Data protection glossary

Specialist fields tend to develop their own technical vocabulary. A definition helps to make sure that everyone really means the same thing by a term; laws, agreements and contracts therefore usually open with a list of definitions. Here we have compiled a collection of more or less common data protection terms and explain each of them. If a term you need is missing, please write to us and we will add it.


Anonymisation

Origin:
The term "anonymisation" is derived from "anonymity", which in turn goes back to the ancient Greek "anónymos", "without a name": an action that cannot be attributed to the person who performed it.

Description:
Anonymisation is the process of modifying personal data in such a way that individual details about personal or material circumstances can no longer be attributed to an identified or identifiable natural person, or only with a disproportionate expenditure of time, cost and labour. It is therefore a form of altering data. Properly anonymised data falls outside the scope of the GDPR (Recital 26), so anonymisation removes the data protection burden. The bar is high, however: merely removing names while leaving attributes that, in combination, still single a person out (postcode, date of birth, job title) is not anonymisation but at most pseudonymisation, and the data remains personal data.

Example:
Secret ballot: voting in elections is based on the principle of anonymisation. It remains traceable who has voted, but a ballot paper can no longer be linked to the voter who cast it.

Right of access (right to information)

Origin:
Federal Data Protection Act (BDSG), § 34; EU GDPR, Art. 15

Description:
The right of a data subject to obtain access to the personal data about them that a controller processes.

Purpose:
Every data subject should be able to trace who has processed which personal data about them, and for which purposes.

Example:
After taking out a trial subscription to a magazine, more and more e-mails trickle in and even the letterbox overflows with flyers and advertising mail. With a request for access, the person concerned can find out which data about them is stored and to whom it has been passed on, and thus where to put a stop to it.

Commissioned data processing (processing on behalf of a controller)

Origin:
Federal Data Protection Act (BDSG), formerly § 11; today Art. 28 GDPR

Description:
A contract that the law requires whenever a service provider processes personal data on behalf of a company (the controller).

Purpose:
Responsibility cannot simply be outsourced: the company remains responsible for the security of the data even while the data is with the service provider.

Example:
A letter shop that prints a company's mailings, or the IT company that can access customer data during setup or maintenance. Mere access counts: a provider who can merely see personal data while doing its job is already processing it.

BDSG - new

Short for:
Federal Data Protection Act (new version); officially: "Act to adapt data protection law to Regulation (EU) 2016/679 and to implement Directive (EU) 2016/680 (Data Protection Adaptation and Implementation Act EU - DSAnpUG-EU)".

Description:
The BDSG-new specifies the handling of personal data in various areas within the room left by the so-called "opening clauses" of the General Data Protection Regulation (GDPR). The suffix "-new" designates the version of the BDSG that took effect on 25 May 2018, the day the GDPR became applicable.

Purpose:
The BDSG-new uses the latitude that the GDPR grants or permits for national legislation to adapt data protection law to national circumstances. It contains, for example, rules applicable in Germany on the protection of employee data, on the data protection officer and on the cooperation of the supervisory authorities at European level.

Data protection supervision

Origin:
State supervision of compliance with data protection law by an independent supervisory authority.

Description:
The term "supervisory authority" primarily denotes a state body that exercises a supervisory function over private-law or other public institutions. Data protection supervision is provided by independent authorities of the Member States. These authorities are responsible for monitoring and enforcing the application of the GDPR and of the Member States' own data protection laws.

Example:
In Germany there are independent data protection authorities at federal and state level. The Federal Commissioner for Data Protection and Freedom of Information (Andrea Voßhoff at the time of writing) is responsible for federal authorities. For non-public bodies, the state commissioner for data protection of the state in which the company is based is responsible. Only Bavaria splits the two areas between different bodies: the State Office for Data Protection Supervision for the non-public sector and the State Commissioner for Data Protection for the public sector.

Data protection policy (guideline)

Origin:
General Data Protection Regulation (GDPR), Accountability Art. 5 para. 2

Description:
A brief written record of what is expected of each individual employee when handling personal data, the basis on which such data is processed, and where more detailed guidance can be found.

Purpose:
Corporate management is responsible for compliance with the law, including data protection law. To prevent violations and to give employees clear instructions on how to handle personal data, companies draw up and publish data protection policies.

Due diligence

Origin:
The English term due diligence denotes the care required before entering into an agreement or contract.

Description:
Due diligence plays an important role in determining the value of an object of purchase. It denotes an examination in which the strengths and weaknesses of that object, and the associated risks, are analysed.

Example:
"IT due diligence" means the examination of the opportunities and risks within a company's IT. Above all, how future-proof and cost-conscious the IT is gets examined in order to assess the value IT contributes to the company as a whole. Where data-driven and IT-supported business processes are being introduced, their implementation warrants a deeper look. The main opportunities lie in synergies and efficiency gains; on the risk side, operational and monetary risks in particular are examined and assessed.

End-to-end encryption

Origin:
The word cryptography, the science to which encryption belongs, derives from the Greek kryptós, "hidden, concealed, secret".

Description:
End-to-end encryption ensures that transmitted data stays encrypted across every intermediate station. Only the legitimate communication partners, i.e. the two endpoints of the communication, can decrypt it. Encryption means converting "plaintext" into "ciphertext" under a key; the plaintext can only be recovered from the ciphertext with the corresponding key. End-to-end encryption thus protects the content against unauthorised access in transit and on the provider's servers. It does not protect against a compromised endpoint, and the provider usually still sees metadata (who communicates with whom, and when).

Example:
Sending messages with the messenger service Threema.
Only the sender and the recipient of a message can read it in the clear. The provider and other third parties have no access to the text messages, pictures or videos sent. The information is transmitted in encrypted form and decrypted only on the recipient's device. Decryption follows the lock-and-key principle: only the recipient holding the correct key can decrypt the message.
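The following Python snippet is an added illustration, not code from the glossary or from Threema, of what the description above means in practice: the two endpoints share a key, the provider's server only ever forwards opaque envelopes, and any alteration in transit is detected. The cipher itself (an HMAC-SHA256 keystream plus a separate HMAC tag, encrypt-then-MAC) is an illustrative stdlib-only construction chosen so the example runs anywhere; real messengers use a standard AEAD such as ChaCha20-Poly1305 or AES-GCM together with an authenticated key exchange. The shared secret, the `Relay` class and the message are assumptions of the example.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(shared_secret):
    """Derive separate encryption and MAC keys from the secret that only
    the two endpoints know (HKDF-style expand step using HMAC-SHA256)."""
    enc_key = hmac.new(shared_secret, b"e2ee-demo enc", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"e2ee-demo mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter) blocks.
    Illustrative stream cipher only. A nonce must never be reused with the
    same key, otherwise two ciphertexts leak the XOR of their plaintexts."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal(shared_secret, plaintext, nonce=None):
    """Sender side: encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(shared_secret, envelope):
    """Recipient side: verify the tag first (constant-time compare), then
    decrypt. Raises ValueError if the envelope was altered or the key is wrong."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce, ciphertext, tag = envelope[:NONCE_LEN], envelope[NONCE_LEN:-TAG_LEN], envelope[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: tampered message or wrong key")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class Relay:
    """Stand-in for the provider's server: it stores and forwards envelopes
    but holds no key, so all it can log is the opaque envelope plus metadata."""

    def __init__(self):
        self.log = []

    def forward(self, envelope):
        self.log.append(envelope)
        return envelope


def send_via_relay(shared_secret, plaintext, relay):
    """Alice seals, the relay forwards, Bob unseals. Returns what Bob read."""
    return unseal(shared_secret, relay.forward(seal(shared_secret, plaintext)))


if __name__ == "__main__":
    # Assumption of the demo: both endpoints already agreed on this secret,
    # e.g. via a key exchange; the relay never sees it.
    secret = os.urandom(32)
    relay = Relay()
    message = b"Meet at 10:00 at the station"
    print("Bob read:", send_via_relay(secret, message, relay))
    print("Relay saw plaintext?", message in relay.log[0])
```

The relay's log is what a provider (or anyone who seizes its servers) could read: a random nonce, bytes that look random, and a tag. Flipping a single ciphertext bit or trying a different key makes `unseal` refuse the message instead of returning garbage, which is why the tag is checked before any decryption happens.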

EU-GDPR

Short for:
European General Data Protection Regulation, Regulation (EU) 2016/679

Description:
Europe-wide uniform rules for the processing of personal data that also ensure the free movement of such data.
Entry into force: 24.05.2016
Applicable from: 25.05.2018

Purpose:
The Regulation creates binding and almost uniform rules for the protection of personal data throughout Europe and substantially raises the fines available to enforce them.

Entry into force vs. application

Origin:
Art. 99 GDPR

Description:
A law becomes effective when it enters into force. To be distinguished from this is the date from which it applies. The date set for applicability, for example with regard to particular circumstances, assessment periods or financial years, can differ from the date of entry into force.

Example:
The GDPR entered into force on 24 May 2016, the twentieth day after its publication in the Official Journal of the EU on 4 May 2016, as provided for in Article 99(1). It has applied since 25 May 2018, as laid down in Article 99(2).

Notification obligation

Origin:
GDPR Art. 33 and 34; Recitals 85 to 88

Description:
The General Data Protection Regulation requires personal data breaches to be notified to the supervisory authority. The notification must be made without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Art. 33(1)); a later notification must state the reasons for the delay. If a notifiable breach is not reported, the supervisory authority may impose fines of up to EUR 10 000 000 or, for an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher (Art. 83(4)).

Example:
An attacker gains access to the data of a web shop operator, who has stored personal data of its customers, including credit card details. As soon as the intrusion becomes known, the notification duty must be fulfilled within 72 hours. Since the risk to those affected is high (unwanted charges to their cards), the data subjects must also be informed without undue delay (Art. 34) so that they can have their cards blocked.

Patch

Description:
A patch is a corrective delivery for software or data, supplied to the end user to fix errors (usually to close known security gaps) or to add functions that were previously missing.

Example:
Every PC user knows operating system updates. For Microsoft Windows there is the so-called "Patch Tuesday": on the second Tuesday of each month, updates and patches for the operating system are released and then installed on the computers.

PIA (DPIA)

Short for:
Privacy Impact Assessment (Data Protection Impact Assessment)

Origin:
EU GDPR, Art. 35

Description:
Preliminary assessment of the risk that a specific processing of personal data poses to the data subjects.

Purpose:
Before certain processing operations are introduced, the controller should have assessed the associated risk and documented the reasoning behind the decision taken. If the risk cannot be reduced to an acceptable level with reasonable measures and technology, the supervisory authority must be consulted beforehand (prior consultation, Art. 36) to clarify whether and how the planned processing may be introduced.

Example:
Before installing a video surveillance system that may record people, it must be considered whether there is sufficient justification for such recording or whether less intrusive measures would suffice. In addition, the measures taken to protect the recorded data must be proportionate. All steps and decisions must be documented together with their reasons.

Phishing attacks

Origin:
Coined from "fishing": the attacker fishes for credentials with bait.

Description:
Phishing describes attempts to obtain an Internet user's personal data by means of fake e-mails, websites, text messages or the like. The target is frequently login data (user name and password).

Example:
The captured login data can then be used, for example, to log in to the victim's online banking and empty the account.
Often the fake site is an exact replica of the real one so that the victim suspects nothing. The victim believes they are logging in to their bank's online banking, but the credentials go straight to the attackers. The same scenario works with shopping portals or e-mail accounts: orders can be placed at the victim's expense or their e-mails read. Because passwords for other services can usually be reset via the e-mail account, a compromised mailbox gives the attackers further access, and the victim suffers further, usually financial, damage.

Pseudonymisation

Origin:
Art. 4(5) GDPR; Recital 26

Description:
Pseudonymisation is the process of replacing a name or other identifier with a pseudonym in order to prevent or impede the identification of the person concerned. Under Art. 4(5) GDPR the additional information needed to re-identify the person (the key or the mapping table) must be kept separately and protected by technical and organisational measures. Unlike anonymised data, pseudonymised data remains personal data and stays within the scope of the GDPR; pseudonymisation is a risk-reducing safeguard, not an exit from the law.
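As an added illustration covering both the Anonymisation and the Pseudonymisation entries (example code, not from the glossary), the following Python snippet runs a constructed set of fictional personnel records through three treatments: a keyed pseudonym (HMAC-SHA256) that stays linkable and reversible for whoever holds the key, an unkeyed hash that a dictionary attack reverses and therefore is not anonymisation, and a generalise-and-suppress step that yields k-anonymous rows. The records, the key, the field names and the choice of quasi-identifiers are assumptions of the example.

```python
import hashlib
import hmac

# Constructed sample records about fictional persons (not data from the page).
RECORDS = [
    {"name": "Anna Beispiel", "email": "anna@example.org", "zip": "10115", "age": 34, "dept": "HR"},
    {"name": "Ben Muster", "email": "ben@example.org", "zip": "10117", "age": 37, "dept": "IT"},
    {"name": "Cem Test", "email": "cem@example.org", "zip": "80331", "age": 52, "dept": "IT"},
]
DIRECT_IDENTIFIERS = ("name", "email")


def _identity(record):
    return "|".join(record[f] for f in DIRECT_IDENTIFIERS).encode()


def pseudonymise(records, key):
    """Replace the direct identifiers with a keyed pseudonym (HMAC-SHA256).

    Records stay linkable (same person -> same pseudonym) and anyone holding
    `key` can re-identify a person by recomputing the HMAC. The key is the
    'additional information' of Art. 4(5) GDPR and must be stored separately;
    the output is still personal data.
    """
    out = []
    for r in records:
        pid = hmac.new(key, _identity(r), hashlib.sha256).hexdigest()[:16]
        out.append({"pid": pid, **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}})
    return out


def reidentify(pseudonym, candidates, key):
    """Re-identification as the key holder does it: test each known person
    against the pseudonym. Without the right key every test fails."""
    for r in candidates:
        candidate = hmac.new(key, _identity(r), hashlib.sha256).hexdigest()[:16]
        if hmac.compare_digest(candidate, pseudonym):
            return r
    return None


def unkeyed_hash(record):
    """Plain SHA-256 of the e-mail address. Often sold as 'anonymisation',
    but e-mail addresses are guessable, so the hash is merely a pseudonym
    that anyone can reverse with a candidate list (see crack_unkeyed)."""
    return hashlib.sha256(record["email"].encode()).hexdigest()


def crack_unkeyed(digest, candidates):
    """Dictionary attack on an unkeyed hash: hash every candidate and compare."""
    return next((r["email"] for r in candidates if unkeyed_hash(r) == digest), None)


def _generalise(record):
    decade = record["age"] // 10 * 10
    return {"region": record["zip"][:2], "age_band": "%d-%d" % (decade, decade + 9), "dept": record["dept"]}


def anonymise(records, k=2):
    """Drop direct identifiers, generalise the quasi-identifiers (ZIP code ->
    two-digit region, age -> decade band) and suppress every group with
    fewer than k members, so each remaining row is indistinguishable from
    at least k-1 others (k-anonymity on region and age_band)."""
    groups = {}
    for row in map(_generalise, records):
        groups.setdefault((row["region"], row["age_band"]), []).append(row)
    return [row for grp in groups.values() if len(grp) >= k for row in grp]


def is_k_anonymous(rows, k, quasi=("region", "age_band")):
    """Check: does every combination of quasi-identifier values occur at least k times?"""
    counts = {}
    for row in rows:
        q = tuple(row[f] for f in quasi)
        counts[q] = counts.get(q, 0) + 1
    return all(c >= k for c in counts.values())


if __name__ == "__main__":
    key = b"demo-key-kept-separately"  # assumption: in practice a random secret held by a separate team
    print("pseudonymised:", pseudonymise(RECORDS, key))
    print("anonymised (k=2):", anonymise(RECORDS, k=2))
```

Two points worth noticing when running it: the third record disappears from the anonymised output because a 52-year-old in region 80 is unique in this set and would be identifiable, and the unkeyed hash of the e-mail address is recovered instantly from a candidate list, which is why a plain hash does not take data out of the GDPR.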

Accountability

Origin:
Art. 5 para. 2 GDPR

Description:
Accountability means that the controller bears the burden of demonstrating and proving compliance with the GDPR. For the controller this amounts to a reversal of the burden of proof: the data subject or the supervisory authority does not have to prove a violation of the GDPR; rather, the controller has to prove that the processing complies with it.

Example:
A company must be able to prove that it has complied with the principles of the GDPR when processing personal data and that it has taken appropriate technical and organisational measures.

Sensitive data

Origin:
EU GDPR Recital 51, Art. 9

Description:
"Sensitive data" or "special categories of personal data" are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. The category also covers genetic data, biometric data used to uniquely identify a natural person, health data and data concerning a person's sex life or sexual orientation.

Purpose:
Sensitive data deserves special protection because of the significant risks its processing poses to fundamental rights and freedoms. To match the increased potential for harm in case of misuse, the law imposes particularly strict requirements on the processing of "special categories of personal data".

Example:
The human resources department holds a particularly large amount of sensitive data that can reveal employees' religious beliefs, trade union membership and state of health. Special technical and organisational measures should therefore be taken in HR to restrict access to this data. At a minimum, the personnel office should have lockable doors, cabinets, applications and storage areas that are accessible only to a very small circle of employees.

TOM

Origin:
TOM stands for "technical and organisational measures".
The term originates from the BDSG, where, until the GDPR became applicable, it was regulated in § 9 of the first section "General and common provisions". Today it is found in Chapter IV "Controller and processor" of the GDPR, in the provisions on processors and on security of processing (Articles 28 and 32).

Description:
TOM are the technical and organisational measures that ensure the security of data processing. They protect data during storage and filing on computer systems and in paper files, during (further) processing, transmission and transport, and against loss. Technical measures are protections that are physically implemented or built into hardware and software. Organisational measures are protections implemented through instructions, procedures and processes.

Examples:
Technical measures include fencing of the premises, securing of doors and windows, but also user accounts, enforced password rules and backups.
Organisational measures include visitor registration, the four-eyes principle, work instructions and defined intervals for spot checks.

Controller and processor

Origin:
GDPR Article 4 Definitions, Article 28 Processor

Description:
Controller
means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Purpose:
Clearly identifying who is controller and who is processor is an essential step in defining the rights and obligations laid down in a data processing agreement.

Example:
A company rents servers in a data centre. The company is the "controller", the operator of the data centre is the "processor". The controller decides on the purposes and means of the processing: how many servers are provided, which programs run on them and which data is processed. The processor acts only on the controller's documented instructions (Art. 28(3)(a)).

Personal data breach

Origin:
GDPR Article 4(12), Articles 33 and 34

Description:
A personal data breach is a breach of security that leads to personal data being viewed, copied, altered or deleted by unauthorised persons, or to its accidental destruction, loss or disclosure (Art. 4(12)). A ransomware infection that makes data unavailable, or a laptop lost in a taxi, is therefore a breach even if nobody is known to have read the data.

Example:
A data breach can occur, for example, through a hacker attack in which the attacker gains access to the company's data and copies it. Most often, however, a data breach originates within the company, whether through employees who want to harm it or through careless handling of personal data.

Records of processing activities

Origin:
EU GDPR, Article 30

Description:
Documentation of the data processing processes of personal data in the company

Purpose:
So that it can be traced and verified that data processing is lawful at every stage, including any (sub-)processors involved, the law requires every company to maintain a record of processing activities. The record shows, for instance, to whom data has been passed on and when it will have to be deleted.

Example:
When a request for access is received, the record of processing activities can be used to reconstruct how the requester's data was processed and to whom it was passed on, as well as when its scheduled deletion is due.

Purpose limitation

Origin:
The principle of purpose limitation was established in the Census Judgment (Volkszählungsurteil) of the Federal Constitutional Court of 15 December 1983; today it is laid down in Art. 5(1)(b) GDPR.

Description:
Purpose limitation ensures that data is processed only for the purpose for which it was collected. Processing for a purpose other than the one originally stated is referred to as a change of purpose, which is permitted only on a legal basis or with the consent of the data subject.

Example:
As part of the hiring process, employees' dates of birth are recorded for personnel administration. The company may not, however, use the date of birth to congratulate employees on their birthday without their consent.