Dictionary

People have the right of access to the personal data that organisations process of them. If someone asks an organisation for access, the organisation must provide information about which data it has of this person, where the data come from, and what happens with them.

Accountability means that organisations must be able to demonstrate that they comply with the GDPR. This is also called the accountability principle.

Accuracy is one of the basic principles of the GDPR. This means that organisations that process personal data must ensure that the data are accurate and that they update the data if necessary.

With an adequacy decision, the European Commission determines that the level of data protection in a third country is comparable to that provided by the GDPR.

The Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, may choose not to immediately initiate an official investigation and/or formal enforcement procedure, but to stop a violation in another way. For example, through a warning letter or conversation.

When personal data are anonymised, the data are changed in such a way that it is no longer possible to determine whom the data relate to.

Authentication is a security mechanism that regulates access control. It requires verification of the (digital) identity of a user or system through a suitable means.

To grant someone permission to access a system, a file or (personal) data.

Automated or automatic decision-making involves a decision being made about someone automatically (by the computer). This is done based on data about that person, without a human being assessing these data.

Binding corporate rules (BCR) are internal corporate rules for data traffic within an organisation, which international organisations or multinationals with branches both inside and outside the EEA can draw up.

Examples of biometric personal data are fingerprints or facial images. These physical features are unique. That is why organisations can use them for identifying people or confirming their identity.

A black list is a list of persons with whom an organisation does not want or no longer wants to do business, such as shoplifters or fraudulent employees. If the organisation wants to share the black list with other organisations, this may only be done with a permit from the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority.

A certificate (or GDPR certificate) is a written statement that a product, process or service meets all or certain specified requirements of the GDPR.

The Dutch citizen service number (BSN) is a unique personal identification number that is intended for the contact between citizens and the government.

A group of organisations, such as a branch of industry or a sector, can (voluntarily) draw up a GDPR code of conduct for the way in which these organisations handle personal data. In doing so, they demonstrate that they comply with the GDPR.

Complying with privacy legislation when processing personal data.

In an international investigation, one data protection supervisory authority from the EU is in charge. It collaborates with the supervisory authorities of the other EU countries where the data processing has impact. These other supervisory authorities, who are not in charge, are called the concerned supervisory authorities.

A connected vehicle is a car, motorcycle, scooter or bicycle that is connected to the Internet and can collect and exchange all kinds of data, for example, how you drive and travel. This can provide a lot of information about you and your life.

One of the legal bases from the GDPR is that people have given consent for processing their personal data.

The controller is an organisation or a person that determines the purpose of and the means for the use of personal data.

A cookie wall means that a website or app can only be accessed by accepting cookies. Because people have no real choice in the matter, cookie walls are prohibited under the GDPR.

An organisation's core activities include the processes that are essential to achieving the organisation's goals. Or that are part of the main tasks of the organisation.

Monitoring people without their knowledge.

To assess the creditworthiness of a potential customer, or in other words, to assess whether that person is able to pay the bills. For example, regarding a loan or mobile phone contract.

Criminal data are data relating to criminal convictions and offences. Or to related security measures.

Cross-border data processing occurs if an organisation also processes personal data outside its own EU Member State. For example, in the Netherlands as well as in Germany, or a country outside the EU. Or if people in more than one Member State are (likely to be) significantly affected by the data processing.

A data breach involves access to personal data while this is not permitted or the intention. This is caused by a breach of the security of these data. The unwanted destruction, loss, alteration or provision of personal data due to such a breach also fall under the definition of a data breach.

Organisations that have a serious data breach must notify the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, and sometimes the victims as well, in a timely manner.

Under the GDPR, organisations are required to set up and maintain a data breach register. In this register, they keep a record of which data breaches have occurred in the organisation.

When processing personal data, organisations have to proceed from the principle 'as few as possible'. This means you are not allowed to process more data than necessary. It is one of the basic principles of the GDPR.

