Glossary 

binding corporate rules

means a set of binding rules adopted by an organisation and approved by national data protection regulators to ensure the protection of personal data in multiple jurisdictions.

Citizens' Rights Directive

means Directive 2009/136/EC amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws. 

data controller

means the person which alone or jointly with others determines the purposes and means of the processing of personal data (Article 2(d), Data Protection Directive).

data processor

means a person which processes personal data on behalf of a data controller (Article 2(e), Data Protection Directive).

Data Protection Directive

means Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

data subject

means an individual about whom personal data is being processed.

eCommerce Information

means: (a) clear identification of commercial communications, and unsolicited commercial communications, as such; (b) clear identification of the natural or legal person on behalf of whom a commercial communication is made; (c) promotional offers, competitions and games are clearly identified (including conditions for participation) and the relevant email does not encourage recipients to visit websites that contravene these requirements. 

fair processing information

means the provision of information about: (a) the identity of the data controller and of his representative, if any; (b) the purposes of the processing for which the data are intended; and (c) any further information in so far as such further information is necessary, having regard to the circumstances in which the data are collected, to guarantee fair processing (Article 10, Data Protection Directive).

general data security obligations

means the obligation to implement appropriate technical and organisational measures to protect personal data having regard to the state of the art, the risks represented by the processing and the nature of the data to be protected (Article 17(1), Data Protection Directive).

Model Contracts

means the contractual clauses set out in Commission Decision C(2010) 593, Commission Decision C(2004) 5271 and Commission Decision C(2001) 1539.

Opinion on Personal Data

means the Article 29 Working Party’s Opinion 4/2007 on the concept of personal data (WP 136).

Privacy and Electronic Communications Directive

means Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.

similar products and services exemption

applies where a person collects a customer’s e-mail details in connection with a sale of a product or service and uses these contact details for direct marketing of its own similar products or services provided that customers are given the opportunity to object to such use of electronic contact details when they are collected and on the occasion a message is sent.

standard conditions for processing personal data

means the processing satisfies the general principles for data processing and is: (a) carried out with the data subject’s consent; or (b) necessary for the performance of a contract with the data subject; or (c) necessary for compliance with a legal obligation; or (d) necessary in order to protect the vital interests of the data subject; or (e) necessary for the public interest or in the exercise of official authority; or (f) necessary for the data controller’s or recipient’s legitimate interests, except where overridden by the interests of the data subject. The general principles of data processing are that personal data is: (a) processed fairly and lawfully; (b) collected for specific, explicit and legitimate purposes and not processed in a manner incompatible with those purposes; (c) adequate, relevant and not excessive; (d) accurate and, where necessary, up to date; (e) kept in an identifiable form for no longer than necessary (Articles 6 and 7, Data Protection Directive).

standard conditions for processing sensitive personal data

means the processing: (a) is carried out with the data subject’s explicit consent; or (b) is necessary for a legal obligation in the field of employment law; or (c) is necessary to protect the vital interests of the data subject where the data subject is unable to give consent; or (d) is carried out by a non-profit-seeking body and relates to members of that body or persons who have regular contact; or (e) relates to data made public by the data subject; or (f) is necessary for legal claims; or (g) is necessary for medical reasons (Article 8(2) and 8(3), Data Protection Directive).

standard conditions for transborder dataflow

means the transborder dataflow: (a) is to a whitelisted country; (b) is made pursuant to a set of Model Contracts; (c) is made pursuant to binding corporate rules (if permitted in that jurisdiction); (d) is made with the data subject’s consent; (e) is necessary for the performance of a contract with, or in the interests of, the data subject; (f) is necessary or legally required on important public interest grounds, or for legal claims; (g) is necessary to protect the vital interests of the data subject; or (h) is made from a public register (Articles 25 and 26, Data Protection Directive).

standard definition of personal data

means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his identity (Article 2(a), Data Protection Directive).

standard types of sensitive personal data

means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life (Article 8, Data Protection Directive).

standard processor obligations

means obligations on the data processor to only act on instructions from the data controller and to comply with the general security obligations (Article 17, Data Protection Directive).

standard territorial test

means the application of a state’s national law to the processing of personal data by a data controller: (a) in the context of an establishment in the territory of that state; (b) not established in the territory of that state, but in a place where its national law applies by virtue of international public law; (c) using equipment in that state (other than for transit) where that data controller is not established on Community territory.

subject access information

means the provision of: (a) confirmation as to whether data relating to a data subject are being processed and information as to the purposes of the processing, the categories of data, and the recipients to whom the data are disclosed; (b) communication of the data undergoing processing and of any available information as to their source; and (c) knowledge of the logic involved in any automatic processing of data concerning the data subject (Article 12, Data Protection Directive).

transborder dataflows

means: (a) in the case of an EEA State, the transfer of personal data from a destination within the EEA to a destination outside of the EEA; and (b) in the case of other States, a transfer of personal data from within that State to any other State.

whitelisted country

means countries that the Commission has found to provide an adequate level of protection for personal data. This currently comprises Andorra, Argentina, Canada (partially), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and organisations in the US which have committed themselves to the “EU-U.S. Privacy Shield”.