Glossary of Compliance


Our curated compliance glossary offers everything you need to know about compliance in one place.


A

Accountability

Under the GDPR, accountability is a principle that requires companies to put in place appropriate organizational and technical measures and, when requested, to demonstrate both their compliance with the regulation and the effectiveness of those measures.

ACTA

The Anti-Counterfeit Trade Agreement is a multilateral treaty aimed at establishing a legal framework for the enforcement of intellectual property rights and practices. The plurilateral agreement was an initiative born out of the need to curb counterfeiting and copyright infringement and to strengthen international trade cooperation. The agreement was signed by the EU as represented by…

Adequacy Decision

An adequacy decision is a formal decision by the EU recognizing that another country, sector, territory, or international company provides a level of protection for personal data equivalent to that provided within the EU.

Anonymization

Anonymization is a procedure for concealing personal data. It ensures that individuals remain anonymous and that their identifying information is removed from the data sets used. For example, if a particular person’s purchases or movements were logged over time, then anonymization would mean that it would be impossible for another individual or organization to…

Article 29 Working Party

The processor, or any person acting under the authority of the processor or of the controller who is authorized to access personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.

Article 93 Committee Procedure

According to Article 93, the Commission is assisted by a committee composed of Member State representatives and chaired by the Commission in order to fulfil its implementation obligations. It may exercise its powers in line with either of two implementation procedures laid down for the Commission, i.e., the advisory procedure…

Automated Individual Decision

An automated individual decision is a decision that is a direct result of the automated processing of a data subject’s personal information. Article 22 of the GDPR gives individuals the right to object to such decisions. There are three exceptions to this rule:
– These decisions are essential for the entry or execution of a…

BCRs

Binding Corporate Rules, or BCRs, provide a framework for guaranteeing consistent and secure data protection when organizations exchange data. BCRs must include all essential data protection principles and enable individuals to exercise their enforceable rights. This is especially important if personal data is being transferred outside of the EU, as an extra layer of security…

Breach Notification

Breach Notification under the GDPR is the obligation of a controller to report any security incident in which individuals’ personal data have been subject to unauthorized access or disclosure, destruction, or other forms of misuse. It helps alert data subjects and regulators of a potential breach and provides them with information about the incident. This…

Data Controller

A Data Controller under the GDPR is defined as the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means by which personal data will be processed.

Data Minimization

Data Minimization requires that a data controller restrict the collection of personal information to what is directly necessary and relevant to accomplish a certain task, and retain it only for the period deemed necessary to fulfil that purpose.

Data Mining

Data mining, or ‘profiling’, is an automated process that analyzes, processes, and makes decisions based on specific aspects of a data subject. Under the GDPR, it is imperative that data processors and controllers inform data subjects of the existence of such processes, the logic involved, and the decision-making instruments used. If these decisions are made as per a contract…

Data Portability

Under the GDPR, individuals can obtain the personal data that a controller holds about them and use that information for any purpose they choose. This right of Data Portability, among other rights covered under the GDPR, empowers individuals in many ways.

Data Protection Authority

A Data Protection Authority is a public entity that oversees the implementation of data protection laws. These authorities can take both investigative and corrective measures to that end, and also offer guidance on data privacy issues. Complaints regarding breaches of the GDPR or of corresponding national laws are also handled by these authorities.

Data Protection Day

On January 28th every year, Data Protection Day takes place to remind us of the importance of protecting our data and following best practices. It was created in 2006 by the Council of Europe as an effort to increase respect for private lives and personal data, in accordance with data security standards such as the…

Data Protection Directive 95/46/EC

The Data Protection Directive protects the personal data and rights to privacy of EU citizens, making it an essential piece of legislation. It was enacted in October 1995 in the form of Directive 95/46/EC, and has since been at the foundation of modern protection standards for personal data within the European Union. 

Data Protection Principles

Everyone who uses personal data must abide by strict rules called ‘data protection principles’. They must ensure the information is used fairly, lawfully, and transparently; used for specified, explicit purposes; and used in a way that is adequate, relevant, and limited to only what is necessary.

Data Retention

The GDPR Data Retention rules say that any personal data collected or processed must be retained solely for the duration necessary to accomplish the purpose for which the information was initially gathered. However, it is important to note that there are exceptions, such as scientific or historical research.

Data Sovereignty

Data Sovereignty means that sensitive information is subject to the laws and regulations of the country in which the data originated. This gives data owners the right to control and protect the use of their data. For example, the data of people in the European Union is safeguarded by the GDPR.

Data Subject

A Data Subject is an individual who can be identified by personal data identifiers. Such identifiers include, but are not limited to, their name, address, phone number, email, location data, or other factors that specify a person’s physical, physiological, genetic, mental, economic, cultural, or social identity.

Data Transfer

Data Transfer is the intentional sending of personal data to some other party, or the authorizing of that party to use it, where neither the sender nor the recipient is the data subject. Data transfer should not be confused with data collection.

DPA

The Data Protection Act (DPA) is a legislative framework that lays down the rules for the use of personal data by organisations, government, and businesses. The law was enacted in 2018 to enforce the UK’s General Data Protection Regulation.

