speaks of an opt-in solution when the user's consent to the processing of his data is not automatically presupposed (see also: Opt-out). This procedure can be implemented by means of a simple opt-in, but also by means of a double opt-in, for example by means of a further confirmation in the form of an e-mail.
Other processor (weitere AV)
Where the processor uses the services of another processor to carry out certain processing operations on behalf of the controller, the same data protection obligations as those laid down in the contract or other legal instrument concluded between the controller and the processor pursuant to paragraph 3 shall be imposed on that other processor by means of a contract or other legal instrument in accordance with Union law or the law of the Member State concerned, in particular by providing sufficient guarantees that the appropriate technical and organisational measures are implemented so as to ensure that the processing is carried out in accordance with the requirements of this Regulation.
Passenger Name Record (PNR)
PNR data are all data stored by a passenger in relation to his or her flight booking. This includes, but is not limited to, the surname, maiden name, first name and doctorate of the passenger, PNR booking code details, date of booking and ticket issue, scheduled departure date or dates of scheduled departure, address and contact details, including telephone number and e-mail address.
A password is a defined character string that is used for authentication. It can be used to prove the identity of a person on the one hand, and certain authorizations on the other.
According to Art. 4 No. 1 GDPR, personal data is information that relates to an identified or identifiable natural person. In this context one also speaks of the "data subject". Personal data may include, inter alia, the name, telephone number, address or e-mail address.
Personal data breach
Processing of personal data may entail risks of physical, material or non-material damage. Such risks include those of discrimination, identity theft or fraud or direct financial loss. A breach of data protection is therefore a violation of the provisions of the DSGVO. This can, for example, be the unlawful processing of personal data, for example by unauthorised access to data processing systems.
Phishing refers to the process of obtaining personal data of an Internet user by means of fake websites, e-mails or short messages.
Principles of processing
The principles for the processing of personal data result from Art. 5 GDPR. These include lawfulness, processing in good faith, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality and the accountability of the controller.
The private sphere is the non-public area in which a person can exercise his or her right to free development of his or her personality, uninfluenced by external influences. This area is becoming increasingly important, especially in times of digitalisation on the Internet. For the Internet must not be allowed to interfere with people's private sphere either.
Privacy by Default
Privacy by Default means data protection through data protection-friendly default settings. What is meant by this is that factory settings are to be designed in such a data protection-friendly manner that even users who are less technically inclined are protected from unlawful processing. This means that they should not be disadvantaged when setting their preferences.
Privacy by Design
Privacy by Design means data protection through technology design. The basic idea here is that data protection can best be guaranteed if it is already technically integrated during the development of a data processing procedure.
A privacy dashboard is a program that helps a user to manage privacy settings.
Processing means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, organisation, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The controller within the meaning of Regulation (EU) 2018/1725 and the Basic Data Protection Regulation (GDPR) is the body that determines the purposes and means of processing personal data. The actual processing may be transferred to another body known as the processor. The controller is responsible for the lawfulness of the processing, the protection of the data and the respect of the rights of the data subjects. The controller is also the body to which data subjects may apply to exercise their rights.
Profiling is any automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to the performance of work, economic situation, health, personal preferences, interests, reliability, conduct, location or change of location of that natural person.
Prohibition subject to permission (Verbot mit Erlaubnisvorbehalt)
The prohibition subject to permission describes a fundamental principle in data protection law, after the processing of personal data has been prohibited for the first time, unless permission is granted. In the case of the GDPR, these are regulated in Art. 6 para. 1 GDPR.
The Prüm Treaty is an intergovernmental agreement between currently 13 Member States of the EU, which aims to improve cross-border cooperation and in particular the exchange of information between the contracting parties for the purpose of preventing and prosecuting criminal offences.
Pseudonymisation is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the inclusion of additional information, provided that this additional information is kept separately and is subject to technical and organisational measures which ensure that the personal data is not attributed to an identified or identifiable natural person.
Purposes of the processing
Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research or for statistical purposes shall not be considered incompatible with the original purposes ('purpose limitation') in accordance with Article 89(1).
The term ransomware is derived from the English word "ransom". Ransomware is an extortionate malware that attempts to block the use of systems or data. Users are asked to pay a ransom to remove the blockade. Since the malware often blocks data by encrypting it, ransomware is also called a cryptotrojan or encryption strojan.
