Dictionary

see Research purposes

Automated decisions are based on automatic data processing without human intervention. According to the General Data Protection Regulation, examples are the automatic rejection of an online credit application or an online recruitment procedure without any human intervention.

These include fingerprints, facial images, voice data or iris recognition images.

see Right to compensation

Consent is one possible basis on which data may be lawfully processed.

see Data subject

This refers to any natural or legal person, authority or other body that decides on data processing or processes data.

Companies must report data leaks or other data breaches to data protection authorities within 72 hours. In certain cases, consumers must also be informed immediately.

see Controller

see Right to data portability

This includes collecting, recording, saving, organising, adapting, modifying, reading, retrieving, using, transmitting, linking, deleting or destroying data.

Private individuals are exempted from the data protection rules if the data processing concerns exclusively personal or family activities.

see Processor

Each EU member state has at least one independent data protection supervisory authority to monitor compliance with the General Data Protection Regulation.

see Privacy by default

see Privacy by design

The Data Protection Directive is the predecessor of the General Data Protection Regulation. It dates from 1995 and was replaced in its entirety by the General Data Protection Regulation.

Persons under the age of 16 are considered children in the General Data Protection Regulation. Special data protection rights apply to them.

In companies, data protection officers monitor compliance with the General Data Protection Regulation.

Data subjects within the meaning of the General Data Protection Regulation are all people whose data are processed.

see Controller

The Federal Data Protection Act has been around since 1977, but has largely been replaced by the General Data Protection Ordinance as of May 25, 2018.

Fines may be imposed by data protection authorities and should be effective, proportionate and dissuasive.

The General Data Protection Regulation (GDPR) is an EU regulation that updates and reforms data protection law in the EU.

Genetic data are data on the inherited or acquired genetic traits of a data subject.

Health data are data relating to the mental or physical state of health of data subjects or information, from which this state of health can be gleamed.

The General Data Protection Regulation lays down the conditions under which data processing is lawful. In principle, data may not be processed without permission.

Partly undefined legal term that allows data processing without the consent of consumers

see Right to compensation

see Automated decision

If data controllers have corrected, deleted or restricted data at the request of data subjects, they must inform all recipients to whom the data have been disclosed of the rectification, deletion or restriction.

Data controllers must inform data subjects as to whether and, if so, which of their data are processed in which way.

EU member states have the right to impose sanctions for breaches of data protection rules.

This is any information relating to an identified or identifiable person, also known as the data subject.

Principle calling for data protection settings that collect, store and share as little data as possible from the outset.

Principle that manufacturers take into account data protection rights already during the development of products.

A processor is a kind of contractor which takes on the data processing on behalf of a controller.

see Automated decision

see Consent

see Data controller

Pseudonymisation refers to the processing of data in such a way that it can no longer be assigned to a specific person without the involvement of further data.

Personal data may only be used for specified purposes. Further processing for other, incompatible purposes is not permitted.

The General Data Protection Regulation provides that non-profit organisations can actively expose abuses in data protection by lodging complaints with the authorities.

Exceptions to the purpose limitation exist for scientific and historical research, for statistical purposes and for archiving purposes which are in the public interest.

The right of access gives data subjects the right to find out from controllers whether and, if so, which of their personal data is stored and processed.

see Right to erasure

If data subjects have suffered material or immaterial damages as a result of a violation of the General Data Protection Regulation, they are entitled to compensation.

This means that data subjects must be able to receive the personal data they have provided themselves in an electronic, structured format.

Data subjects have the right to request the deletion of their data. In many cases, controllers are then obliged to delete the data.

Consumers have the right to complain to a supervisory authority if they suspect that their data are being processed unlawfully.

Data subjects have the right to object to the processing of their data.

The right to rectification means that data subjects can have incorrect data corrected and have incomplete data added to.

A restriction of data processing can mean that data is temporarily blocked, deleted from a website or transferred to another processing system.

Data subjects can sue in case they suspect data protection violations.

see Consent

see Automated decision

This includes data on a data subject’s racial or ethnic origin, political opinion, religious or philosophical beliefs or trade union membership.

see Data protection authority