DPIA

A Data Protection Impact Assessment (DPIA) is an important tool to mitigate risk and demonstrate compliance with the GDPR. In a DPIA, companies consider the risk associated with the personal data they process and analyze ways of minimizing those risks as early as possible. For example, if your company intends to use facial recognition technologies…

DPO

A Data Protection Officer (DPO) is a critical role in any organization, as they are responsible for overseeing the IT infrastructure and data security. They act as a focal point where individuals can send their privacy queries and issues, working to ensure that data is kept secure, utilized responsibly, and disposed of properly at all…

E-privacy Directive 2009/136/EC

The European Parliament and Council Directive 2009/136/EC, passed on 25 November 2009, amended Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, as well as Directive 2002/58/EC concerning the processing of personal data and privacy in electronic communications. Furthermore, Regulation (EC) No 2006/2004 was amended for cooperation between…

EDPB

The European Data Protection Board (EDPB) was created to address the crucial need for unified regulation. EDPB ensures that citizens have access to similar privacy services no matter where they are located in the EU by overseeing GDPR compliance and promoting collaboration between EU data protection authorities. With EDPB in place, Europeans can feel secure…

EDPS

Established in 2004, the European Data Protection Supervisor (EDPS) plays an important role in protecting individuals’ personal data. As a result of the General Data Protection Regulation, this independent Supervisory Authority is responsible for monitoring and enforcing compliance with data protection law within EU institutions and bodies. The EDPS works independently to ensure personal data…

Encrypted Data

When plain information is transformed into a coded format to prevent unauthorised use or viewing, it becomes encrypted data. Encrypted data can only be decoded with the corresponding key, so only those who hold the key and have the authority to use it can view the data. Sensitive information such as personal data, financial information, confidential data…

EU PNR Directive

The EU PNR Directive regulates the transfer of passenger name record (PNR) data of passengers on international flights to European Union (EU) Member States, and the processing of these data by the Member States’ competent authorities.

EU-US and Swiss Privacy Shield

The EU-US and Swiss Privacy Shield frameworks were designed by the European Commission and the Swiss Administration, respectively, together with the U.S. Department of Commerce, to provide companies on both sides of the Atlantic with a mechanism that complies with data protection requirements when personal data is transferred from the European Union or Switzerland to…

Eurodac

Eurodac, short for European Asylum Dactyloscopy, is a database that stores and compares the fingerprints of asylum seekers. It collects and processes fingerprints of asylum seekers and other migrants, allowing information to be quickly shared between Member States. It also helps to ensure the security of Europe’s borders, and provides a very useful resource in…

European Conference

The European Conference in GDPR is a fantastic opportunity for those who wish to remain informed on the latest developments in data protection laws. Presentations and discussions at this hybrid conference will cover how new technology impacts existing GDPR regulations and what practitioners need to be aware of throughout the EU. Attendees will gain practical…

Genetic Data

Genetic Data is the information that can be derived from a person’s genetic make-up or DNA. This data specifies inherited physical traits, ancestry, and other genetic markers. It is used for medical research and treatment; for example, a person’s susceptibility to certain diseases can be assessed using the data. It can also be used by the…

Grounds For Processing

As set out in Article 6 of the GDPR, the lawful grounds for processing personal data are:
– Compliance with a legal obligation
– Consent of an individual
– Protecting the vital interests of a person
– Performance of a contract
– Necessary for organizations to implement required changes in the public interest

ICO

The Information Commissioner’s Office (ICO) is the independent regulatory body that focuses on upholding information rights by processing complaints and taking action on breaches and international duties in the best interest of the general public. Every organization that processes personal data should register with the ICO, which then collates registrant…

International Conference

The International Conference is an annual event where international, national, and sub-national authorities gather. It brings together industry and subject matter experts from different sectors. Data protection stakeholders in Europe meet their colleagues from Canada, Latin America, Japan, and other countries in the Asia Pacific region to discuss issues related to challenges, interests, and strategy.

Joint Supervisory Authorities

Joint Supervisory Authorities is a model that organizes data protection supervision of large IT databases based in Europe and some agencies in the field of law enforcement and national data protection authorities. They inspect CIS databases, provide advice, and examine access requests.

Large-Scale IT Systems

Large-scale IT systems are set up by the European Union and include:
– Visa Information System
– Schengen Information System
– Customs Information System
– Internal Market Information System
The national DPAs and the EDPS work in joint collaboration to coordinate and supervise these databases.

Member State

The GDPR lists member states or countries that have chosen to comply with the regulation. This includes countries within the European Union—Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden as well as countries…

Parental Consent

Article 8 of the GDPR lists specific conditions with regard to the collection and processing of personal information of children. It mandates that in order to process information for any child under the age of 16, organizations are required to gain consent from individuals that hold the parental responsibilities of the child. The individual that…

Personal Data Breach

Within the context of the GDPR, a personal data breach is a security incident that causes the accidental or deliberate destruction, alteration, loss, exposure of, or unlawful access to personal information. In the event of a data breach, the data controller must alert the supervisory authority within 72…

Personal Data Filing System

A Personal Data Filing System in the GDPR is defined as “any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis”. Essentially, it defines a filing system in relation to structured personal data. Data filing must be structured to enable easy access…

PETs

PETs or Privacy Enhancing Technologies in GDPR refer to a coherent system that uses a set of measures to protect privacy. It reduces or eliminates personal data or prevents unnecessary processing of data while maintaining the functionality of the system. PETs help to fight and detect breaches.