People have a right to data portability. This means that in certain situations, they have the right to receive the personal data that organisations have about them. Or to have such data transferred directly to another organisation.

A data protection impact assessment (DPIA) is an instrument for identifying the privacy risks of a data processing operation in advance. To ensure that the organisation can take measures to mitigate these risks.

A Data Protection Officer (DPO) supervises the application of and compliance with the privacy legislation within an organisation.

The person or persons whose personal data an organisation processes.

Abbreviation of the European Convention for the Protection of Human Rights and Fundamental Freedoms of 1950. Article 8 of the ECHR concerns the 'right to respect for privacy'.

Encrypting information makes it incomprehensible to unauthorised persons. This is a security measure. This does not make the data anonymous.

The European Data Protection Board (EDPB) is an independent body in which all national data protection agencies from the EEA work together.

The European Economic Area (EEA) includes all EU countries plus Liechtenstein, Norway and Iceland.

Is a publication of personal data intended exclusively for personal or domestic use? And therefore not for professional or commercial purposes? In that case, no consent from the data subject(s) is required for publication, because the GDPR does not apply.

The processing of personal data is excessive if more personal data are processed than is necessary for the purpose of the processing.

Explicit consent is an enhanced form of consent, requiring the data subject to give an explicit statement of consent. This is required in situations with a serious privacy risk, where it is important that people retain control over their personal data. For example, when processing special categories of personal data.

According to the basic principles of the GDPR, organisations must process personal data in a manner that is 'fair'. That means: honest. For example, processing may not be misleading or discriminatory.

This is an enforcement measure that means that a violator of privacy legislation must pay a sum of money to the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, as a penalty. A fine amounts to a maximum of 20 million euros or 4% of the global annual turnover.

On a number of points, the General Data Protection Regulation (GDPR) leaves room for national choices. In the Netherlands, these have been elaborated in the GDPR Implementation Act (UAVG).

The Dutch General Administrative Law Act (Awb) sets out how the government must prepare and announce decisions. And within what time frame the government must make a decision. In addition, this act contains rules for submitting and handling objections and appeals.

The General Data Protection Regulation (GDPR), together with the Law Enforcement Directive (LED), is the main privacy legislation, applying throughout the EEA.

Hashing is a method for pseudonymisation of personal data. It makes tracing these data back to individuals more difficult. Hashing is a security measure and does not lead to anonymisation.

Data about someone’s health are so-called special categories of personal data, because they are very privacy-sensitive.

An identity document is a tool that allows people to identify themselves: to prove that they are who they say they are.

In the case of identity fraud, criminals misuse false or stolen identity data. For example, they buy items in someone else's name without paying.

Indirectly identifying personal data cannot be directly traced back to a specific person, but this will be possible when combined with each other or with other data.

Every organisation that processes personal data has an obligation to provide information. This means that the organisation is obliged to inform people clearly about what it does with their personal data and why.

'Confidentiality and integrity' is one of the basic principles of the GDPR. This principle means that any data processing must be secured in an appropriate manner so that personal data cannot be illegally modified.

In addition to PCs, laptops and smartphones, more and more other devices are connected to the Internet and communicate among themselves. For example, smart TVs, cars, wearables (such as a smartwatch), toys, fridges, music systems, lights and thermostats. Together, these devices form the Internet of Things.

When multiple organisations jointly determine for what purpose and in what manner they process personal data. In that case, there are multiple controllers, or in other words, there is joint controllership. The organisations must then record how they structure their responsibility for compliance with the GDPR.

Journalistic exception means that certain exceptions to the GDPR apply to journalistic publications. For example, the author does not have to ask consent from the data subjects for the use of their personal data.

In addition to the GDPR, the judiciary has to deal with the Dutch Judicial Data and Criminal Records Act (Wjsg). This law is based on the European Law Enforcement Directive (LED).