According to Art. 4 No. 9 GDPR, the recipient is a natural or legal person, authority, institution or other body to whom personal data are disclosed, regardless of whether it is a third party or not. However, authorities which may receive personal data in the context of a specific investigation mandate under Union law or the law of the Member States shall not be regarded as recipients; the processing of such data by the said authorities shall be carried out in accordance with the applicable data protection provisions, in accordance with the purposes of the processing.
Record of processing activities
Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. 2That record shall contain all of the following information:
- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures referred to in Article 32(1)
Relevant and reasoned objection
Relevant and reasoned objection means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union.
Representative means any natural or legal person established in the Union who has been appointed in writing by the responsible person or processor in accordance with Article 27 to represent the responsible person or processor in respect of their respective obligations under this Regulation.
"RFID" stands for "radio frequency identification". It is an automatic identification method based on the storage and remote retrieval of data using so-called RFID transponders.
An RFID transponder is an object that can be attached to products, animals or people, incorporated into products or implanted in the body of animals or people to enable identification or tracking via radio waves.
Rights and freedoms of the data subject
"Rights and freedoms of natural persons" is a central concept in the GDPR. The aim of the GDPR, according to Art. 1 para. 2 GDPR, is to protect the fundamental rights and freedoms of natural persons. These are determined by the Charter of Fundamental Rights and Freedoms of the European Union (Charter of Fundamental Rights - GrCh) and the European Convention on Human Rights (ECHR). The term rights and freedoms of natural persons also includes individual rights under ordinary law. It must be interpreted within the context of European law and not according to purely national understanding.
Right to access
The right to information is regulated in Art. 15 GDPR. It is one of the rights of data subjects. According to this, the data subject has the right to obtain information from the controller as to whether personal data are being processed by him or her. The person responsible must then provide information on the following:
- Processing purposes
- Categories of personal data processed
- Recipients or categories of recipients of the personal data
- if possible, the storage period or the criteria for determining this period
the existence of a right of rectification, erasure or limitation of the processing by the controller or a right to object to the processing
- the existence of a right of supervision with the supervisory authority
- if the personal data are not collected from the data subject, all available information on the origin of the data
- the existence of automated decision making, including profiling, as referred to in Article 22(1) and (4) and, at least in these cases, meaningful information about the logic involved and the scope and intended impact of such processing on the data subject
- If no personal data are processed, the data controller is obliged to provide so-called negative information, i.e. to inform the data subject that no data are processed.
Right to data portability
The data subject shall have the right to obtain the personal data concerning him/her that he/she has provided to a controller in a structured, common and machine-readable format and the right to have such data communicated to another controller without hindrance by the controller to whom the personal data has been provided, provided that the processing is based on consent pursuant to Art. 6, paragraph 1, letter A GDPR or Art. 9, paragraph 2, letter A GDPR or on a contract pursuant to Art. 6, paragraph 1, letter b, and that the processing is carried out by means of automated procedures.
Right to guarantee the confidentiality and integrity of information technology systems (IT-Grundrecht)
The fundamental right to guarantee the confidentiality and integrity of information technology systems protects the legitimate interest of the user that the data generated, processed and stored by an information technology system remain confidential. The fundamental right is based on Art. 2 Par. 1 in conjunction with Article 1(1) of the German Constitution as a special expression of the general right of personality (BVerfG, NJW 2008, 822). It applies only to the extent that protection is not guaranteed by more specific fundamental rights such as Article 10 of the German Constitution (secrecy of mail, letters and telecommunications), Article 13 of the German Constitution (inviolability of the home) or the fundamental right to informational self-determination (Article 2.1 in conjunction with Article 1.1 of the German Constitution).
Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to complain to a supervisory authority, in particular in the Member State of his habitual residence, employment or the place of the alleged infringement, if he considers that personal data relating to him are being processed in breach of this Regulation.
Right to information
Everyone has the right to know that his personal data are processed and for what purpose. The right to information is important because it is the basis for exercising other rights. The right to information refers to the information that a data subject is entitled to receive, whether or not the data have been collected from the data subject.
The obligation to provide information covers the identity of the controller, the purpose(s) of the processing operation, the recipients and the existence of rights of access and rectification of the data.