Privacy By Design

Privacy by Design is an approach that was developed to battle the ever-increasing threats to information privacy and security. It implements privacy at the core of engineering and design methodology for any product, service, system, or process. The scope of privacy doesn’t end with design but rather extends throughout the lifecycle of any such product….

Privacy Notice

Also known as a fair processing notice, a privacy notice is one of many documented notifications that must be provided to customers and other parties. Under the rules of the GDPR, every data controller must provide customers with information on how they plan to store and process their personal information. This notification serves two purposes—…

Privacy Shield

Privacy Shield was an informal agreement between the United States and the European Union. It specified regulations designed to ensure that any transfer of personal data from within the European Union to the United States conformed to the data protection standards of the EU. It included a number of assurances from the government…

Processor Agreement

A DPA, or Data Processing Agreement, is an agreement between a data processor (for instance, a third-party service provider) and a data controller (such as a company) to regulate any personal data processing that might be conducted for business purposes. A DPA is also known as a GDPR data processing agreement.

Regulation (EC) No 45/2001

Regulation (EC) No 45/2001 is concerned with protection of individuals in relation to personal data processing by EC institutions. It requires institutions to appoint a data protection officer and European Data Protection Supervisor to be an independent authority for data protection.

Restriction on Processing

Restriction on Processing is a right under the GDPR that allows individuals to restrict the processing of their data in certain circumstances. It acts as an alternative to requesting complete removal/erasure of the data. It applies when the data is inaccurate, unlawfully processed, no longer needed by the controller but needed by the individual,…

Right of Information

Right of Information gives individuals the right to be informed about how their personal data is collected and used by the controller. If the data is obtained directly, the person concerned must be informed at the time the data is obtained. If the data is not obtained directly, the person concerned must be informed within a…

Right of Rectification

Right of Rectification gives individuals the right to rectify incorrect data held by the controller without any undue delay. The individual has the right to get inaccurate data edited by providing supplementary information.

Right To Access

According to Article 15 of the GDPR, every individual has the right to access the data held about them and the details of the processing criteria. This right forms the basis on which every other right under the GDPR is exercised. The fulfilment of this right happens in two distinct stages. The data controller first analyzes if…

Right To Be Forgotten

The Right to be Forgotten is a right afforded to every individual under Article 17 of the GDPR. It states that any individual can invoke the right to have their personal information completely erased from the data controller’s records without undue delay (which amounts to about 30 days from the request). This is done…

Right to Object

Right to Object in Article 21 of GDPR provides individuals with the right to object to their personal data being processed at any given time. It is applicable in cases if the data is used for direct marketing, to conduct a task in public interest, where personal legitimate interests are concerned, and if the exercise…

Safe Harbor Principle

The Safe Harbor Principle is a set of guidelines relating to the exchange of data between the United States of America and the European Union (and Switzerland). It ensures that data exchanges between the EU and the US abide by the principles of notice, choice, onward transfer, security, data integrity, access, and enforcement.

SIS

SIS II, also known as Schengen Information System, is a large-scale information system that facilitates cooperation between customs and police authorities, and national border control, in the Schengen Area.

Special Categories of Personal Data

The special categories of personal data under the GDPR can be classified into the following:
– Trade union membership
– Processing of biometric or genetic data used for the purpose of uniquely identifying a person
– Political opinions
– Religious or philosophical beliefs
– Data concerning a natural person’s sex life or health, or sexual…

Standard Contractual Clauses

Standard Contractual Clauses govern the exchange of personal information between EU and non-EU countries. Under the General Data Protection Regulation, these contractual clauses can be used as a ground for data transfers between the EU and third countries, ensuring appropriate data protection safeguards.

Subject Access Request

Under the Right of Access, a data subject (individual) can raise a written or verbal Subject Access Request (SAR) that grants them access to their information and allows them to understand if their information is being processed or not. Data processors will be required to fulfill SARs within a month of them being raised and…

Supervisory Authority

Supervisory Authority is any local agency, national agency, multinational agency, department official, parliament, regulatory authority, supervisory authority, professional body, government body, or board responsible for administering data processing laws.

Third Party

The GDPR defines a Third Party as any entity excluding the data controller, data subject, or processor who, under authorization of the processor or controller, is allowed to receive and process personal data. A third party is not a processor that works on behalf of the data controller. They are not restricted by the controller….

Traffic Data

Traffic Data can be defined as: “any data processed with the purpose of the conveyance of a communication using an electronic communications network or for the billing with respect to that communication and includes data relating to the duration, routing, or time of a communication.”

Visa Information System

VIS is a central database holding facial images and fingerprints (biometrics) of individuals applying for a limited-stay visa within the Schengen Area. Member States’ consular offices around the world use the system, which enables authorities to exchange visa information for limited-term stays in the Schengen countries.
