Dictionary

A

  • Access

    People have the right of access to the personal data that organisations process about them. If someone asks an organisation for access, the organisation must provide information about which data it holds about this person, where the data come from, and what happens with them.

  • Accountability

    Accountability means that organisations must be able to demonstrate that they comply with the GDPR. This is also called the accountability principle.

  • Accuracy (of data)

    Accuracy is one of the basic principles of the GDPR. This means that organisations that process personal data must ensure that the data are accurate and that they update the data if necessary.

  • Adequacy decision

    With an adequacy decision, the European Commission determines that the level of data protection in a third country is comparable to that provided by the GDPR.

  • Alternative intervention

    The Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, may choose not to immediately initiate an official investigation and/or formal enforcement procedure, but to stop a violation in another way, for example through a warning letter or a conversation.

  • Anonymisation

    When personal data are anonymised, the data are changed in such a way that it is no longer possible to determine whom the data relate to.

  • Authentication

    Authentication is a security mechanism used for access control. It requires the (digital) identity of a user or system to be verified by a suitable means.

  • Authorisation

    To grant someone permission to access a system, a file or (personal) data.

  • Automated decision-making

    Automated or automatic decision-making involves a decision being made about someone automatically (by the computer). This is done based on data about that person, without a human being assessing these data.

B

  • Binding Corporate Rules (BCR)

    Binding corporate rules (BCR) are internal corporate rules for data transfers within an organisation, which international organisations or multinationals with branches both inside and outside the EEA can draw up.

  • Biometric data

    Examples of biometric personal data are fingerprints or facial images. These physical features are unique. That is why organisations can use them for identifying people or confirming their identity.

  • Black list

    A black list is a list of persons with whom an organisation does not want or no longer wants to do business, such as shoplifters or fraudulent employees. If the organisation wants to share the black list with other organisations, this may only be done with a permit from the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority.

C

  • Certification; certificate

    A certificate (or GDPR certificate) is a written statement that a product, process or service meets all or certain specified requirements of the GDPR.

  • Citizen Service Number (BSN)

    The Dutch citizen service number (BSN) is a unique personal identification number that is intended for the contact between citizens and the government.

  • Code of conduct

    A group of organisations, such as a branch of industry or a sector, can (voluntarily) draw up a GDPR code of conduct for the way in which these organisations handle personal data. In doing so, they demonstrate that they comply with the GDPR.

  • Compliance; compliant

    Complying with privacy legislation when processing personal data.

  • Concerned supervisory authority

    In an international investigation, one data protection supervisory authority from the EU is in charge. It collaborates with the supervisory authorities of the other EU countries where the data processing has impact. These other supervisory authorities, who are not in charge, are called the concerned supervisory authorities.

  • Connected vehicle

    A connected vehicle is a car, motorcycle, scooter or bicycle that is connected to the Internet and can collect and exchange all kinds of data, for example, how you drive and travel. This can provide a lot of information about you and your life.

  • Controller

    The controller is an organisation or a person that determines the purpose of and the means for the use of personal data.

  • Core activities

    An organisation's core activities include the processes that are essential to achieving the organisation's goals, or that are part of the main tasks of the organisation.

  • Covert monitoring

    Monitoring people without their knowledge.

  • Credit scoring

    To assess the creditworthiness of a potential customer, or in other words, to assess whether that person is able to pay the bills. For example, regarding a loan or mobile phone contract.

  • Criminal data

    Criminal data are data relating to criminal convictions and offences, or to related security measures.

  • Cross-border data processing

    Cross-border data processing occurs if an organisation also processes personal data outside its own EU Member State. For example, in the Netherlands as well as in Germany, or a country outside the EU. Or if people in more than one Member State are (likely to be) significantly affected by the data processing.

D

  • Data breach

    A data breach involves access to personal data that is not permitted or not intended. This is caused by a breach of the security of these data. The unwanted destruction, loss, alteration or provision of personal data due to such a breach also falls under the definition of a data breach.

  • Data breach notification obligation

    Organisations that have a serious data breach must notify the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, and sometimes the victims as well, in a timely manner.

  • Data breach register

    Under the GDPR, organisations are required to set up and maintain a data breach register. In this register, they keep a record of which data breaches have occurred in the organisation.

  • Data minimisation

    When processing personal data, organisations have to proceed from the principle 'as few as possible'. This means you are not allowed to process more data than necessary. It is one of the basic principles of the GDPR.