In addition to the GDPR, a separate European directive was introduced for data protection by authorities responsible for law enforcement, including the police and the judiciary. This is the Law Enforcement Directive (LED).

'Lawfulness' is one of the 6 basic principles of the GDPR. In order to be lawful, processing must be based in any case on a legal basis from the GDPR. In addition, the processing may not be contrary to other legislation, such as a legal obligation of confidentiality.

Organisations that carry out cross-border processing operations have to deal with one data protection authority. That is the lead supervisory authority, usually the supervisory authority in the member state in which the main establishment of an organisation is located.

Organisations may only process personal data if they have a good reason to do so. The legal name for this is 'legal basis'. The GDPR sets out 6 possible legal bases.

The Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, pre-tests new proposals for laws and regulations that relate to the processing of personal data. The government is obliged to ask the AP for such a legislative test.
 

Logging is a security measure. It is used for recording events in systems. For example, who viewed or modified certain data and when this happened. It also includes attempts to gain unauthorised access.

Multifactor authentication is a technique that requires the use by a person or a system of a combination of at least 2 different types of authentication factors in order to gain access.

According to the GDPR, personal data may only be processed if this is necessary to achieve a specific purpose. Necessity consists of two requirements: proportionality and subsidiarity.

An organisation may process personal data in several member states of the European Union (EU). Or in one member state, but of people from several member states. The organisation, however, has to deal with one data protection agency only. This is called the one-stop shop mechanism or one-stop shop.

The Dutch Open Government Act (Woo) regulates the right to information about everything the government does. If the Autoriteit Persoonsgegevens (AP),the Dutch data protection authority, receives a request to make certain information public, it will make a decision on this. This is called a Woo decision.

One of the sanctions of the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority. An organisation is given a certain amount of time to end a violation. If this does not happen (in time), the organisation must pay a predetermined amount for each day or week that the violation continues.

Consumers can use various payment services. For example, for payments via their smartphone, an automatic housekeeping book or advice on savings.

The company behind a payment service is called the payment service provider.

Organisations that want to process criminal data and share these data with others often have to apply to the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, for a permit first.

Personal data concerns information that is either directly about someone, or can be indirectly traced back to this person. For example, by combining multiple personal data.

The old privacy law in the Netherlands, which was replaced by the GDPR and the GDPR Implementation Act on 25 May 2018.

All municipalities in the Netherlands keep records of their residents. The records of all municipalities together form one large database. That is the Personal Records Database (BRP).

In the case of phishing, cybercriminals send fake emails, often to email addresses obtained through a data breach. This way, they try to obtain information (such as login details) and use this information for gaining access to a network or system.

In addition to the GDPR, the police, special investigation services and special investigation officers have to deal with the Dutch Police Data Act (Wpg). This law is based on the European Law Enforcement Directive (LED).

Did a DPIA show that a processing operation that an organisation intends to perform would entail a great privacy risk? And is this organisation unable to take measures to mitigate this risk? Then the organisation will have to enter into consultations with The Autoriteit Persoonsgegevens (AP), the Dutch data protection authority. This is called prior consultation.

Careful handling of personal data can be stimulated organisationally and technically with privacy by design and default. Privacy by design means ensuring that personal data are properly protected when designing products and services. Privacy by default means that the default settings of a product or service (e.g. a mobile phone) are privacy-friendly.

People have a number of rights when organisations process their personal data. We call this privacy rights. For example, the right to access data, or to have data rectified or erased.

In a privacy statement, an organisation states, among other things, which personal data the organisation uses and why.

Personal data processing means anything that an organisation can do with personal data, from collecting to destroying.

A controller and a processor record in writing the agreements they have made about the processing in a processing agreement.

1. Under the GDPR, a processing ban applies to special categories of personal data and criminal data, unless there is a legal exception.
2. The Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, may impose a processing ban on an organisation. This is one of the sanctions of the AP. With this, the AP temporarily or permanently suspends the processing of personal data.

