INTRODUCTION TO GDPR

UNIVERSITY COLLEGE LONDON

GLOSSARY AND KEY TERMS

Certification bodies can certify particular features, processes and functions of data
controllers and processors.

Codes of conduct help controllers and processors ensure that they are
implementing the particulars of GDPR correctly. The codes themselves can be
drawn up by independent associations who demonstrate the relevant experience
around the code of practice in question.

Consent is one of the six legal bases for processing data. "The data subject's
consent" means any freely given, specific and informed indication of his wishes by
which the data subject signifies his agreement to personal data relating to him
being processed.

Data controller is the natural or person, public authority, agency or other body
responsible for determining the purposes for and how data is processed by an
organisation.

Data lifecycles show how data is acquired from a data subject, and is then shared
and processed to provide the service that the data subject contracted to with the
controller. This illustrates how data can be further processed and proliferated, and
how data can in theory be destroyed if the data subject exercises their right to
erasure.

Data processing includes collecting, storing, retrieving, amending, deleting,

archiving, and sharing it, pretty much anything that will be done with the data.

Data processor means a natural or legal person, public authority, agency or any
other body which processes personal data on behalf of the controller.

Data protection impact assessments (DPIA) enable organisations to identify,

assess and mitigate or minimise risks associated with data processing activities.

FutureLearn 1
Data protection officers (DPOs) are employed to inform and advise an
organisation and its employees about their obligations to comply with GDPR and
other data protection laws.

Data subject is the natural person about whom personal data is processed.

Derogations are an exemption from or relaxation of a rule or law.

A Directive is a legal act of the European Union, which requires member states to
comply without dictating the exact terms of compliance.

Legal obligation is one of the six legal bases for processing personal data. An
organisation is permitted to process data in order to meet a legal or regulatory
obligation of the data controller.

Legitimate interest is one of the six legal bases for processing personal data. An
organisation is permitted to process data if it is necessary to allow the controller or
a third party to process data for their own purposes (for example to conduct
monthly reporting for things like business continuity or improve their services), as
long as they don't override the interests or fundamental rights and freedoms of the
natural person.

Natural person in GDPR means a living individual, pure and simple.

Performance of a contract is one of the six legal bases for processing personal
data. This includes providing data before entering into a contract and then after
processing data in accordance with that contract.

Performance of a task in the public interest is one of the six legal bases for
processing personal data. This includes the exercise of official authority vested in
the data controller, for example a public health authority exchanging medical data
during an epidemic.

Personal data is data that identifies individuals, such as names, addresses, phone
numbers, emails, passport numbers, government or fiscal identifiers, but also
location, computer information, like IP addresses, and browser metadata. GDPR
takes a broad view of personal data. If it identifies an individual directly or
indirectly, then it's likely to be personal data.

FutureLearn 2
Privacy notices is a notice written by a data controller that contains information
about processing of data, the data subject's rights in relation to that processing,
any legitimate interests of the controller and when a data subject must be notified
of a breach of personal data. It must be written in a concise, transparent,
intelligible and accessible form, using clear and plain language, in particular for any
information addressed specifically to a child.

Protect the vital interests of an individual is one of the six legal bases for
processing personal data. Data processing is permitted on this basis in order to
protect the vital interests of the individual or another individual such as if there was
a risk of harm.

A recipient is a natural or legal person, a public authority, or any other body to

which data is disclosed. In GDPR, the international transfer of data means the
sending of data outside of the European Union and European economic area.

Rights concerning automated processing and profiling are one of the seven
rights for the natural person established in GDPR. They relate to any kind of
decision making or profiling that happens without human intervention.

Special categories of personal data are types of personal data that are more
sensitive, for example, information regarding ethnicity, religious or philosophical
beliefs, political opinions, trade union memberships, genetic and biometric data,
sexual orientation, or data concerning an individual's physical or mental health.

A supervisory authority is the data privacy regulator in each of the EU member

states, for example, the Information Commissioner's Office in the UK, or
Commission nationale de l'informatique et des libertés in France.

The right of access is one of the seven rights for the natural person established in
GDPR. The individual has a right of access to their personal information and
supplementary information that is in line with what would go into a privacy notice.

The right to data portability is one of the seven rights for the natural person
established in GDPR. It is the right for individuals to have copies of data that they
provided to a controller, transmitted to themselves, or another controller.

The right to erasure is one of the seven rights for the natural person established in
GDPR. It is also known as “the right to be forgotten”, means simply the right to have
personal data deleted if there's no reason to continue its processing.
FutureLearn 3
The right to object is one of the seven rights for the natural person established in
GDPR. It means individuals can object to processing of data for legitimate interests,
or in the performance of a public interest task or exercise.

The right to restrict processing is one of the seven rights for the natural person
established in GDPR. It is the right to stop an organisation from processing data
that an individual believes is incorrect until it's been verified.

The seven rights for the natural person are rights for individuals that the GDPR
enshrines.

The six legal bases are the six independent foundations upon which an
organisation is legally permitted to process data.

The six principles of GDPR form the fundamental conditions which organisations
must follow when collecting, processing and managing the personal information
data for all European citizens.

Third party processor is any external party that is processing data on your behalf,
likely at the request of a data controller or other data processor as a subcontractor.

FutureLearn 4