  • Data portability

    People have a right to data portability. This means that in certain situations, they have the right to receive the personal data that organisations have about them. Or to have such data transferred directly to another organisation.

  • Data protection impact assessment (DPIA)

    A data protection impact assessment (DPIA) is an instrument for identifying the privacy risks of a data processing operation in advance, so that the organisation can take measures to mitigate these risks.

  • Data Protection Officer (DPO)

    A Data Protection Officer (DPO) supervises the application of and compliance with the privacy legislation within an organisation.

  • Data subject(s)

    The person or persons whose personal data an organisation processes.

E

  • ECHR

    Abbreviation of the European Convention for the Protection of Human Rights and Fundamental Freedoms of 1950. Article 8 of the ECHR concerns the 'right to respect for privacy'.

  • Encryption

    Encrypting information makes it incomprehensible to unauthorised persons. This is a security measure. This does not make the data anonymous.

  • European Data Protection Board (EDPB)

    The European Data Protection Board (EDPB) is an independent body in which all national data protection agencies from the EEA work together.

  • European Economic Area (EEA)

    The European Economic Area (EEA) includes all EU countries plus Liechtenstein, Norway and Iceland.

  • Exception for personal or domestic use

    Is a publication of personal data intended exclusively for personal or domestic use? And therefore not for professional or commercial purposes? In that case, no consent from the data subject(s) is required for publication, because the GDPR does not apply.

  • Excessive

    The processing of personal data is excessive if more personal data are processed than is necessary for the purpose of the processing.

F

  • Fair

    According to the basic principles of the GDPR, organisations must process personal data in a manner that is 'fair'. That means: honest. For example, processing may not be misleading or discriminatory.

  • Fine

    This is an enforcement measure that means that a violator of privacy legislation must pay a sum of money to the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, as a penalty. A fine amounts to a maximum of 20 million euros or 4% of the global annual turnover.

G

  • GDPR Implementation Act

    On a number of points, the General Data Protection Regulation (GDPR) leaves room for national choices. In the Netherlands, these have been elaborated in the GDPR Implementation Act (UAVG).

  • General Administrative Law Act (Awb)

    The Dutch General Administrative Law Act (Awb) sets out how the government must prepare and announce decisions. And within what time frame the government must make a decision. In addition, this act contains rules for submitting and handling objections and appeals.

  • General Data Protection Regulation (GDPR)

    The General Data Protection Regulation (GDPR), together with the Law Enforcement Directive (LED), is the main privacy legislation, applying throughout the EEA.

I

  • Identity document

    An identity document is a tool that allows people to identify themselves: to prove that they are who they say they are.

  • Identity fraud

    In the case of identity fraud, criminals misuse false or stolen identity data. For example, they buy items in someone else's name without paying.

  • Indirectly identifying personal data

    Indirectly identifying personal data cannot be directly traced back to a specific person, but this becomes possible when they are combined with each other or with other data.

  • Information obligation

    Every organisation that processes personal data has an obligation to provide information. This means that the organisation is obliged to inform people clearly about what it does with their personal data and why.

  • Integrity (of data)

    'Confidentiality and integrity' is one of the basic principles of the GDPR. This principle means that any data processing must be secured in an appropriate manner so that personal data cannot be illegally modified.

  • Internet of Things

    In addition to PCs, laptops and smartphones, more and more other devices are connected to the Internet and communicate among themselves. For example, smart TVs, cars, wearables (such as a smartwatch), toys, fridges, music systems, lights and thermostats. Together, these devices form the Internet of Things.

J

  • Joint controllership; joint controllers

    When multiple organisations jointly determine for what purpose and in what manner they process personal data. In that case, there are multiple controllers, or in other words, there is joint controllership. The organisations must then record how they structure their responsibility for compliance with the GDPR.

  • Journalistic exception

    Journalistic exception means that certain exceptions to the GDPR apply to journalistic publications. For example, the author does not have to ask consent from the data subjects for the use of their personal data.

  • Judicial Data and Criminal Records Act (Wjsg)

    In addition to the GDPR, the judiciary has to deal with the Dutch Judicial Data and Criminal Records Act (Wjsg). This law is based on the European Law Enforcement Directive (LED).

L

  • Law Enforcement Directive (LED)

    In addition to the GDPR, a separate European directive was introduced for data protection by authorities responsible for law enforcement, including the police and the judiciary. This is the Law Enforcement Directive (LED).