Right to informational self-determination(Recht auf informationelle Selbstbestimmung)
With the help of the right to informational self-determination, everyone should be able to decide for themselves what personal data they wish to disclose and who may use it. This is still a relatively recent development of the general right of personality, but it now has its own significance. It was not until 1983 that the Federal Constitutional Court had elaborated on it in its census ruling.
Right to erasure (`right to be forgotten`)
The data subject shall have the right to request the controller to delete personal data relating to him/her without delay and the controller shall be obliged to delete personal data without delay.
Right to object
The data subject shall have the right to object at any time, for reasons relating to his particular situation, to the processing of personal data concerning him carried out pursuant to Article 5(1)(a) of the GDPR, including profiling based on this provision. The controller shall no longer process the personal data unless he can demonstrate compelling legitimate reasons for processing which outweigh the interests, rights and freedoms of the data subject, or unless the processing is for the purpose of asserting, exercising or defending legal claims.
Right to rectification
The data subject shall have the right to obtain from the controller the rectification without delay of inaccurate personal data concerning him/her. Having regard to the purposes of the processing, the data subject shall have the right to request the completion of incomplete personal data, including by means of a supplementary declaration.
Right to restriction of processing
The right to restrict processing is a data subject right under the GDPR. The purpose of the provision under Art. 18 GDPR is that under certain conditions personal data may no longer be processed in accordance with the general provisions of the GDPR.
Right to withdrawal
The data subject has the right to withdraw his or her consent at any time. Revocation of consent shall not affect the lawfulness of the processing carried out on the basis of the consent until revocation. The data subject shall be informed before giving consent.
Risk is the product of probability of occurrence and severity of damage. A risk within the meaning of the GDPR is the existence of the possibility of an event occurring which itself constitutes damage (including unjustified impairment of the rights and freedoms of natural persons) or which may lead to further damage to one or more natural persons.
Robotics or robot technology deals with the design, configuration, control, production and operation of robots, e.g. industrial or service robots. In the case of anthropomorphic or humanoid robots, it also involves the production of limbs and skin, facial expressions and gestures, and natural language skills. The focus is on hardware robots with hardware and software. Pure software robots (bots) are primarily developed in computer science, nano-robots in the future in nanotechnology.
Roles and rights concept
An authorization concept describes which access rules apply for individual users or user groups to the data in an IT system. It should also regulate the processes that affect user rights, such as the creation of users or the regular control of the actual status to the target status. The authorization concept covers the diverse range of authorizations in an IT system. The field ranges from password restrictions, role definitions to process descriptions. To create an authorization concept, it is advisable to start "at the beginning", i.e. when redefining users.
Der Sächsische Datenschutzbeauftragte
The Saxon Data Protection Commissioner - the current incumbent has been Andreas Schurig since December 2015 - has been the supervisory authority in the sense of Art. 51 para. 1 of the GDPR since 25 May 2018. According to § 15 SächsDSDG, the Saxon Data Protection Commissioner is a supreme state authority with its headquarters in Dresden. According to § 16 SächsDSDG, the office holder is elected by the state parliament with the majority of its members.
In the public sector, e.g. state authorities, the Saxon Data Protection Commissioner and his staff may, as before, enter offices at any time in accordance with § 19 SächsDSDG; they must also be granted access to all data processing systems and equipment as before. Also, if the Saxon Data Protection Commissioner has established a punishable violation of a regulation on data protection, he may, as before, report this to the competent authority, usually the responsible public prosecutor's office.
Scam is the criminological term for a subtype of fraud in Germany (§ 263 StGB). Under false pretences (see social engineering), recipients are persuaded to participate in snowball systems or to make financial advances to the senders (the fraudsters) in anticipation of promised commissions. The victim is first made to believe that he or she can earn an enormous fortune. The person making the advance payment waits in vain for this consideration from the transaction - money or goods - because a consideration was not intended from the beginning.
Schengen Information System (SIS)
The Schengen Information System (SIS) is a large-scale IT system linked to the abolition of border controls at the internal borders of the Schengen area (which covers most of the EU's sovereign territory as well as some other countries).
The SIS will be replaced by SIS II to allow the connection of more countries and to provide new functionalities.