In the case of large-scale processing, an organisation processes personal data on a large scale. Whether it is 'on a large scale' depends on the number of data subjects, the amount of data, how long the processing takes and its geographical scope.

A processing register contains information about the personal data that an organisation processes. All organisations that process personal data are obliged to set up such a register.

A processor processes personal data on behalf of another organisation and does not use these personal data for its own purposes.

The requirement of proportionality means that the infringement of the privacy of the data subjects is proportionate to the purpose of the processing.

PSD2 is a European directive that sets out the rules for payment services.

Pseudonymising data is a security measure. Pseudonymisation of personal data makes tracing these data back to individuals more difficult.

Purpose limitation means that organisations may not suddenly use personal data that they have collected for a specific purpose for a completely different purpose. It is one of the basic principles of the GDPR.

Ransomware is a form of malware (malicious software) that takes a computer or files hostage. Usually, payment is demanded after that.

People have the right to ask organisations to rectify (modify or supplement) their data if they are not correct or incomplete. This is called the right to rectification.

A reprimand is one of the measures (sanctions) that the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, may impose. With this, the AP establishes a violation of the GDPR and indicates that it disapproves of this.

When the processing of personal data that has yet to be started entails privacy risks, but an organisation is unable to find (sufficient) measures to limit these risks. In that case, the organisation can apply to the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, for prior consultation.

People have the right to ask organisations to (temporarily) stop using their personal data. For example if they have asked an organisation to rectify or erase their data, but the organisation still has to assess this request. This is called the right to restriction of processing.

In a number of situations, organisations are required to erase someone's personal data if that person requests this. This is called the right to erasure or the 'right to be forgotten'.

People have a number of rights when organisations process their personal data. For example, the right to access data, or to have data rectified or erased. We also call this privacy rights.

The Schengen area includes 29 European countries (Schengen countries). EU residents are allowed to travel freely within these countries. Persons are checked at the external borders of the Schengen area.

Screening means that an organisation requests information about an applicant or existing employee in order to assess the reliability of this person.

Sensitive data are personal data that generally are considered privacy-sensitive, such as data on electronic communication, location data, financial data and the citizen service number.

Special categories of personal data are data that are so privacy-sensitive that processing of these data by an organisation may have a (more) significant impact on someone. For example, data about a person's health or political preference. That is why special categories of personal data are given extra protection in the GDPR.

A staff tracking system is a system for monitoring the attendance, behaviour or performance of employees. If an employer does not use a system to monitor employees but it is possible, this is also a staff tracking system. Staff tracking systems are therefore quite common in organisations.

A standard contract or model contract for the transfer of personal data to a third country, which has been approved by the European Commission.

Organisations must remove personal data as soon as they are no longer necessary for the original purpose for which they were collected. Organisations may therefore retain data for a specific period of time only. This is one of the basic principles of the GDPR.

Organisations can outsource the processing of personal data to another party. This is called the processor. If this processor outsources the processing to another party, that party is the subprocessor.

Subsidiarity means that the purpose of the processing cannot be achieved in any other way that is less intrusive on the privacy of the data subjects.

Processing that takes place according to a specific system, such as a processing operation that has been embedded in the systems or in the policy of an organisation.

Countries outside the European Economic Area (EEA).

If an organisation transfers personal data to another organisation or to a person outside the organisation, that other organisation or person is called a 'third party'.

According to the basic principles of the GDPR, organisations must process personal data in a manner that is 'transparent'. This means that it must be clear to data subjects how and why an organisation processes their personal data.

In order to be lawful, a processing operation must in any case be based on a legal basis from the GDPR. In addition, the processing may not be contrary to other legislation, such as a legal obligation of confidentiality. If the processing operation does not comply with this, it is unlawful.

This is one of the sanctions of the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority. The AP can issue a warning to an organisation if the organisation plans to process personal data in a manner that is contrary to the GDPR.