  • Lawful; lawfulness

    'Lawfulness' is one of the 6 basic principles of the GDPR. In order to be lawful, processing must be based in any case on a legal basis from the GDPR. In addition, the processing may not be contrary to other legislation, such as a legal obligation of confidentiality.

  • Lead supervisory authority

    Organisations that carry out cross-border processing operations have to deal with one data protection authority. That is the lead supervisory authority, usually the supervisory authority in the member state in which the main establishment of an organisation is located.

  • Legislative test

    The Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, pre-tests new proposals for laws and regulations that relate to the processing of personal data. The government is obliged to ask the AP for such a legislative test.

  • Logging; log file

    Logging is a security measure. It is used for recording events in systems. For example, who viewed or modified certain data and when this happened. It also includes attempts to gain unauthorised access.

M

  • Multifactor authentication

    Multifactor authentication is a technique that requires a person or a system to use a combination of at least 2 different types of authentication factors in order to gain access.

N

  • Necessity; necessary; necessity requirement

    According to the GDPR, personal data may only be processed if this is necessary to achieve a specific purpose. Necessity consists of two requirements: proportionality and subsidiarity.

O

  • One-stop shop mechanism

    An organisation may process personal data in several member states of the European Union (EU). Or in one member state, but of people from several member states. The organisation, however, has to deal with one data protection agency only. This is called the one-stop shop mechanism or one-stop shop.

  • Open Government Act (Woo)

    The Dutch Open Government Act (Woo) regulates the right to information about everything the government does. If the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, receives a request to make certain information public, it will make a decision on this. This is called a Woo decision.

  • Order subject to a penalty

    One of the sanctions of the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority. An organisation is given a certain amount of time to end a violation. If this does not happen (in time), the organisation must pay a predetermined amount for each day or week that the violation continues.

P

  • Payment service

    Consumers can use various payment services, for example for payments via their smartphone, an automatic household budget book or advice on savings.

  • Payment service provider

    The company behind a payment service is called the payment service provider.

  • Permit

    Organisations that want to process criminal data and share these data with others often have to apply to the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, for a permit first.

  • Personal data

    Personal data concerns information that is either directly about someone, or can be indirectly traced back to this person. For example, by combining multiple personal data.

  • Personal Data Protection Act (Wbp)

    The old privacy law in the Netherlands, which was replaced by the GDPR and the GDPR Implementation Act on 25 May 2018.

  • Personal Records Database (BRP)

    All municipalities in the Netherlands keep records of their residents. The records of all municipalities together form one large database. That is the Personal Records Database (BRP).

  • Phishing

    In the case of phishing, cybercriminals send fake emails, often to email addresses obtained through a data breach. This way, they try to obtain information (such as login details) and use this information for gaining access to a network or system.

  • Police Data Act (Wpg)

    In addition to the GDPR, the police, special investigation services and special investigation officers have to deal with the Dutch Police Data Act (Wpg). This law is based on the European Law Enforcement Directive (LED).

  • Prior consultation

    Did a DPIA show that a processing operation that an organisation intends to perform would entail a great privacy risk? And is this organisation unable to take measures to mitigate this risk? Then the organisation will have to enter into consultations with the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority. This is called prior consultation.

  • Privacy by design and default

    Careful handling of personal data can be stimulated organisationally and technically with privacy by design and default. Privacy by design means ensuring that personal data are properly protected when designing products and services. Privacy by default means that the default settings of a product or service (e.g. a mobile phone) are privacy-friendly.

  • Privacy rights

    People have a number of rights when organisations process their personal data. We call this privacy rights. For example, the right to access data, or to have data rectified or erased.

  • Privacy statement

    In a privacy statement, an organisation states, among other things, which personal data the organisation uses and why.

  • Processing

    Personal data processing means anything that an organisation can do with personal data, from collecting to destroying.

  • Processing agreement

    A controller and a processor record in writing the agreements they have made about the processing in a processing agreement.

  • Processing ban

    1. Under the GDPR, a processing ban applies to special categories of personal data and criminal data, unless there is a legal exception.
    2. The Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, may impose a processing ban on an organisation. This is one of the sanctions of the AP. With this, the AP temporarily or permanently suspends the processing of personal data.

  • Processing on a large scale

    In the case of large-scale processing, an organisation processes personal data on a large scale. Whether it is 'on a large scale' depends on the number of data subjects, the amount of data, how long the processing takes and its geographical scope.