The SIS contains information on objects (stolen vehicles, identity documents, etc.) and people. Personal data on the following persons may be stored in the SIS:
third-country nationals who are banned from entering the Schengen area;
persons wanted in connection with criminal proceedings and persons under police surveillance;
missing persons who should be detained, in particular minors
A breach of security occurs when an organizational instruction or a legal requirement relating to data security has been violated. However, any event that provides evidence of a breach of confidentiality, integrity or availability of information can be considered a security incident. Each vulnerability is always initiated by a security relevant event, which, if confirmed, can prove to be a security breach.
Small and medium-sized enterprises (SME)
Micro, small and medium-sized enterprises (SMEs) are defined in EU Recommendation 2003/361. According to this recommendation, an enterprise is classified as an SME if it has no more than 249 employees and an annual turnover not exceeding €50 million or a balance sheet total not exceeding €43 million.
Special categories of personal data ("sensitive data")
The following personal data are considered "sensitive" and are subject to special processing conditions:
- personal data revealing the racial or ethnic origin, political opinions, religious or philosophical beliefs of a person
- trade union membership;
- genetic data, biometric data processed solely to uniquely identify a natural person;
- health data;
- data concerning the sexual life or sexual orientation of a person.
Standard contractual clauses
Standard contractual clauses are legal instruments to provide adequate safeguards for data transfers from the EU or the European Economic Area to third countries.
The European Commission has adopted three Decisions declaring that standard contractual clauses are appropriate and allowing companies to include these clauses in a transfer contract.
In principle, no authorisation from data protection authorities is required to use these clauses. However, a formal notification to the authority may still be required.
SWIFT ('Society for Worldwide Interbank Financial Telecommunication') is a global financial messaging service that facilitates international payment instructions.
Following the terrorist attacks of 11 September 2001, the US Department of the Treasury, by administrative order, requested SWIFT to transfer personal data stored on the SWIFT server in the United States in order to identify, trace and track individuals who provide financial support for terrorist activities.
Swiss-US Privacy Shield
The Swiss-US Privacy Shield is an agreement to the same extent as the EU-US Privacy Shield after the data transfer of personal data between Switzerland and the USA can legally take place. It sets out a number of standards as principles and for the lawful handling of data.
Privacy enhancing technologies (Technologien zum Schutz der Privatsphäre)
Privacy-enhancing technologies (PETs) are technologies that embody fundamental data protection principles by minimizing personal data use, maximizing data security, and empowering individuals. This can be software and hardware solutions, ie systems encompassing technical processes, methods or knowledge to achieve specific privacy or data protection functionality or to protect against risks of privacy of an individual or a group of natural persons.
Telemedicine is a collective term for various medical care concepts, which have in common the principle approach that medical services of the health care of the population in the areas of diagnostics, therapy and rehabilitation as well as in medical decision guidance are provided over spatial distances (or with a time lag). Information and communication technologies are used for this purpose.
Telecommunications data describes all data that has to do with telecommunications. For example, this can be connection data from the Internet. However, this usually refers to the data that is generated during a telephone call. This usually includes the number of the caller, the number of the called party as well as the date, time and length of a call. With a mobile phone, the approximate location can also be determined, depending on the base station used to dial into the mobile network.
The secrecy of telecommunications is protected by article 10 of the constitution. It is a special case of postal secrecy. The subject matter of telecommunications secrecy is the content and circumstances of individual communications via the medium of wireless or wired electromagnetic waves. In addition to telephone and radio traffic, communication via mobile radio and the internet is also protected. The entire ongoing communication process is protected, from the sending of the message to its receipt. Thus, the carriers of information after the communication process is completed are not protected.
The Terrorist Finance Tracking Program (also known as the TFTP) is a U.S. government program designed to gain access to the SWIFT database. This program was unveiled by the New York Times in June 2006. Based in Belgium, SWIFT (Society for Worldwide Interbank Financial Telecommunication) sets common standards for financial transactions worldwide. The Terrorist Finance Tracking Program is considered a tool in the "global war on terror".
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data
A third country is a country that is not bound by the general data protection regulation (GDPR), unlike the 28 Member States of the EU and the three countries of the European Economic Area (EEA), Norway, Liechtenstein and Iceland.
