Use this glossary like a GDPR checklist to make sure you understand the terms used within the GDPR articles as part of your GDPR training. GDPR and other data regulations are ever-changing, so expect regular updates to this list. Have something you need help with? Get in touch and see if we can help.
Accountability
Principle intended to ensure that controllers are more generally in control and in the position to ensure and demonstrate compliance with data protection principles in practice. Accountability requires that controllers put in place internal mechanisms and control systems that ensure compliance and provide evidence – such as audit reports – to demonstrate compliance to external stakeholders, including supervisory authorities.
Anti-Counterfeiting Trade Agreement (ACTA)
The Anti-Counterfeiting Trade Agreement (ACTA) is a proposed multilateral trade agreement for establishing international standards on intellectual-property-rights enforcement throughout the participating countries. Its proponents describe it as a response “to the increase in global trade of counterfeit goods and pirated copyright-protected works.” The scope of ACTA is broad, including counterfeit goods, generic medicines, and “piracy over the Internet”.
In February 2010, the EDPS issued an opinion on the negotiations aimed at adopting the new agreement in which he warned against its potential incompatibility with the EU data protection regime.
Adequacy decision
An “adequacy decision” is a decision adopted by the European Commission on the basis of Article 25(6) of Directive 95/46/EC, which establishes that a third country ensures an adequate level of protection of personal data by reason of its domestic law or the international commitments it has entered into.
The effect of such a decision is that personal data can flow from the 27 EU Member States and the three European Economic Area member countries (Norway, Liechtenstein and Iceland) to that third country, without any further safeguards.
The Commission has so far issued seven adequacy decisions recognizing Switzerland, Canada, Argentina, Guernsey, Isle of Man, the US Department of Commerce’s Safe Harbor Privacy Principles, and the transfer of Air Passenger Name Record (PNR) data to the United States’ Bureau of Customs and Border Protection as providing adequate protection.
Adequacy decisions are adopted pursuant to the so-called “comitology procedure”, which involves the following steps:
- a proposal from the Commission;
- an opinion of the Article 29 Working Party;
- an opinion of the Article 31 Committee delivered by a qualified majority of Member States;
- at any time, the European Parliament and the Council may request the Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the Directive; and
- the adoption of the decision by the College of Commissioners.
See also: Commission Adequacy Decision
Article 29 Working Party
The “Article 29 Working Party” is the short name of the Data Protection Working Party established by Article 29 of Directive 95/46/EC. It provides the European Commission with independent advice on data protection matters and helps in the development of harmonised policies for data protection in the EU Member States.
The Working Party is composed of:
- representatives of the national supervisory authorities in the Member States;
- a representative of the European Data Protection Supervisor (EDPS);
- a representative of the European Commission (the latter also provides the secretariat for the Working Party).
Article 31 Committee
The Article 31 Committee was established by Article 31 of Directive 95/46/EC.
It is composed of representatives of the Member States who cooperate in taking decisions whenever Member States’ approval is required under the Directive. By way of example, the Committee cooperates in the procedure for the adoption of adequacy decisions.
Automated individual decision
An “automated individual decision” is a decision which significantly affects a person and which is based solely on automated processing of personal data in order to evaluate this person. Such an evaluation may relate to different personal aspects, such as performance at work, creditworthiness, reliability, conduct, etc.
Article 15 of Directive 95/46/EC and Article 19 of Regulation (EC) No 45/2001 lay down the right for individuals to object to decisions about them and solely based on automated means, unless certain conditions are fulfilled or appropriate safeguards are put in place.
Berlin Group
The International Working Group on Data Protection in Telecommunications (IWGDPT) was established in 1983 on the initiative of a number of national data protection authorities around the world. The secretariat has since then been provided by the data protection authority of Berlin (Berliner Datenschutzbeauftragter). Membership in the Group is not limited to national data protection authorities, but extends also to representatives from the private and NGO sectors.
Over the last years, the Group has focused on data protection and privacy related issues of information technology in the wide sense, with a special focus on Internet-related developments.
Best available techniques
Best Available Techniques refer to the most effective and advanced stage in the development of activities and their methods of operation, which indicate the practical suitability of particular techniques for providing in principle the basis for complying with the EU data protection framework. They are designed to prevent or mitigate risks on privacy and security.
Council Directive 96/61/EC of 24 September 1996 concerning integrated pollution prevention and control provides for the following definitions, which could be applied by analogy:
- “techniques” shall include both the technology used and the way in which the system is designed, built, maintained, operated and replaced;
- “available” techniques shall mean those developed on a scale which allows implementation in the relevant sector, under economically and technically viable conditions, taking into consideration the costs and advantages, whether or not the techniques are used or produced inside the Member State in question, as long as they are reasonably accessible to the operator;
- “best” shall mean most effective in achieving a high general level of protection.
Binding corporate rules
Binding corporate rules (BCRs) are a legal tool that can be used by multinational companies to ensure an adequate level of protection for the intra-group transfers of personal data from a country in the EU or the European Economic Area (EEA) to a third country.
The use of BCRs requires, in principle, the approval of each of the EU or EEA data protection authorities from whose country the data are to be transferred.
The Article 29 Working Party has adopted a number of documents to guide companies willing to use this tool:
- WP 107: Working Document Setting Forth a Co-Operation Procedure for Issuing Common Opinions on Adequate Safeguards Resulting From “Binding Corporate Rules” (pdf);
- WP 108: Working Document Establishing a Model Checklist Application for Approval of Binding Corporate Rules (pdf);
- WP 133: Recommendation 1/2007 on the Standard Application for Approval of Binding Corporate Rules for the Transfer of Personal Data;
- WP 153: Working Document setting a table with the elements and principles to be found in Binding Corporate Rules (pdf);
- WP 154: Working Document Setting up a framework for the structure of Binding Corporate Rules (pdf);
- WP 155: Working Document on Frequently Asked Questions (FAQs) related to Binding Corporate Rules (pdf)
Biometrics
Biometrics or biometric systems are methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioural traits.
Such methods have already been used for a long time. However, the new element which triggers data protection considerations is that a machine can now automatically conduct these methods and possibly recognise humans with measurable accuracy.
Blocking
Blocking means the freezing of data by the controller at a given moment for a specific period of time. Access to the blocked data is limited to competent persons only.
As provided by Article 15 of Regulation (EC) No 45/2001, the data subject shall have the right to obtain from the controller the blocking of data where:
- their accuracy is contested by the data subject, for a period enabling the controller to verify the accuracy, including the completeness, of the data;
- or the controller no longer needs them for the accomplishment of its tasks but they have to be maintained for purposes of proof;
- or the processing is unlawful and the data subject opposes their erasure and demands their blocking instead.
Personal data blocked can only be processed for purposes of proof, or with the data subject’s consent, or for the protection of the rights of a third party.
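One way a controller could enforce the blocking rule just described in its own systems is shown below. This is an added example, not code from the glossary or from any EU institution; the Record class, the role names (“dpo”, “records_officer”, “analyst”) and the purpose labels are this example's own assumptions about how the rule might be modelled.

```python
"""Enforcing the 'blocking' restrictions described in the entry above.

Added example, not code from the glossary or from any EU institution. The
Record class, the role names and the purpose labels are this example's own
assumptions about how a controller might model the rule in its systems.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Set

# Grounds on which Article 15 of Regulation (EC) No 45/2001, as paraphrased in
# the glossary entry, lets a data subject demand blocking.
BLOCKING_GROUNDS = {"accuracy_contested", "needed_for_proof", "unlawful_processing"}

# Purposes for which blocked data may still be processed (besides consent).
PERMITTED_WHEN_BLOCKED = {"proof", "third_party_rights"}

# Roles deemed competent to touch blocked data (constructed for the example).
COMPETENT_ROLES = {"dpo", "records_officer"}


class BlockedDataError(PermissionError):
    """Raised when blocked data would be processed outside the permitted cases."""


@dataclass
class Record:
    subject_id: str
    payload: dict
    blocked_until: Optional[datetime] = None
    blocking_ground: Optional[str] = None
    consented_purposes: Set[str] = field(default_factory=set)

    def is_blocked(self, now: datetime) -> bool:
        return self.blocked_until is not None and now < self.blocked_until

    def block(self, ground: str, period: timedelta, now: datetime) -> None:
        """Freeze the data from `now` for a specific period."""
        if ground not in BLOCKING_GROUNDS:
            raise ValueError(f"not a recognised ground for blocking: {ground!r}")
        self.blocked_until = now + period
        self.blocking_ground = ground

    def process(self, purpose: str, actor_role: str, now: datetime) -> dict:
        """Return the data if processing for `purpose` by `actor_role` is allowed."""
        if not self.is_blocked(now):
            return self.payload
        # Blocked: first, only competent persons may access the data at all ...
        if actor_role not in COMPETENT_ROLES:
            raise BlockedDataError(f"role {actor_role!r} may not access blocked data")
        # ... and then only for proof, third-party rights, or with consent.
        if purpose in PERMITTED_WHEN_BLOCKED or purpose in self.consented_purposes:
            return self.payload
        raise BlockedDataError(
            f"blocked ({self.blocking_ground}): purpose {purpose!r} not permitted")


def run_scenario() -> dict:
    """Constructed walk-through; returns what each access attempt yielded."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    record = Record("subject-1", {"email": "a@example.test", "balance": 42})
    out = {"before_block": record.process("marketing", "analyst", now)}

    record.block("accuracy_contested", timedelta(days=30), now)
    out["blocked"] = record.is_blocked(now)

    def attempt(purpose: str, role: str, when: datetime) -> str:
        try:
            record.process(purpose, role, when)
            return "allowed"
        except BlockedDataError:
            return "refused"

    out["marketing_by_analyst"] = attempt("marketing", "analyst", now)
    out["proof_by_analyst"] = attempt("proof", "analyst", now)
    out["proof_by_dpo"] = attempt("proof", "dpo", now)
    out["marketing_by_dpo"] = attempt("marketing", "dpo", now)
    record.consented_purposes.add("marketing")
    out["marketing_by_dpo_with_consent"] = attempt("marketing", "dpo", now)
    out["after_period"] = attempt("marketing", "analyst", now + timedelta(days=31))
    try:
        record.block("because_i_said_so", timedelta(days=1), now)
        out["bad_ground_rejected"] = False
    except ValueError:
        out["bad_ground_rejected"] = True
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The two checks in `process` are deliberately ordered: the role check implements “access limited to competent persons”, and only after that does the purpose check apply the three permitted grounds, so a non-competent actor is refused even for a permitted purpose.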
CCTV
CCTV stands for “closed circuit television”. It is a television system comprised of a camera or a set of cameras monitoring a specific protected area, with additional equipment used for viewing and/or storing the CCTV footage. The term itself originates from the fact that, as opposed to broadcast television, CCTV is usually a “closed” rather than “open” system with a limited number of viewers.
CCTV has been traditionally used for surveillance in specific locations with increased security needs such as banks, airports, military installations. In addition, in industrial plants, CCTV equipment has been used to remotely observe processes, for example, in hazardous environments. Increasing use of CCTV in public places has caused debate over public surveillance versus privacy.
See also: Video-surveillance
Cloud computing
Cloud computing is Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand. It is a “paradigm shift” following the shift from mainframe to client–server in the early 1980s. Cloud computing describes a new consumption and delivery model for IT services based on the Internet, and it typically involves the provision of dynamically scalable and often virtualised resources as a service over the Internet. It is a by-product and consequence of the ease-of-access to remote computing sites provided by the Internet.
Complaint
According to Article 32.2 of Regulation (EC) No 45/2001, “Every data subject may lodge a complaint with the European Data Protection Supervisor if he or she considers that his or her rights under Article 286 of the Treaty have been infringed as a result of the processing of his or her personal data by a Community institution or body.”
Article 33 of the Regulation also provides that “Any person employed with a Community institution or body may lodge a complaint with the European Data Protection Supervisor regarding an alleged breach of the provisions of this Regulation governing the processing of personal data, without acting through official channels”.
Anyone who believes that an EU institution or body violates his/her rights with regard to the processing of personal data may file a complaint with the European Data Protection Supervisor (EDPS). A staff member of an EU institution or body may also lodge a complaint with the EDPS even if he or she is not directly concerned by the violation.
In general, complainants are recommended to turn to the EDPS only after having contacted the controller and/or the Data protection officer of the institution or body concerned. However, complaints can also be lodged directly with the EDPS if this is deemed necessary.
Complaints to the EDPS must be in writing, either on paper or electronically, in principle using the complaint submission form available on the EDPS website. This form can be completed and sent electronically. Alternatively, it can be sent by fax or post including all relevant information as well as any supporting evidence.
If a complaint is found admissible, the EDPS will conduct an inquiry if he finds this appropriate. If the case is not resolved satisfactorily during the course of his inquiry, the EDPS will try to find a friendly solution which satisfies the complainant. If the attempt at conciliation fails, the EDPS may order the rectification, blocking, erasure or destruction of data or even impose a ban on a particular data processing.
The EDPS is not competent to deal with issues involving national authorities or private entities in the EU countries, and has no power to compensate the person concerned by the violation of data protection rules.
In order to ensure the consistent treatment of complaints concerning data protection and to avoid unnecessary duplication, the European Ombudsman and the EDPS have signed a Memorandum of Understanding (pdf). It stipulates, among other things, that a complaint that has already been brought forward should not be reopened by the other institution unless significant new evidence is submitted.
Confidentiality
Confidentiality in a general sense refers to the duty not to share information with persons who are not qualified to receive that information. In a more specific sense, it refers to the confidentiality of communications provided for in Article 5 of the E-privacy Directive 2009/136/EC and in Article 36 of Regulation (EC) No 45/2001.
Confidentiality of processing also refers to the obligation of any person acting under the authority of the controller or the processor, who has access to personal data, not to process them except on instructions from the controller, unless he is required to do so by law (see Article 16 of Directive 95/46/EC and Article 21 of Regulation (EC) No 45/2001).
Consent
In data protection terminology, consent refers to any freely given, specific and informed indication of the wishes of a data subject, by which he/she agrees to personal data relating to him/her being processed (see Article 2 sub (h) of Data Protection Directive 95/46/EC and Article 2 sub (h) of Regulation (EC) No 45/2001).
Consent is an important element in data protection legislation, as it is one of the conditions that can legitimise processing of personal data. If it is relied upon, the data subject must unambiguously have given his/ her consent to a specific processing operation, of which he/she shall have been properly informed. The obtained consent can only be used for the specific processing operation for which it was collected, and may in principle be withdrawn without retroactive effect.
See also: Q&A on Consent
Controller
(See Data controller)
Convention 108 (Council of Europe)
Convention 108 refers to the Convention for the Protection of Individuals with regard to automatic processing of personal data which was adopted by the Council of Europe in 1981.
This Convention is the first legally binding international instrument adopted in the field of data protection.
It sets out minimum standards aimed at protecting the individuals against abuses which may accompany the collection and processing of personal data. It also seeks to regulate the transborder flow of personal data.
A total of 40 European states have ratified the Convention so far.
Cookies
Short text files stored on the user’s device by a web site. Cookies are normally used to provide a more personalised experience and to remember a user profile without the need for a specific login. They can also be placed by third parties (such as an advertising network) on end users’ devices and may be used to track users as they browse across different websites associated with that third party.
See also: E-privacy Directive 2009/136/EC
Council Working Party on Data Protection
The Council Working Party on Data Protection was originally set up to deal with the foundations of the EC policy on data protection, such as Directive 95/46/EC, Directive 97/66/EC and Regulation EC (No) 45/2001. It allows for a more horizontal approach in first pillar matters.
Organisation of meetings and their frequency depend on the Presidency of the Council. More recent meetings have included discussions on Commission’s initiatives in the field of PETs or RFID, and other subjects like Member States’ experience with Directive 95/46/EC. The EDPS priorities for consultation on new legislation as well as his Annual Report have also been on the agenda of the meetings.
Data controller
Under Regulation (EC) 45/2001, the data controller is the institution or body that determines the purposes and means of the processing of personal data. In particular, the controller has the duties of ensuring the quality of data and, in the case of the EU institutions and bodies, of notifying the processing operation to the data protection officer (DPO). In addition, the data controller is also responsible for the security measures protecting the data.
The controller is also the entity that receives requests from data subjects to exercise their rights.
The controller must co-operate with the DPO, and may consult him or her for an opinion on any data protection related question.
See also: Q&A on Controller
Data minimization
The principle of “data minimization” means that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose. They should also retain the data only for as long as is necessary to fulfil that purpose. In other words, data controllers should collect only the personal data they really need, and should keep it only for as long as they need it.
The data minimization principle derives from Article 6.1(b) and (c) of Directive 95/46/EC and Article 4.1(b) and (c) of Regulation EC (No) 45/2001, which provide that personal data must be “collected for specified, explicit and legitimate purposes” and must be “adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed”.
Data mining
Data mining is the process of analysing data from different perspectives and summarising it into useful new information. Data mining software is one of a number of tools for interrogating data. It allows users to analyse data from many different dimensions or angles, categorise it, and summarise the relationships identified. Technically, data mining is the process of finding correlations or patterns among dozens of fields in large relational databases. It is commonly used in a wide range of profiling practices, such as marketing, surveillance, fraud detection and scientific discovery. For data mining to be effective, it is necessary to analyse large amounts of previously collected data.
Data portability
The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine-readable format. It also gives them the right to request that a controller transmits this data directly to another controller.
- The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
- It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
- Doing this enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits.
- The right only applies to information an individual has provided to a controller.
Some organisations in the UK already offer data portability through midata and similar initiatives which allow individuals to view, access and use their personal consumption and transaction data in a way that is portable and safe.
Data protection authority
A data protection authority is an independent body which is in charge of:
- monitoring the processing of personal data within its jurisdiction (country, region or international organization);
- providing advice to the competent bodies with regard to legislative and administrative measures relating to the processing of personal data;
- hearing complaints lodged by citizens with regard to the protection of their data protection rights.
According to Article 28 of Directive 95/46/EC, each Member State shall establish in its territory at least one data protection authority, which shall be endowed with investigative powers (such as access to data, collection of information, etc.), effective powers of intervention (power to order the erasure of data, to impose a ban on a processing, etc.), and the power to start legal proceedings when data protection law has been violated.
National data protection authorities have been established in almost all European countries, as well as in many other countries worldwide.
Data protection coordinator
In addition to the data protection officer foreseen by Regulation (EC) No 45/2001, some EU institutions have appointed a data protection coordinator in order to coordinate all data protection aspects in the relevant DG, Department or Unit.
See also: List of data protection coordinators
Data Protection Directive 95/46/EC
Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (also known as “Data Protection Directive”) is the centrepiece legislation at EU level in the field of data protection.
The Directive is a framework law, meaning that it is implemented in EU Member States through national laws.
It aims to protect the rights and freedoms of persons with respect to the processing of personal data by laying down guidelines determining when the processing is lawful. The guidelines mainly relate to:
- the quality of the data;
- the legitimacy of the processing;
- the processing of special categories of data;
- information to be given to the data subject;
- the data subject’s right of access to data;
- the right to object to the processing of data;
- the confidentiality and security of processing;
- the notification of the processing to a supervisory authority.
The Directive also sets out principles for the transfer of personal data to third countries and provides for the establishment of data protection authorities in each EU Member State.
Data Protection Day
The Member States of the Council of Europe and the European institutions celebrate Data Protection Day each year on 28 January.
This date marks the anniversary of the Council of Europe’s Convention 108, the first legally binding international instrument related to data protection.
The EDPS usually takes part in the celebration of the event by setting up an information stand in the main EU institutions.
Data protection officer
Each Community institution and body shall, in order to comply with Regulation (EC) 45/2001, have a data protection officer (DPO). The DPO shall ensure the internal application of the Regulation and that the rights and freedoms of the data subjects are not likely to be adversely affected by the processing operations.
The DPO shall also keep a register of processing operations that have been notified by the controllers of the institution or body where he or she works.
Data quality
Personal data must be:
- processed fairly and lawfully;
- collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing for historical, statistical or scientific purposes shall not be considered incompatible provided that appropriate safeguards have been provided by the controller;
- adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
- accurate and, where necessary, kept up to date; and
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they were collected or further processed. If data are stored for longer periods for historical, statistical or scientific use, they should be kept either in anonymous form only or, if not possible, only with the identity of the data subjects encrypted.
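The data minimization entry and the data quality principles above both come down to two controls a controller can build into a system: accept only the fields a specified purpose needs, and stop holding identifiable data once the purpose is served. The block below is an added example showing both; it is not code from the glossary or from any EU institution. The purpose registry, its field lists and retention periods, and the use of a keyed HMAC-SHA256 token (a pseudonym, standing in for the “identity ... encrypted” that the text mentions) are all this example's own assumptions.

```python
"""Enforcing data minimisation and storage limitation at the point of collection.

Added example for the 'data minimization' and 'data quality' entries; it is not
code from the glossary or from any EU institution. The purpose registry, the
retention periods and the HMAC pseudonym are this example's own assumptions.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Fields that identify the data subject directly; these must be removed or
# replaced when data are kept beyond the retention period for statistics.
IDENTIFYING_FIELDS = {"name", "email", "postal_address"}

# Purpose registry (constructed for the example): the only fields that are
# "adequate, relevant and not excessive" for each specified purpose, and how
# long the data are needed in identifiable form.
PURPOSES = {
    "order_fulfilment": {
        "fields": {"name", "email", "postal_address", "order_id", "country"},
        "retention": timedelta(days=365),
    },
    "newsletter": {
        "fields": {"email"},
        "retention": timedelta(days=730),
    },
}


class ExcessiveDataError(ValueError):
    """Raised when more data are submitted than the stated purpose allows."""


def collect(purpose: str, submitted: dict, collected_at: datetime,
            statistical_use: bool = False) -> dict:
    """Accept a record only if every field is permitted for the stated purpose."""
    spec = PURPOSES[purpose]
    excess = set(submitted) - spec["fields"]
    if excess:
        raise ExcessiveDataError(
            f"fields not needed for purpose {purpose!r}: {sorted(excess)}")
    return {
        "purpose": purpose,
        "collected_at": collected_at,
        "statistical_use": statistical_use,
        "pseudonymised": False,
        "data": dict(submitted),
    }


def pseudonym(value: str, key: bytes) -> str:
    """Keyed one-way token used here in place of an encrypted identity.

    Unlike encryption it cannot be reversed, even with the key; the key only
    lets the controller re-link a *known* identity to its token."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace every identifying field with its keyed token; keep the rest."""
    data = {
        name: pseudonym(value, key) if name in IDENTIFYING_FIELDS else value
        for name, value in record["data"].items()
    }
    return {**record, "data": data, "pseudonymised": True}


def apply_retention(records: list, now: datetime, key: bytes) -> list:
    """Storage limitation: expired records are erased, unless flagged for
    statistical use, in which case only a pseudonymised copy survives."""
    kept = []
    for record in records:
        expiry = record["collected_at"] + PURPOSES[record["purpose"]]["retention"]
        if now < expiry:
            kept.append(record)
        elif record["statistical_use"]:
            kept.append(pseudonymise(record, key))
        # otherwise the record is dropped
    return kept


def run_scenario() -> dict:
    """Constructed walk-through; returns the observable outcomes."""
    key = b"example-pseudonymisation-key"   # in practice held in a separate key store
    t0 = datetime(2023, 1, 1, tzinfo=timezone.utc)
    try:   # a name is not needed for a newsletter, so it must be refused
        collect("newsletter", {"email": "a@example.test", "name": "Alice"}, t0)
        excess_rejected = False
    except ExcessiveDataError:
        excess_rejected = True

    records = [
        collect("order_fulfilment",
                {"name": "Alice", "email": "a@example.test",
                 "postal_address": "1 Example St", "order_id": "o-1",
                 "country": "BE"}, t0, statistical_use=True),
        collect("newsletter", {"email": "b@example.test"}, t0),
    ]
    before = apply_retention(records, t0 + timedelta(days=100), key)   # nothing expired
    after = apply_retention(records, t0 + timedelta(days=800), key)    # both expired
    return {
        "excess_rejected": excess_rejected,
        "before_count": len(before),
        "before_intact": before[0]["data"]["name"] == "Alice",
        "after_count": len(after),
        "after_pseudonymised": after[0]["pseudonymised"],
        "after_name": after[0]["data"]["name"],
        "after_country": after[0]["data"]["country"],
        "expected_token": pseudonym("Alice", key),
    }
```

After 800 days the order record (365-day retention, flagged for statistics) survives only with its name, e-mail and address replaced by tokens while `order_id` and `country` stay usable, and the newsletter record (730-day retention, no statistical use) is erased outright.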
Data retention
Data retention refers to all obligations on the part of controllers to retain personal data for certain purposes.
The Data Retention Directive (Directive 2006/24/EC (pdf)) contains an obligation for providers of electronic communications to retain traffic and location data of communications through telephone, e-mail, etc. The retention takes place for the purpose of the investigation, detection and prosecution of serious crime.
See also: Council Framework Decision 2008/977/JHA
Data security
According to Article 22 of Regulation (EC) No 45/2001, the data controller shall implement appropriate technical and organisational measures to ensure an appropriate level of security in relation to the risks represented by the processing and the nature of the personal data to be protected.
Such measures provide for the prevention of any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and any other unlawful form of processing.
Data subject
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data subject rights
The data subject has the right to:
- Transparency (to be correctly and well informed)
- Access the data
- Rectify the data
- Request erasure
- Restrict processing
- Data portability
- Object to the processing of data
- Not be subject to a decision based solely on automated processing
Data transfer
Data transfer refers to the transmission or communication of data to a recipient in whatever way.
Transfers of personal data within or between Community institutions or bodies or to recipients in EU countries are subject to certain conditions according to Articles 7 and 8 of Regulation (EC) No 45/2001. For instance, such transfer should be necessary for the legitimate performance of the public tasks involved.
Transfers are subject to specific safeguards when the recipient is located in a country outside the EU / European Economic Area (EEA) according to Articles 25-26 of Directive 95/46/EC and Article 9 of Regulation (EC) No 45/2001. See for instance the conditions for the transfer of PNR data or relating to the Safe Harbour scheme.
DPA 2018
The GDPR has direct effect across all EU member states. This means organisations still have to comply with this regulation and we will still have to look to the GDPR for most legal obligations. However, the GDPR gives member states limited opportunities to make provisions for how it applies in their country, and one part of the DPA 2018 sets out these provisions.
The DPA 2018 also has a part dealing with processing that does not fall within EU law, for example where it relates to immigration. It applies GDPR standards, amended to adjust those that would not work in the national context. A further part transposes the EU Data Protection Directive 2016/680 (Law Enforcement Directive) into domestic UK law. The Directive complements the General Data Protection Regulation (GDPR), and Part 3 of the DPA 2018 sets out the requirements for the processing of personal data for criminal ‘law enforcement purposes’.
Eurodac
Council Regulation 2725/2000 of 11 December 2000 (pdf) establishes a system known as “Eurodac”, i.e. a fingerprint database that assists the asylum procedure. It mainly helps to determine which Member State is competent for asylum applications (see Council Regulation 407/2002 (pdf) laying down certain rules to implement Regulation 2725/2000 concerning the establishment of “Eurodac” for the comparison of fingerprints for the effective application of the Dublin Convention).
The system consists of a central unit, a computerised central database for comparing the fingerprint data of asylum applicants, and means of data transmission between the Member States and the central database. The EDPS is responsible for supervision of the system in cooperation with the competent national data protection authorities.
See also: Supervision of Eurodac
When a participating country sends a set of prints to Eurodac, it knows immediately if they match up with others already on the database. If so, it can choose to send the individual back to the country where he or she first arrived or applied for asylum; the authorities there are responsible for making a decision about the candidate’s right to stay. If not, the country that submitted the prints handles the case.
See also: the Commission’s Freedom, Security and Justice website
European Conference
The European Conference of data protection authorities of EU Member States and other European countries meets every year in spring. The Conference takes stock of important developments and usually adopts resolutions. The Conference set up the Working Party on Police and Justice, an advisory body on data protection in these areas.
See also: the European Conference website
European Data Protection Supervisor (EDPS)
The European Data Protection Supervisor (EDPS) is an independent supervisory authority established in accordance with Regulation (EC) No 45/2001, on the basis of Article 286 of the EC Treaty.
The EDPS’ mission is to ensure that the fundamental rights and freedoms of individuals – in particular their privacy – are respected when the EU institutions and bodies process personal data.
The EDPS is responsible for:
- monitoring and ensuring that the provisions of Regulation 45/2001, as well as other Community acts on the protection of fundamental rights and freedoms, are complied with when EC institutions and bodies process personal data (supervisory tasks);
- advising the EC institutions and bodies on all matters relating to the processing of personal data. This includes consultation on proposals for legislation and monitoring new developments that have an impact on the protection of personal data (consultative tasks);
- cooperating with national supervisory authorities and supervisory bodies in the “third pillar” of the EU with a view to improving consistency in the protection of personal data (cooperative tasks).
The EDPS also intervenes in cases before the Court of Justice of the European Communities.
E-privacy Directive 2009/136/EC
Directive 2009/136/EC which came into force in May 2011, concerns the processing of personal data and the protection of privacy in the electronic communications sector (pdf). It is usually referred to as the “E-privacy Directive” and is an amendment of Directive 2002/58/EC.
The E-privacy Directive covers processing of personal data and the protection of privacy including provisions on:
- the security of networks and services;
- the confidentiality of communications;
- access to stored data;
- processing of traffic and location data;
- calling line identification;
- public subscriber directories; and
- unsolicited commercial communications (“spam”).
The main changes to the 2002 Directive include a rule requiring the notification of data breaches (for instance, someone whose personal data are lost, modified or accessed unlawfully while being handled by their electronic communications provider should be notified if the breach is likely to affect them negatively), an extension of the Directive to also cover various electronic tags, strengthened enforcement rules, etc.
Inquiries and inspections
Data protection authorities are empowered to conduct investigations, enquiries and inspections, either on their own initiative or on the basis of a complaint. Those are efficient tools to verify facts and collect more information where needed.
The EDPS, as a supervisory authority, is responsible for monitoring and ensuring the implementation of Regulation (EC) No 45/2001. To achieve this task, the EDPS has extensive powers to perform his inquiries and inspections: he can access all personal data, all information and documents necessary for his enquiries, and can have physical access to any premises related to his duties.
Inquiries and inspections may result in referring the matter to the controllers requiring them to improve their practices under the Regulation. The EDPS may adopt further measures, such as warning or admonishing the controller, ordering the data to be rectified or blocked, imposing a ban on the processing or referring the matter to the Court of Justice.
Every year in the autumn, the privacy and data protection authorities from Europe and other parts of the world meet at the International Conference. Unlike the European Conference, the International Conference is open for attendance by interested parties. The Conference takes stock of new developments and usually adopts resolutions in a closed session for data protection authorities only. It is the biggest data protection event that takes place on a regular basis.
Read more on the International Conference
IWGDPT stands for International Working Group on Data Protection in Telecommunications.
See Berlin group
Joint Supervisory Authorities
There are several joint supervisory bodies with specific tasks (supervising protection of personal data within the Schengen Information System, Customs, Europol and Eurojust respectively). These supervisory bodies are, essentially, made up of representatives of the national data protection authorities.
The EDPS cooperates with these supervisory bodies, particularly with a view to improving consistency in the protection of personal data (see Article 46 sub (f)(ii) of Regulation (EC) No 45/2001).
Joint Supervisory Authority of Schengen
The establishment of the Joint Supervisory Authority of Schengen (JSA) is provided for by the Convention of 1990 implementing the Schengen Agreement of 1985.
The JSA is responsible for supervising the technical support function of the Schengen Information System (SIS). It consists of two representatives from each national data protection authority of the Schengen Member States.
Besides the task of supervising the technical support function of the SIS, the JSA has to examine any difficulties of application or interpretation that may arise during the operation of the SIS. The JSA has also been assigned the task of delivering opinions and of harmonising legal practice and interpretation at the national level, in accordance with Convention 108.
Joint Supervisory Body of Eurojust
The Joint Supervisory Authority of Eurojust monitors the activities of Eurojust, to ensure that the processing of personal data is carried out in accordance with the Eurojust Decision. The Authority also hears appeals lodged by individuals who are dissatisfied in cases where Eurojust has not granted them the right of access to their personal data.
Act of the Joint Supervisory Body of Eurojust
Joint Supervisory Authority of Customs
The Joint Supervisory Authority (JSA), established by the Convention on the use of information technology for customs purposes, is responsible for supervising the Customs Information System (CIS). The Authority inspects the central CIS database, offers advice and can examine issues relating to access requests by data subjects.
Europol Joint Supervisory Body
The operations of Europol are subject to supervision by the Europol Joint Supervisory Body (JSB), which ensures compliance with data protection rules. The main functions of the JSB involve, inter alia, examining proposals from Europol to exchange personal data with overseas law enforcement authorities and inspections of Europol in order to determine compliance with the provisions of the Europol Convention.
The appeals committee of the JSB is charged with examining appeals against Europol’s decisions. Members are appointed by the JSB to serve for a period of five years.
Europol Joint Supervisory Body’s website
Large-scale IT systems
Several databases (information systems) created or about to be created by the European Union (EU) can be considered large by various (sometimes all) measures: number of people using the system for different purposes, amount of data collected, stored, accessed, manipulated, number of connections between components, etc.
The EU is creating or updating several large-scale IT systems in the area of border and police control: SIS II, VIS and Eurodac are three examples of these databases.
At the 28th International Conference of Data Protection and Privacy Commissioners in London (November 2006), a statement was presented, entitled “Communicating data protection and making it more effective”, which received general support from data protection authorities around the world.
This was a joint initiative of the president of the French data protection authority, the UK Information Commissioner and the EDPS. This is now referred to as the “London Initiative”.
With a view to translating the statement into practical action, several workshops have been organised. They addressed the topics of communication, enforcement, strategy and internal organisation, and the notification of data breaches.
As one of the architects of the initiative, the EDPS has actively contributed to the follow-up so as to encourage the exchange of available experience and best practice between data protection authorities.
All processing operations or sets of operations intended to serve a single purpose or several related purposes must be notified by the controller to the data protection officer (DPO) of the Community institution or body concerned. The information provided shall include the set of data specified in Article 25 of Regulation (EC) 45/2001.
The DPO keeps a register of these notifications.
Processing operations likely to present specific risks to the rights and freedoms of data subjects must also be declared to the EDPS (Article 27 of the Regulation). This is qualified as a notification for prior checking.
The opinion is an important instrument of the EDPS, both in his supervisory role and as advisor on proposals for EU legislation.
In the context of a prior check, an opinion is issued on the compliance of a processing operation with Regulation (EC) No 45/2001 and makes recommendations to the institution or body concerned. Such opinions are published on the EDPS website (Supervision section).
Opinions on proposals for EU legislation give a full analysis of the proposal from the perspective of data protection and may be discussed in the European Parliament and the Council. Such opinions are published in the C version of the Official Journal of the European Union and on the EDPS website (Consultation section). The EDPS adopts opinions on proposals for EU legislation and also on related instruments (communications, international agreements, comitology tools).
According to Article 2 (a) of Regulation (EC) No 45/2001: “Any information relating to an identified or identifiable natural person, referred to as “data subject” – an identifiable person is someone who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity”.
The name and the social security number are two examples of personal data which relate directly to a person. But the definition extends further and also encompasses, for instance, e-mail addresses and the office phone number of an employee. Other examples of personal data can be found in information on physical disabilities, in medical records and in an employee’s evaluation.
Personal data which is processed in relation to the work of the data subject remain personal/individual in the sense that they continue to be protected by the relevant data protection legislation, which strives to protect the privacy and integrity of natural persons. As a consequence, data protection legislation does not address the situation of legal persons (apart from the exceptional cases where information on a legal person also relates to a physical person).
More about “personal data”
Personal data filing system
According to Article 2 sub (c) of Regulation (EC) No 45/2001, personal data filing system refers to “any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.”
The definition is independent of the size of the filing system, which may vary according to the circumstances. In some cases, such as the disciplinary files of a small-sized EU body, the filing system can comprise just a handful of entries.
The acronym ‘PETs’ stands for “Privacy Enhancing Technologies”. It refers to a coherent system of information and communication technology (ICT) measures that protect privacy by eliminating or reducing personal data or by preventing unnecessary and/or undesired processing of personal data, all without losing the functionality of the information system.
The use of PETs can help to design information and communication systems and services in a way that minimizes the collection and use of personal data and facilitates compliance with data protection rules. It should result in making breaches of certain data protection rules more difficult and/or helping to detect them.
PETs can be stand-alone tools requiring positive action by consumers (who must purchase and install them in their computers) or be built into the very architecture of information systems.
PNR is the acronym for “Passenger Name Record”.
This information is collected by airlines or travel agencies at the time a passenger makes a reservation, before travelling. It differs from Advance Passenger Information (API), which is collected later, at the time of boarding.
In addition to the name of the passenger, PNR includes all information necessary for the reservation, such as:
- the travel agency responsible for the booking;
- the itinerary (including connections);
- the flights (number, date, time);
- groups of persons registered under the same booking;
- the passenger’s contact details (telephone number, address, etc.);
- payment/billing information;
- hotel or car booking;
- special service requests (such as seat number, special meal, medical assistance);
- “frequent flyer” information.
Enforcement authorities have shown interest in the collection of PNR data, with a view to fighting terrorism and other forms of crime. The European Union has concluded agreements with third countries requesting such information, in order to establish minimal data protection safeguards on the use of this information. The Article 29 Working Party and the EDPS have adopted official opinions on these agreements.
- the agreements
- the opinions of the Working Party
- the opinions of the EDPS: PNR Canada, European PNR and PNR Australia.
Processing operations by Community institutions or bodies likely to present specific risks to the rights and freedoms of data subjects must be declared to the EDPS prior to the processing of the data (Article 27 of Regulation (EC) 45/2001).
The EDPS will examine whether the processing respects the Regulation and will deliver an opinion within a period of two months.
In his opinion, the EDPS may make recommendations to the institution or body concerned so as to ensure compliance.
Ex-post prior check
Prior checks concern not only operations not yet in progress (see “Proper prior checks”) but also processing operations which started before the EDPS was appointed or before Regulation (EC) 45/2001 came into force. In such situations a prior check cannot be “prior” in a strict sense but must be dealt with on an “ex post” basis. The EDPS has been absorbing the backlog in ex-post cases.
Proper prior check
The EDPS should give his opinion prior to the start of a processing operation so as to guarantee the rights and freedoms of the data subjects from the start (Article 27 of Regulation (EC) 45/2001). The term “proper prior checks” has been used to distinguish these cases from “ex-post” prior checks (see “Ex-post prior checks”).
Privacy is the ability of an individual to be left alone, out of public view, and in control of information about oneself.
One can distinguish the ability to prevent intrusion in one’s physical space (“physical privacy”, for example with regard to the protection of the private home) and the ability to control the collection and sharing of information about oneself (“informational privacy”).
The concept of privacy therefore overlaps, but does not coincide, with the concept of data protection.
Privacy by design
Privacy by design aims at building privacy and data protection up front, into the design specifications and architecture of information and communication systems and technologies, in order to facilitate compliance with privacy and data protection principles.
Processing (of personal data)
According to Article 2 (b) of Regulation (EC) No 45/2001, processing of personal data refers to “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.”
Personal data may be processed in many activities which relate to the professional life of a data subject. Examples from within the EU institutions and bodies include: the procedures relating to staff appraisals and to the billing of an office phone number, lists of participants at a meeting, the handling of disciplinary and medical files, as well as compiling and making available on-line a list of officials and their respective field of responsibilities.
Personal data relating to other natural persons than staff may also be processed. Such examples may concern visitors, contractors, petitioners, etc.
According to Article 2 (e) of Regulation (EC) No 45/2001, a processor shall mean “a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.”
The essential element is therefore that the processor only acts “on behalf of the controller” and thus only subject to his instructions.
For example, a security company monitoring the entries into an institution’s building is not processing personal data of the persons entering a building for its own purpose, but on behalf of the institution concerned.
In some cases, the processor may choose not to process the data himself, but may have recourse to a subcontractor who processes the data on his behalf. In practice, this will depend upon the processor agreement entered into with the controller.
Transfers of personal data from a data controller to a data processor must be secured by a data processor agreement. It must meet certain minimum requirements, as set forth by Article 17 of the Data Protection Directive and Article 23 of Regulation (EC) No 45/2001.
The contract must stipulate that the data processor shall act only on instructions from the data controller. The data processor must provide sufficient guarantees in respect of the technical security measures and organisational measures governing the processing to be carried out, and must ensure compliance with such measures.
The Prüm Treaty is an international agreement signed on 27 May 2005 by Belgium, Germany, Spain, France, Luxembourg, Netherlands and Austria in order to improve cross-border cooperation in combating terrorism, cross-border crime and illegal immigration.
In June 2008 the Council adopted two decisions bringing the main provisions of this agreement into EU law, thus extending it to all EU Member States. These decisions focus on the exchange of biometric data (DNA and fingerprints) between police and judicial authorities, and require Member States to set up DNA databases.
The EDPS issued two opinions (one on the initiative itself (pdf), one on its implementing rules (pdf)), recommending a step-by-step approach and highlighting that the specific provisions on data protection contained in the initiative are not stand-alone and should therefore be complemented by other general data protection rules.
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
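The definition above, and the PETs entry earlier on this page, both turn on the same engineering point: the working data set is stripped of direct identifiers, and the only thing that links a pseudonym back to a person (a secret key and a lookup table) lives somewhere else, under separate controls. The following Python block is an added example written for this glossary, not code from the EDPS or any project it describes. The employee records, the `KeyCustodian` class and the assumption that the custodian store is access-controlled separately from the data set are all constructed for illustration.

```python
"""Pseudonymisation with the 'additional information' held separately.

Added example for the glossary entry above (constructed data, not real
people).  Direct identifiers are removed from the analytic data set and
replaced by a keyed pseudonym; the key and the pseudonym -> identifier
table stay with a custodian.  Without the custodian the data set cannot
be attributed to a person; with it, a subject's rows can still be found
to answer an access or rectification request.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample records (fictitious staff, invented for this example).
SAMPLE_RECORDS: List[dict] = [
    {"employee_id": "E-1001", "name": "A. Example", "dept": "IT", "sick_days": 3},
    {"employee_id": "E-1002", "name": "B. Sample", "dept": "HR", "sick_days": 0},
    {"employee_id": "E-1001", "name": "A. Example", "dept": "IT", "sick_days": 1},
]

# Direct identifiers are dropped from the working data set (data
# minimisation): per-department absence statistics do not need them.
DIRECT_IDENTIFIERS = ("employee_id", "name")


@dataclass
class KeyCustodian:
    """Holds the secret key and the pseudonym -> identifier table.

    Assumed to be stored apart from the data set under its own access
    controls; that separation is what the definition requires.
    """
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    lookup: Dict[str, str] = field(default_factory=dict)

    def derive(self, employee_id: str) -> str:
        # A keyed HMAC rather than a plain hash: employee IDs come from a
        # small, enumerable space, so sha256(id) alone could be reversed
        # by hashing every possible ID.  Without the key that is not possible.
        return hmac.new(self.key, employee_id.encode(), hashlib.sha256).hexdigest()

    def register(self, employee_id: str) -> str:
        pseudonym = self.derive(employee_id)
        self.lookup[pseudonym] = employee_id
        return pseudonym

    def reidentify(self, pseudonym: str) -> Optional[str]:
        return self.lookup.get(pseudonym)


def pseudonymise(records: List[dict], custodian: KeyCustodian) -> List[dict]:
    """Replace direct identifiers with one stable pseudonym per data subject."""
    out = []
    for r in records:
        pseudonym = custodian.register(r["employee_id"])
        kept = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"pseudonym": pseudonym, **kept})
    return out


def records_for_subject(dataset: List[dict], custodian: KeyCustodian, employee_id: str) -> List[dict]:
    """Locate one subject's rows (e.g. for a right-of-access request).

    Only the custodian can do this; the data set alone does not suffice.
    """
    pseudonym = custodian.derive(employee_id)
    return [r for r in dataset if r["pseudonym"] == pseudonym]


def leaks_direct_identifiers(dataset: List[dict]) -> bool:
    """Check to run before the data set leaves the controller's custody."""
    return any(k in r for r in dataset for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    custodian = KeyCustodian()
    data = pseudonymise(SAMPLE_RECORDS, custodian)
    print(data)
    print(records_for_subject(data, custodian, "E-1001"))
```

Two properties are worth checking in practice: the same subject always maps to the same pseudonym (so rows stay linkable within the data set), and a party holding only the data set, or a different key, cannot attribute any row to a person.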
According to Article 2 (g) of Regulation (EC) No 45/2001, a recipient shall mean “a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients.”
Notifications of processing operations have to comprise information on the recipients of the personal data. A recipient can be a third party (with the exception of authorities which in the framework of a particular inquiry receive data – in such cases, they shall only be regarded as a third party).
An illustrative example may be the salary payments of officials of the EU institutions and bodies. The salary slip does not only go to the employee, but also to the institution or body where he or she works, and Eurostat receives the data in compiled form.
See also: Q&A on Transfer of personal data
Regulation (EC) No 45/2001
Regulation (EC) No 45/2001 regulates the protection of individuals with regard to the processing of personal data by Community institutions and bodies.
The Regulation implements Article 286 of the Treaty establishing the European Communities which requires the application of data protection rules to Community institutions and bodies, as well as the establishment of an independent supervisory authority.
The data protection rules in the Regulation are based on the existing Community rules on data protection which apply to the Member States, in particular the Data Protection Directive 95/46/EC and the E-privacy Directive 2002/58/EC. The Regulation regroups the rights of the data subjects and the obligations of those responsible for the processing into one legal instrument.
It also establishes the European Data Protection Supervisor as an independent supervisory authority with the responsibility of monitoring the processing of personal data by the Community institutions and bodies.
Data retention refers to all obligations on the part of controllers to retain personal data for certain purposes.
Limiting how long personal data are kept is part of data minimisation. The rule of thumb is “as long as necessary, as short as possible”, although sometimes legal rules may impose fixed periods. Data that are no longer retained cannot fall into the wrong hands, nor be abused, meaning that defining and enforcing limited conservation periods helps to protect the people whose data are processed.
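A conservation period only protects people if something actually enforces it. The following Python block is an added example, not part of this glossary or any EDPS procedure: it tags each record with the purpose it was collected for, applies a per-purpose retention limit, and handles the two cases the paragraph mentions in passing: a legal rule imposing a fixed (longer) period, modelled here as a legal hold, and a record whose purpose has no defined period at all, which is reported rather than silently kept forever. The retention periods, purposes and records are all constructed values, not taken from any regulation.

```python
"""Retention-limit enforcement: 'as long as necessary, as short as possible'.

Added example (constructed policy and data, not from any regulation).
purge() returns three lists so that every decision is auditable: what is
deleted, what is kept and why, and what could not be classified.
"""
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed retention periods per purpose, in days (illustrative only).
RETENTION_DAYS: Dict[str, int] = {
    "visitor_log": 30,           # building access lists
    "recruitment": 180,          # unsuccessful applications
    "staff_appraisal": 365 * 5,  # appraisal files
}

# A record: (record_id, purpose, collected_on, legal_hold_until or None).
Record = Tuple[str, str, date, Optional[date]]

# Constructed sample records.
SAMPLE: List[Record] = [
    ("r1", "visitor_log", date(2024, 1, 2), None),
    ("r2", "visitor_log", date(2024, 2, 20), None),
    ("r3", "recruitment", date(2023, 6, 1), None),
    ("r4", "recruitment", date(2023, 6, 1), date(2024, 12, 31)),  # legal hold
    ("r5", "unknown_purpose", date(2020, 1, 1), None),
]


def expiry_date(purpose: str, collected_on: date, hold_until: Optional[date] = None) -> date:
    """Date after which the record must no longer be retained.

    A legal hold only ever extends the period; it never shortens it.
    Raises ValueError when no period is defined, because a missing period
    is a policy gap that must be fixed, not a licence to keep the data.
    """
    if purpose not in RETENTION_DAYS:
        raise ValueError(f"no retention period defined for purpose {purpose!r}")
    expires = collected_on + timedelta(days=RETENTION_DAYS[purpose])
    if hold_until is not None and hold_until > expires:
        expires = hold_until
    return expires


def purge(records: List[Record], today: date) -> Tuple[List[str], List[str], List[str]]:
    """Split records into (to_delete, to_keep, unclassified) as of `today`."""
    to_delete: List[str] = []
    to_keep: List[str] = []
    unclassified: List[str] = []
    for rid, purpose, collected_on, hold_until in records:
        if purpose not in RETENTION_DAYS:
            unclassified.append(rid)  # surface the gap instead of guessing
            continue
        if today > expiry_date(purpose, collected_on, hold_until):
            to_delete.append(rid)
        else:
            to_keep.append(rid)
    return to_delete, to_keep, unclassified


if __name__ == "__main__":
    print(purge(SAMPLE, date(2024, 3, 1)))
```

Run as a scheduled job, the `to_delete` list is what gets erased and the `unclassified` list is what goes back to the controller or DPO, since a record nobody can assign a purpose to has no lawful retention period either.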
RFID stands for Radio Frequency IDentification. It is an automatic identification method, relying on storing and remotely retrieving data using devices called RFID tags or transponders.
An RFID tag is an object that can be applied to or incorporated into a product, an animal or a person for the purpose of identification or remote tracking through the use of radio waves.
The EDPS released an opinion (pdf) on the issue in December 2007, in which he underlines that RFID systems could play a key role in the development of the European information society, but also that the wide acceptance of RFID technologies should be facilitated by the benefits of consistent data protection safeguards.
Right of access
The right of access is the right for any data subject to obtain from the controller of a processing operation the confirmation that data related to him/her are being processed, the purpose(s) for which they are processed, as well as the logic involved in any automated decision process concerning him or her.
This right also allows the data subject to receive communication in an intelligible form of the data undergoing processing and of information regarding the processing.
This right can be exercised without constraint, at any time within three months from the receipt of the request, and is free of charge (Article 13 of Regulation (EC) No 45/2001).
Right of information
Everyone has the right to know that their personal data are processed and for which purpose. The right to be informed is essential because it determines the exercise of other rights.
The right of information refers to the information which shall be provided to a data subject whether or not the data have been obtained from the data subject.
The information which must be provided relates to the identity of the controller, the purpose(s) of the processing, the recipients, as well as the existence of the right of access to data and the right to rectify the data.
The right of information for the person concerned is limited in some cases, such as for public safety considerations or for the prevention, investigation, identification and prosecution of criminal offences, including the fight against money laundering.
In the context of processing operations within the EC institutions (see Articles 11 and 12 of Regulation (EC) No 45/2001), this right is often fulfilled by a privacy statement.
Right of rectification
The right of rectification is the right to obtain from the controller the rectification without delay of inaccurate or incomplete personal data (Article 14 of Regulation (EC) No 45/2001).
The right of rectification is an essential complement to the right of access and is important to maintain a high level of data quality.
To exercise the right of rectification, the data subject usually has to write to the controller of the processing operation. By way of illustration, if you need to change your personal address or if you find that information about you is inaccurate, you should exercise your right of rectification by contacting the controller who holds these data.
Right to object
The right to object has two meanings. First, it is the general right of any data subject to object to the processing of data relating to him or her, except in certain cases such as a specific legal obligation. Where there is a justified objection based on legitimate grounds relating to his or her particular situation, the processing in question may no longer involve those data (see Article 14 sub (a) of Directive 95/46/EC and Article 18 sub (a) of Regulation (EC) No 45/2001).
It also refers to the specific right of any data subject to be informed, free of charge, before personal data are first disclosed to third parties or before they are used on their behalf for the purposes of direct marketing, and to object to such use without justification (see Article 14 sub (b) of Directive 95/46/EC and Article 18 sub (b) of Regulation (EC) No 45/2001).
The right to object can be exercised at the moment of the collection of the data (for instance while completing a form), or at a later stage, by contacting the controller. The right to object is free of charge to the person who exercises it.
Safe Harbor Principle
Safe Harbor Principles are a set of privacy and data protection principles that, together with a set of frequently asked questions (FAQs) providing guidance for the implementation of the principles, have been considered by the European Commission to provide an adequate level of protection.
These principles were issued by the Government of the United States on 21 July 2000.
US organisations can claim that they comply with this framework. They should publicly disclose their privacy policies and be subject to the jurisdiction of the Federal Trade Commission (FTC) – under Section 5 of the Federal Trade Commission Act which prohibits unfair or deceptive acts or practices in or affecting commerce – or to the jurisdiction of another statutory body that will ensure compliance with the principles implemented in accordance with the FAQs.
See also: Adequacy decision
Sensitive data include data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life” (Article 10 of Regulation 45/2001; Article 8 of Directive 95/46/EC).
The processing of such information is in principle prohibited, except in specific circumstances. It is possible to process sensitive data for instance if the processing is necessary for the purpose of medical diagnosis, or with specific safeguards in the field of employment law, or with explicit consent of the data subject.
Schengen Information System (SIS)
The Schengen Information System (SIS) is a large-scale IT system linked to the abolition of internal border controls of the Schengen territory (most of the EU territory plus a few other countries).
The SIS will be replaced by SIS II in order to allow the connection of more countries and to provide new functionalities (see EDPS Opinion on the establishment of SIS II (pdf)).
The SIS contains information on objects (stolen cars, identity documents, etc.), as well as on persons. Personal information may be recorded in the SIS on:
- third-state nationals who are banned from entry to Schengen territory;
- people wanted in relation to criminal proceedings or people under police surveillance;
- missing people who should be placed under protection, in particular minors.
The data protection supervision of the system is ensured at national level by data protection authorities and, at European level, by the Schengen Joint Supervisory Authority or “JSA”.
The EDPS will replace the JSA at European level when the SIS II comes into operation, probably in the course of 2009.
Should you wish to access or rectify your data in the SIS, it is advisable to contact a data protection authority in one of the Schengen countries. Details of the relevant data protection authorities – who can either give you access themselves or tell you where to apply – are available on the JSA website.
Special Category Data
Special category data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, together with genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health and data concerning a natural person’s sex life or sexual orientation.
Standard contractual clauses
Standard contractual clauses are legal tools to provide adequate safeguards for data transfers from the EU or the European Economic Area to third countries.
The European Commission has adopted three Decisions declaring Standard Contractual Clauses to be adequate, and therefore, companies can incorporate the clauses into a transfer contract.
In principle no authorisation is required from data protection authorities to be allowed to use these clauses. A formal notification to the authority might nevertheless be necessary.
SWIFT (“Society for Worldwide Interbank Financial Telecommunication”) is a worldwide financial messaging service which facilitates international money transfers.
Following the terrorist attacks of 11 September 2001, the United States Department of the Treasury served administrative subpoenas requiring SWIFT to transfer personal data held on its United States server in order to identify, track and pursue those who provide financial support for terrorist activity.
After press reports revealed this transfer of personal data, involving also banking data of European citizens, European data protection authorities found several breaches to the fundamental data protection principles, in particular relating to transfers of personal data to third countries (see Article 29 WP opinion 10/2006). Also, the EDPS adopted an opinion focusing on the role of the European Central Bank (see EDPS opinion).
Following these findings, many improvements were put in place in order to ensure full compliance with data protection legislation: SWIFT adhered to the Safe Harbor; the US Treasury provided clarifications and assurances concerning access and processing of SWIFT data; SWIFT announced important changes in the architecture of its payment services, ensuring that intra-European messages remain in Europe and are no longer mirrored in the United States.
See also: Safe Harbor and TFTP
A breach of security occurs where a stated organisational policy or legal requirement regarding information security has been violated. However, every incident which suggests that the confidentiality, integrity or availability of the information has been compromised can be considered a security incident. Every security breach begins as a security incident; only once the incident is confirmed does it become a breach.
The Terrorist Finance Tracking Program (TFTP) is a United States government program to access the SWIFT transaction database, revealed by The New York Times in June 2006. Based in Belgium, SWIFT (Society for Worldwide Interbank Financial Telecommunication) establishes common standards for financial transactions worldwide. The Terrorist Finance Tracking Program is viewed as a tool in the “Global War on Terrorism”. It is said to allow additional scrutiny that could prove instrumental in tracking transactions between terrorist cells. Concerns have been raised that this classified program might be a violation of U.S. and European financial privacy laws, because individual search warrants to access financial data were not obtained in advance.
In February 2010, on the basis of these privacy concerns, the European Parliament rejected the conclusion of an agreement allowing US authorities access to European financial transactions data. In May 2010, the Commission started negotiating a new agreement, with the aim of ensuring better data protection safeguards.
The EDPS adopted an opinion on the European Commission’s draft agreement in June 2010 in which he called for further data protection improvements. In July 2010, the European Parliament gave its approval to the conclusion of a revised agreement.
A third country is a country which has not adopted a national law for the implementation of Directive 95/46/EC – as opposed to the 27 Member States of the EU and the three European Economic Area (EEA) countries Norway, Liechtenstein and Iceland.
Third countries need to ensure an adequate level of protection for personal data in order to enable transfers of personal data from the EU and EEA Member States to them.
The Commission has so far recognized Switzerland, Canada, Argentina, Guernsey, Isle of Man, Jersey and the US Department of Commerce’s Safe Harbor Privacy Principles, as providing adequate protection.
The effect of such a decision is that personal data can flow from the EU and EEA Member States to that third country (within the limit of the material scope as described by each Decision) without any further safeguards.
See also: Q&A on Transfer of personal data
According to Article 2 (f) of Regulation (EC) No 45/2001, third party shall mean “a natural or legal person, public authority, agency or body, other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor are authorised to process the data.”
In the context of the EU institutions and bodies, a third party may be a public authority or private party which temporarily needs to process the personal data of an official. This may be the case, for instance, if an official, who moves to his workplace to start work and who is temporarily entitled to VAT-exemption, buys a car. In that case, the car company, the insurance company, the Ministry of Finance and the authority responsible for the car register would be third parties.
Traffic data are data processed for the purpose of the conveyance of a communication on an electronic communications network.
According to the means of communication used, the data needed to convey the communication will vary, but may typically include contact details, time and location data.
Although such traffic data are to be distinguished from content data, both are quite sensitive as they give insight into confidential communications. These data therefore enjoy special protection in Articles 5 and 6 of the E-privacy Directive 2009/136/EC and Articles 36 and 37 of Regulation (EC) No 45/2001.
Video-surveillance is the monitoring of a specific area, event, activity, or person by means of an electronic device or system for visual monitoring. Typically, the monitoring is carried out using CCTV systems.
See also: CCTV and the guidelines on video-surveillance published by the EDPS.
Visa Information System (VIS)
The Visa Information System (VIS) is a large-scale IT system which will contain information, including photographs and fingerprint data, about visa applicants. The EDPS issued an opinion on the establishment of the VIS in 2005 and another one about the access of law enforcement authorities to the VIS in 2006.
The information will be collected by consulates in the different Member States and then transferred to a central database, VIS, where it will be accessible by all Member States. In principle, the roll-out of the VIS should start in 2009.
One of the main purposes of the database is to fight “visa shopping”. Citizens from more than 120 countries need visas to enter the EU. In the current situation, an applicant who has been rejected by one country’s consulate could continue applying to other consulates. Once VIS is in place, this will not be possible. Information on previous applications and reasons for rejection will be available through the new system. The inclusion of fingerprint and photograph information is intended to allow border checks to verify whether the person presenting the visa is in fact the person to whom it was issued.
The data protection supervision will be the responsibility of the EDPS at the level of the Central Unit and of the Member States’ data protection authorities at national level. The EDPS and data protection authorities will jointly ensure coordination of that supervision.