GDPR terminology explained

Joost Krapels | Privacy
ten important GDPR terms

The GDPR defines what can and cannot be done with personal data. There is a good chance you are currently working on becoming GDPR compliant and are encountering many new terms. To complement the GDPR summary we published earlier, we have made a list of the most important GDPR terms and their meaning.


The GDPR is the General Data Protection Regulation, an EU law that was drafted in 2012 and will be applicable as of May 25th, 2018 in all member states to harmonize data privacy laws across Europe. A good full-text version is available at https://gdpr-info.eu.

Personal data
Personal data is any information relating to an identified or identifiable person.

Data subject
A data subject is a person who can be identified, directly or indirectly, by reference to an identifier. Examples of such identifiers are name, ID number, location data, and online identifiers relating to the social identity or beliefs of that person. Only a natural person can be a data subject. Companies, animals, and cars cannot be data subjects. Non-EU citizens can also be data subjects.

Processing (of personal data)
Processing of personal data is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. Nearly every verb that precedes “personal data” in a sentence describes a form of personal data processing. Examples of processing are collecting, storing, altering, using, erasing, and destroying personal data.

Special categories of personal data
The GDPR makes a distinction between several categories of personal data. Article 9 of the GDPR lists the following categories as special:

  1. personal data revealing racial or ethnic origin,
  2. political opinions,
  3. religious or philosophical beliefs,
  4. trade union membership,
  5. genetic data, biometric data processed for the purpose of uniquely identifying a natural person,
  6. data concerning health,
  7. data concerning a natural person’s sex life or sexual orientation.

Personal data of a special category may not be processed unless certain conditions apply. Mishandling of special-category data could have much more severe consequences for the rights and freedoms of people.

Controller
The controller is anyone that, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor
A processor is any party or organization that processes personal data on behalf of a controller. The processor does not determine the means and purposes of processing, but only performs the processing itself.

Data Protection Officer (DPO)
The Data Protection Officer is a person appointed within an organisation to monitor the processing of personal data. The person should have expert knowledge of data protection law and practices. The DPO should:

  • inform and advise the organisation and its data processing employees on the obligations set out by the GDPR
  • monitor compliance with the Regulation and other data protection laws
  • advise on DPIAs
  • be the face of the organisation towards the Supervisory Authority.

Data Protection Impact Assessment (DPIA)
A DPIA is “an assessment of the impact of the envisaged processing operations on the protection of personal data” (Article 35 GDPR). It needs to be carried out when a type of processing (in particular using new technologies) is likely to result in a high risk to the rights and freedoms of natural persons. See our DPIA explanation and template (Dutch) for more information on what a DPIA should contain.

Rights of data subjects
Under the GDPR, data subjects have seven clearly described rights. These rights are in place to make sure data subjects can exert control over personal data concerning them. Controllers should, under normal circumstances, allow data subjects to exercise these rights. Processors should, where possible, facilitate this. The rights are:

  • Right of access by the data subject (articles 13 and 14)
  • Right to rectification (article 16)
  • Right to erasure (‘right to be forgotten’, article 17)
  • Right to restriction of processing (article 18)
  • Right to data portability (article 20)
  • Right to object to data processing (article 21)
  • Right not to be subject to a decision based solely on automated processing (article 22)

Supervisory Authority
A Supervisory Authority is an independent public authority established by an EU Member State. According to the GDPR, each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of the Regulation. The goal of having these authorities is twofold: to protect the fundamental rights and freedoms of persons in relation to processing, and to facilitate the free flow of personal data within the EU. Supervisory Authorities cooperate with each other and with the European Commission. Examples of Supervisory Authorities are the Dutch Autoriteit Persoonsgegevens and the UK’s ICO.


All definitions are from GDPR directly, rephrased for readability by Sieuwert van Otterloo and Joost Krapels.

Image credit:  videmusart via unsplash

Author: Joost Krapels
Joost Krapels has completed his BSc. Artificial Intelligence and MSc. Information Sciences at the VU Amsterdam. Within ICT Institute, Joost provides IT advice to clients, advises clients on Security and Privacy, and further develops our internal tools and templates.