It can be recognised that third countries provide an adequate level of protection for personal data to allow the transfer of personal data from EU and EEA Member States to these countries.
Der Thüringer Landesbeauftragte für den Datenschutz (TLFD)
The Thuringian State Commissioner for Data Protection and Freedom of Information deals with the receipt and processing of citizens' submissions on violations of data protection law by state authorities and companies in Thuringia. In addition, his task is to advise the authorities on how to comply with and improve data protection and to advise citizens on how to enforce their data protection rights and to report to the state parliament and the state government on his activities (annually) in the public and non-public sector.
Traffic data is data collected, processed or used in the course of providing a telecommunications service. According to § 96 TKG (telecommunications law) these are e.g.
- e-mail addresses (possibly also inventory data),
- Date and time of access or delivery
- Routing information and information about IP addresses and MAC addresses
- Number or identification of participating telephone connections for mobile connections, also the location data (radio cells)
Traffic data does not include information relating to content, such as the name of file attachments, the subject of an e-mail or the content of an SMS.
Data transmission (or data transfer) is the electronic transport of data (= data transfer) from the point of acquisition to the storage location, as well as from the storage location to the recipient. These locations are either one and the same computer or two different devices. In accordance with Chapter V of the GDPR and Regulation (EC) No. 2018/1725, transmission to recipients in countries outside the EU and the European Economic Area (EEA) is subject to special protective measures.
Transmission of functions
The transmission of functions assumes, instead of an order (data) processing, a transfer of personal data to third parties in the course of outsourcing of such "functions"/tasks which go beyond mere data processing as such and where the recipient has at least been given certain decision-making scope to fulfil the task. However, the concept of transfer of functions is not provided for in the GDPR.
The principle of transparency is a characteristic of processing in good faith. Accordingly, the data subject must be treated fairly when his or her personal data are processed.
A data processing operation is considered fair in terms of transparency if the data subject is given more decision-making power over his or her data and can better exercise his or her rights by being informed about the scope and extent of the processing.
A Trojan is malware that often masquerades as legitimate software. Trojans are used by cyber thieves and hackers to gain access to the user's system. Users are usually tricked into downloading and running the Trojan on their system through a social engineering scam. Once activated, cybercriminals can use the Trojan to spy on you, steal confidential data and gain backdoor access to your system.
Two-factor authentication refers to the proof of identity of a user by means of the combination of two different and in particular independent components.
Unabhängiges Datenschutzzentrum Saarland
The State Commissioner for Data Protection monitors compliance with data protection regulations both by the public bodies of the Saarland and by the non-public bodies based in the Saarland, thus ensuring the basic right of citizens to informational self-determination. In addition, it performs the task of the Saarland Commissioner for Freedom of Information.
The State Commissioner for Data Protection and Freedom of Information advises the public and non-public bodies and makes recommendations for improving data protection and on questions concerning freedom of information.
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
The Independent Centre for Data Protection Schleswig-Holstein is concerned with compliance with data protection law in Schleswig-Holstein. This includes following up on indications of data protection violations, monitoring data processing in Schleswig-Holstein authorities and companies, advising authorities, commercial enterprises and private individuals on all questions of data protection, e.g. on questions of interpretation of data protection law or legislation.
For the purpose of EU antitrust law, any entity engaged in an economic activity, that is an activity consisting in offering goods or services on a given market, regardless of its legal status and the way in which it is financed, is considered an undertaking.
The German Unfair Competition Act (UWG) is the legal basis in German law for combating unfair competition. It serves to protect competitors, consumers and other market participants from unfair business practices. It also protects the general interest in undistorted competition.
Video surveillance is the permanent or systematic surveillance of a specific area, event, activity or person by means of a CCTV system or other electronic device or system for visual surveillance.
Visa Information System (VIS)
The Visa Information System (VIS) is a large-scale IT system that will contain information, including photographs and fingerprint data, on visa applicants. The European Data Protection Supervisor issued an opinion on the development of the VIS in 2005 and a further opinion in 2006 on access to the VIS by law enforcement authorities (PDF). The information is gathered by the consulates in the different Member States and then transmitted to a central database, VIS, where it is accessible to all Member States. The roll-out of the VIS should in principle start in 2009.