Data protection GLOSSAR

Adequacy refers to the assessment of whether a third country or an international organisation offers an adequate level of data protection. This is determined by the European Commission and means that the data protection standards of the country or organisation in question essentially correspond to the standards of the EU.

An adequacy decision is a decision by the European Commission that a third country, a territory or a specific sector within a third country or an international organisation provides an adequate level of protection for personal data. This allows the free flow of data between the EU and these countries or organisations without additional data protection safeguards.

Anonymisation is the process by which personal data is changed in such a way that the data subject can no longer be identified. This means that the data is no longer considered personal data and is therefore no longer subject to the requirements of the GDPR.

The retention obligation refers to the legal obligation to retain certain data for a specified period of time. This obligation can arise from various legal requirements, such as tax or commercial law regulations.

A supervisory authority is an independent public body responsible for monitoring the application of data protection laws. Each EU member state has one or more supervisory authorities to ensure that citizens' data protection rights are upheld.

A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. The processor only acts in accordance with the instructions of the controller and is contractually obliged to comply with data protection regulations.

An order processing contract (AVV) is a contract between the controller and the processor that defines the conditions and requirements for the processing of personal data. This contract must ensure that the processor only processes the data in accordance with the controller's instructions and in compliance with data protection regulations.

The data subject's right of access enables data subjects to obtain confirmation from the controller as to whether personal data relating to them is being processed and, if so, to obtain access to this data and certain information about it. This includes information about the purposes of the processing, the categories of data processed and the recipients or categories of recipients to whom the data has been or will be disclosed.

An automated individual decision is a decision based solely on automated processing of personal data that produces legal effects concerning the data subject or similarly significantly affects the data subject. The GDPR ensures that such decisions may only be taken under certain conditions in order to protect the rights and freedoms of the data subjects.

The notification of data subjects is an obligation of the controller to inform the data subjects without undue delay in the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of the data subjects.

Legitimate interest is a legal basis for the processing of personal data in accordance with Art. 6 para. 1 lit. f GDPR. It exists if the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

The right to rectification gives the data subject the right to obtain from the controller without undue delay the rectification of inaccurate personal data. This also includes the right to have incomplete personal data completed.