  • Processing register

    A processing register contains information about the personal data that an organisation processes. All organisations that process personal data are obliged to set up such a register.

  • Processor

    A processor processes personal data on behalf of another organisation and does not use these personal data for its own purposes.

  • Proportionality; proportional

    The requirement of proportionality means that the infringement of the privacy of the data subjects is proportionate to the purpose of the processing.

  • PSD2

    PSD2 is a European directive that sets out the rules for payment services.

  • Pseudonymisation

    Pseudonymising data is a security measure. Pseudonymisation of personal data makes tracing these data back to individuals more difficult.

  • Purpose limitation

    Purpose limitation means that organisations may not suddenly use personal data that they have collected for a specific purpose for a completely different purpose. It is one of the basic principles of the GDPR.

R

  • Ransomware

    Ransomware is a form of malware (malicious software) that takes a computer or files hostage. Usually, payment is demanded after that.

  • Rectification (of data); right to rectification

    People have the right to ask organisations to rectify (modify or supplement) their data if they are not correct or incomplete. This is called the right to rectification.

  • Reprimand

    A reprimand is one of the measures (sanctions) that the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, may impose. With this, the AP establishes a violation of the GDPR and indicates that it disapproves of this.

  • Residual risks

    Residual risks arise when the processing of personal data that has yet to be started entails privacy risks, but the organisation is unable to find (sufficient) measures to limit these risks. In that case, the organisation can apply to the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, for prior consultation.

  • Restriction of processing

    People have the right to ask organisations to (temporarily) stop using their personal data. For example if they have asked an organisation to rectify or erase their data, but the organisation still has to assess this request. This is called the right to restriction of processing.

  • Right to be forgotten

    In a number of situations, organisations are required to erase someone's personal data if that person requests this. This is called the right to erasure or the 'right to be forgotten'.

  • Rights of data subjects

    People have a number of rights when organisations process their personal data. For example, the right to access data, or to have data rectified or erased. We also call this privacy rights.

S

  • Schengen area

    The Schengen area includes 29 European countries (Schengen countries). EU residents are allowed to travel freely within these countries. Persons are checked at the external borders of the Schengen area.

  • Screening

    Screening means that an organisation requests information about an applicant or existing employee in order to assess the reliability of this person.

  • Sensitive data

    Sensitive data are personal data that generally are considered privacy-sensitive, such as data on electronic communication, location data, financial data and the citizen service number.

  • Special categories of personal data

    Special categories of personal data are data that are so privacy-sensitive that processing of these data by an organisation may have a (more) significant impact on someone. For example, data about a person's health or political preference. That is why special categories of personal data are given extra protection in the GDPR.

  • Staff tracking system

    A staff tracking system is a system for monitoring the attendance, behaviour or performance of employees. Even if an employer does not actually use a system to monitor employees but could do so, this is also a staff tracking system. Staff tracking systems are therefore quite common in organisations.

  • Standard contractual clauses (SCCs)

    A standard contract or model contract for the transfer of personal data to a third country, which has been approved by the European Commission.

  • Storage limitation

    Organisations must remove personal data as soon as they are no longer necessary for the original purpose for which they were collected. Organisations may therefore retain data for a specific period of time only. This is one of the basic principles of the GDPR.

  • Subprocessor

    Organisations can outsource the processing of personal data to another party. This is called the processor. If this processor outsources the processing to another party, that party is the subprocessor.

  • Subsidiarity

    Subsidiarity means that the purpose of the processing cannot be achieved in any other way that is less intrusive on the privacy of the data subjects.

  • Systematically

    Processing that takes place according to a specific system, such as a processing operation that has been embedded in the systems or in the policy of an organisation.

T

  • Third countries

    Countries outside the European Economic Area (EEA).

  • Third party

    If an organisation transfers personal data to another organisation or to a person outside the organisation, that other organisation or person is called a 'third party'.

  • Transparency; transparent

    According to the basic principles of the GDPR, organisations must process personal data in a manner that is 'transparent'. This means that it must be clear to data subjects how and why an organisation processes their personal data.

U

  • Unlawful; unlawfulness

    In order to be lawful, a processing operation must in any case be based on a legal basis from the GDPR. In addition, the processing may not be contrary to other legislation, such as a legal obligation of confidentiality. If the processing operation does not comply with this, it is unlawful.

W

  • Warning

    This is one of the sanctions of the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority. The AP can issue a warning to an organisation if the organisation plans to process personal data in a manner that is contrary to the GDPR.