A –

Accountability. Principle under which the data controller guarantees compliance with the data protection principles through the adoption of technical and internal measures.

Anonymization. A technique applied to personal data in order to achieve irreversible de-identification[i].

Article 29 Working Party (hereinafter, “Art.29 WP”). Article 29 of Directive 95/46/EC establishes an independent Data Protection Working Party that gives advice on data protection matters and assists the European Commission in the development of policies.

B –

Binding corporate rules. Personal data protection policies adhered to by a controller or processor established on the territory of a Member State of the Union, for transfers, or a set of transfers, of personal data to a controller or processor in one or more third countries within a group of undertakings or group of enterprises engaged in a joint economic activity[ii].

Biometric data. Any data relating to the physical, physiological or behavioural characteristics of an individual, which allow their unique identification, such as facial images, or dactyloscopic data (fingerprints)[iii].

Biometric systems. Methods for uniquely recognizing humans with a high level of accuracy through one or more physical or behavioural traits.

C –

Communication. Any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service. This does not include any information conveyed as part of a broadcasting service to the public over an electronic communications network except to the extent that the information can be related to the identifiable subscriber or user receiving the information[iv].

Confidentiality. Listening to, tapping, storing or otherwise intercepting or surveilling communications and the related traffic data by persons other than the users is forbidden without the consent of the users concerned, except when legally authorised[v].

Consent. Any freely given specific and informed indication of the data subject’s wishes by which he/she signifies his/her agreement to personal data relating to him/her being processed[vi].

Cookies. Short text files stored by a web site on the user’s device to provide a more personalised experience, by remembering the user’s profile without requiring a separate log-in. A “session cookie” is a cookie that is automatically deleted when the user closes his/her browser, while a “persistent cookie” is a cookie that remains stored in the user’s terminal device until it reaches a defined expiration date (which can be minutes, days or several years in the future). A “third party cookie” would thus refer to a cookie set by a data controller that is distinct from the one that operates the website visited by the user (as defined by the current URL displayed in the address bar of the browser)[vii].

Crowdsourcing. The act of taking a job, service, idea or content traditionally performed by a designated agent and outsourcing it to an undefined, generally large group of people in the form of an open call, especially from an online community[viii].

D –

Data blocking. Data which are incomplete, inaccurate, or stored in a way incompatible with the legitimate purposes pursued by the controller, can be frozen by the controller for a specific period of time, permitting access to the data blocked only to competent people/authorities, for purposes of proof, or with the data subject’s consent, or for the protection of the rights of a third party[ix].

Data breach. A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service. In the case of a personal data breach, the provider of publicly available electronic communications services shall, without undue delay, notify the personal data breach to the competent national authority. When the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual, the provider shall also notify the subscriber or individual of the breach without undue delay. Notification of a personal data breach to a subscriber or individual concerned shall not be required if the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the security breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it[x].

Data concerning health. Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status[xi].

Data controller. The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data[xii].

Data processing. Any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction[xiii].

Data processor. A natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller[xiv].

Data protection (DP). The set of rights and principles governing personal data processing, such as processing for specified purposes and with the consent of the person concerned, regardless of whether the data are held in the public or private sector. Article 8 of the Charter of Fundamental Rights of the European Union guarantees data protection as a fundamental right by protecting individuals without impeding the free flow of information, thanks to the legal certainty given to the data subject[xv].

Data protection officer (DPO). According to Regulation 679/2016, “The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10”. The rationale of this new role was already settled in Article 18(2) of Directive 95/46/EC which provided the possibility for Member States to lift the obligation to notify for controllers that appointed a personal data protection official[xvi].

Data recipient. A natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients[xvii].

Data retention. A processing operation consisting of retaining personal data for certain purposes, including those set by law (e.g. investigation, detection and prosecution of serious crimes).

Data subject. An identified or identifiable natural person whose personal data are collected, held or processed. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity[xviii].

Data subject’s rights. Part of fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data (see below “Right to be informed”, “Right of access”, “Right to block”, “Right to obtain the notification to third parties”, “Right to object”, “Right not to be subject to a decision” and “Right to be forgotten”).

Data transfer. Any transmission or communication of data to a recipient in whatever way. Transfers of personal data to a recipient located in a country outside the EU/EEA are subject to Articles 25-26 of Directive 95/46/EC.

G –

Genetic data. Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question[xix].

Granular consent. Especially when using a smartphone application (app), after asking for consent before data collection, the data controller must ask for granular consent for each type of data the app will access, at least for the categories location, contacts, unique device identifier, identity of the data subject, identity of the phone, credit card and payment data, telephony and SMS, browsing history, email, social networks credentials and biometrics[xx].

I –

Information. Each data subject has the right to know the identity of the data controller who is processing his/her personal data, what type of personal data is being processed and for what purpose the data are intended to be used. Availability of this information on personal data processing is critical in order to obtain consent from the user for the data processing and, for the same reason, this information has to be clear and comprehensive[xxi]. (See below “Right to be informed”).

J –

Joint controllers. Two or more controllers jointly determine the purposes and means of the processing of personal data[xxii].

L –

Layered notice. Where the initial notice to the user contains the minimum information required by the EU legal framework, further information is available through links to the whole privacy policy that has to be readable, understandable and easily accessible[xxiii].

Location data. Any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service. Such data may only be processed when they are made anonymous, or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service. The service provider must inform the users or subscribers, prior to obtaining their consent, of the type of location data other than traffic data which will be processed, of the purposes and duration of the processing and whether the data will be transmitted to a third party for the purpose of providing the value added service. Users or subscribers shall be given the possibility to withdraw their consent for the processing of location data other than traffic data at any time. Where consent of the users or subscribers has been obtained for the processing of location data other than traffic data, the user or subscriber must continue to have the possibility, using a simple means and free of charge, of temporarily refusing the processing of such data for each connection to the network or for each transmission of a communication[xxiv].

N –

Notification. The controller or his representative, if any, must notify the supervisory authority before carrying out any wholly or partly automatic processing operation or set of such operations intended to serve a single purpose or several related purposes[xxv].

P –

Personal data. Any information relating to an identified or identifiable natural person (the data subject)[xxvi].

Personal data filing system. Any structured set of personal data, which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis[xxvii].

Privacy. The ability of an individual to be left alone, out of public view. Privacy covers issues relating to the protection of an individual’s personal space, so a possible interference must have a legal basis, having to be “in accordance with law”, as stated in Article 8 of the ECHR[xxviii].

Privacy by default. According to Regulation 679/2016 the controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals[xxix].

Privacy by design. According to Regulation 679/2016, a controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will “meet” the requirements of this Regulation and ensure the protection of the rights of the data subject[xxx].

Processor agreement. Processing via a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that the processor shall act only on instructions from the controller, respecting the same obligation to implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing[xxxi].

Profiling. Any form of automated processing of personal data consisting of using data to evaluate personal aspects relating to a natural person, in particular to analyse and predict aspects concerning performance at work, economic situation, health, personal preferences, or interests, reliability or behaviour, location or movements[xxxii].

Pseudonymisation. The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person.
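The entries “Anonymization” and “Pseudonymisation” above describe the distinction in legal terms; the following Python program, added here as an illustration and not part of the original glossary, shows what the distinction looks like in data. It replaces a direct identifier (an e-mail address) with a keyed HMAC-SHA256 pseudonym, keeps the key as the “additional information” that must be held separately, and shows that re-attribution is possible only for whoever holds that key together with a candidate identifier. The sample records and field names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, List, Optional

# Constructed sample records for this example; not real people or real data.
SAMPLE_RECORDS = [
    {"email": "Alice@example.org", "city": "Lisbon", "diagnosis": "asthma"},
    {"email": "bob@example.org", "city": "Porto", "diagnosis": "none"},
    {"email": "alice@example.org ", "city": "Lisbon", "diagnosis": "flu"},
]


def normalise(identifier: str) -> str:
    """Canonicalise the direct identifier so one person maps to exactly one pseudonym."""
    return identifier.strip().lower()


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the identifier.

    The key is the 'additional information' of the definition: it is what must be
    stored separately under its own technical and organisational measures. An
    unkeyed hash would not do, because low-entropy identifiers such as e-mail
    addresses can simply be re-hashed and compared.
    """
    return hmac.new(key, normalise(identifier).encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records: List[dict], key: bytes, identifier_field: str = "email") -> List[dict]:
    """Return copies of `records` with the direct identifier replaced by a pseudonym.

    The other fields are kept, so rows about the same person remain linkable
    (they share a pseudonym). That linkability is exactly why this is
    pseudonymisation and not anonymisation.
    """
    out = []
    for rec in records:
        rec = dict(rec)
        rec["subject"] = pseudonym(rec.pop(identifier_field), key)
        out.append(rec)
    return out


def reidentify(p: str, candidates: Iterable[str], key: bytes) -> Optional[str]:
    """Re-attribute a pseudonym: only possible with the key AND a candidate identifier.

    Recompute the pseudonym for each candidate and compare in constant time.
    """
    for c in candidates:
        if hmac.compare_digest(pseudonym(c, key), p):
            return normalise(c)
    return None


def new_key() -> bytes:
    """Generate a fresh 256-bit pseudonymisation key (to be stored apart from the data)."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = new_key()
    pseudo = pseudonymise_records(SAMPLE_RECORDS, key)
    for row in pseudo:
        print(row)
    # Whoever holds the key and a list of known identifiers can link back:
    print(reidentify(pseudo[0]["subject"], ["alice@example.org", "bob@example.org"], key))
    # Without the key the same call has nothing to compare against:
    print(reidentify(pseudo[0]["subject"], ["alice@example.org"], new_key()))
```

Two points follow from running it. First, the two rows for the same person carry the same pseudonym, so the data set is still subject-linkable; under the definition above that is by design, and it is what keeps the data personal. Second, destroying the key removes the re-attribution path shown by `reidentify`, but it does not by itself make the output anonymous in the sense of the “Anonymization” entry: the remaining fields (here city and diagnosis) may still single out a person, so irreversible de-identification has to address those fields as well, not only the direct identifier.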

R –

Right of access. The data subject is entitled to confirmation from the data controller, without constraint at reasonable intervals and without excessive delay or expense, as to whether or not data relating to him/her are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed. Moreover, the data controller has to communicate to him/her in an intelligible form the data undergoing processing and any available information as to their source[xxxiii].

Right to be forgotten. The data subject has the right to remove from the web the results obtained from searches made on the basis of his/her name. This right does not require deletion of the link from the indexes of the search engine: the original information will always be accessible using other search terms or by direct access to the source[xxxiv].

Right to be informed. The data subject has the right to be informed on the identity of the controller and of his representative, if any; on the purposes of the processing for which the data are intended; on the recipients or categories of recipients of the data; on the categories of collected data, if data are not taken from him/her; on whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply; on the existence of the right of access to and the right to rectify the data concerning him/her[xxxv]. (See above “Information”).

Right to block. The data subject has the right to block the processing of his/her personal data when it does not comply with applicable data protection law, in particular because of the incomplete or inaccurate nature of the data[xxxvi]. (See below “Right to rectify/erase the data”).

Right not to be subject to a significant or automated individual decision. The data subject has the right not to be subject to decisions that produce legal effects concerning him/her, or significantly affect him/her, and which are based solely on automated processing of data intended to evaluate certain personal aspects relating to him/her, such as his/her performance at work, creditworthiness, reliability, conduct, etc.[xxxvii].

Right to object. The data subject has the right to object at any time, on compelling legitimate grounds relating to his/her particular situation, to the processing of data relating to him/her, save where otherwise provided by national legislation, at least when his/her data are processed by a public authority or by a data controller relying on its legitimate interest. Moreover, he/she has the right to object, on request and free of charge, to the processing of personal data relating to him/her which the controller anticipates being processed for the purposes of direct marketing; to be informed before personal data are disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing; and to be expressly offered the right to object free of charge to such disclosures or uses[xxxviii].

Right to rectify/erase the data. The data subject has the right to have his/her personal data rectified or erased, in particular because of the incomplete or inaccurate nature of the data. The data controller has also to notify to third parties to whom the data have been disclosed any rectification, erasure or blocking carried out[xxxix].

S –

Special categories of data. Any data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life[xl].

Security of the processing. The data controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art (SOTA) and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected. Moreover, the data controller must ensure that personal data can be accessed only by authorised personnel for legally authorised purposes, and must implement a security policy with respect to the processing of personal data[xli]. (See above “Privacy by design”, “Privacy by default”, “Processor agreement”).

T –

Third party. Any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data[xlii].

Traffic data. Any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof. It must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication and its processing must be restricted to persons acting under the authority of providers of the public communications networks and publicly available electronic communications services handling billing or traffic management, customer enquiries, fraud detection, marketing electronic communications services or providing a value added service, and must be restricted to what is necessary for the purposes of such activities[xliii].

Transnational processing of personal data. Means either: processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State[xliv].


[i] Article 29 Data Protection Working Party, Opinion 5/2014 on anonymization techniques, adopted on 10 April 2014, page 7, in http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm.

[ii] Article 29 Data Protection Working Party, Working Document: Transfers of personal data to third countries: Applying Article 26 (2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers, adopted on 3 June 2003, in http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm.

[iii] Article 4(14), Regulation 679/2016, adopted on 4 May 2016, in http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&qid=1465303957140&from=EN.

[iv] Article 2(d), Directive 2002/58/EC, in eur-lex.europa.eu.

[v] Article 5(1), Directive 2002/58/EC, in eur-lex.europa.eu.

[vi] Article 2(h), Directive 95/46/EC, in eur-lex.europa.eu.

[vii] Article 29 Data Protection Working Party, Opinion 04/2012 on Cookie Consent Exemption, adopted on 7 June 2012, pages 4-5, in http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm.

[viii] See ITU report on Quality of Services for Wireless Fixed Communication Systems, in http://www.itu.int/pub/r-rep.

[ix] Article 32(2), Directive 95/46/EC, in eur-lex.europa.eu.

[x] Article 2(4)(c) and Article 35(c), Directive 2009/136/EC, in eur-lex.europa.eu.

[xi] Article 4(15), Regulation 679/2016, adopted on 4 May 2016, in http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&qid=1465303957140&from=EN.

[xii] Article 2(d), Directive 95/46/EC, in eur-lex.europa.eu.

[xiii] Article 2(b), Directive 95/46/EC, in eur-lex.europa.eu.

[xiv] Article 2(e), Directive 95/46/EC, in eur-lex.europa.eu.

[xv] “1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.”, Article 8, Charter of Fundamental Rights of the European Union, 2012/C 326/02, in eur-lex.europa.eu.

[xvi] Article 37, Regulation 679/2016, adopted on 4 May 2016, in http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&qid=1465303957140&from=EN.

[xvii] Article 2(g), Directive 95/46/EC, in eur-lex.europa.eu.

[xviii] Article 2(a), Directive 95/46/EC, in eur-lex.europa.eu.

[xix] Article 4(13), Regulation 679/2016, adopted on 4 May 2016, in http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&qid=1465303957140&from=EN.

[xx] Article 29 Data Protection Working Party, Opinion 02/2013 on apps on smart devices, adopted on 27 February 2013, pages 15 and 27, in http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm.

[xxi] Article 29 Data Protection Working Party, Opinion 02/2013 on apps on smart devices, adopted on 27 February 2013, page 22, in http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm.

[xxii] Article 26(1), Regulation 679/2016, adopted on 4 May 2016, in http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&qid=1465303957140&from=EN and http://www.consilium.europa.eu/en/press/press-releases/2015/06/15-jha-data-protection/.

[xxiii] Article 29 Data Protection Working Party, Opinion 02/2013 on apps on smart devices, adopted on 27 February 2013, pages 23-24, in http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm.

[xxiv] Article 2(c) and Article 9(1) and (2), Directive 2002/58/EC, in eur-lex.europa.eu.

[xxv] Article 18(1), Directive 95/46/EC, in eur-lex.europa.eu.

[xxvi] Article 2(a), Directive 95/46/EC, in eur-lex.europa.eu.

[xxvii] Article 2(c), Directive 95/46/EC, in eur-lex.europa.eu.

[xxviii] “1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.”, Article 8, Charter of Fundamental Rights of the European Union, 2012/C 326/02, in eur-lex.europa.eu.

[xxix] Article 34(2), Regulation 679/2016, adopted on 4 May 2016, in http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&qid=1465303957140&from=EN.

[xxx] Article 25(1), Regulation 679/2016, adopted on 4 May 2016, in http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&qid=1465303957140&from=EN.

[xxxi] Article 17, Directive 95/46/EC, in eur-lex.europa.eu.

[xxxii] Recital 71 and Article 22, Regulation 679/2016, adopted on 4 May 2016, in http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&qid=1465303957140&from=EN.

[xxxiii] Article 12, Directive 95/46/EC, in eur-lex.europa.eu.

[xxxiv] Article 17, Regulation 679/2016, adopted on 4 May 2016, in http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&qid=1465303957140&from=EN.

[xxxv] Article 12(a), Directive 95/46/EC, in eur-lex.europa.eu.

[xxxvi] Article 12(b), Directive 95/46/EC, in eur-lex.europa.eu.

[xxxvii] Article 15(1), Directive 95/46/EC, in eur-lex.europa.eu.

[xxxviii] Article 14, Directive 95/46/EC, in eur-lex.europa.eu.

[xxxix] Article 12(b) and (c), Directive 95/46/EC, in eur-lex.europa.eu.

[xl] Article 8(1), Directive 95/46/EC, in eur-lex.europa.eu.

[xli] Article 17(1), Directive 95/46/EC, in eur-lex.europa.eu, and Article 3(4)(b), Directive 136/2009/EC, in eur-lex.europa.eu.

[xlii] Article 2(f), Directive 95/46/EC, in eur-lex.europa.eu.

[xliii] Article 2(b) and Article 6(1)(5), Directive 2002/58/EC, in eur-lex.europa.eu.

[xliv] Article 4(1)(23), Regulation 679/2016, adopted on 4 May 2016, in http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&qid=1465303957140&from=EN.