Previous Chapter | Foreword | Index of Chapters
ad hoc clauses means a set of clauses for Cross-Border Data Transfers, which require prior approval by a DPA (see Chapter 13).
Adequacy Decision means a decision by the Commission to designate a third country as an Adequate Jurisdiction.
Adequate Jurisdiction means one of the following jurisdictions that have been designated by the Commission as providing an adequate level of protection for personal data: Andorra, Argentina, Canada (for organisations that are subject to Canada's PIPEDA law), Switzerland, the Faeroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, and Uruguay. In light of the CJEU's decision in Schrems II, the EU-US Privacy Shield is no longer deemed adequate.
BCRs means Binding Corporate Rules, a mechanism for conducting lawful Cross-Border Data Transfers within a corporate group (see Chapter 13).
CFR means the Charter of Fundamental Rights of the European Union (2000/C 364/01).
CJEU means the Court of Justice of the European Union.
Code of Conduct means a code adhered to by an organisation, which may provide evidence of compliance with the requirements of EU data protection law (see Chapter 12).
Commission means the European Commission.
Concerned DPA means a DPA of a Member State, the residents of which are affected by an organisation's data processing activities (e.g., if Dutch residents are affected by the relevant processing, then the Dutch DPA is a Concerned DPA—see Chapter 14).
Consistency Mechanism means the mechanism set out in the GDPR which requires DPAs to ensure that they enforce the GDPR in a consistent manner (see Chapter 15).
controller means the person(s) who determine the purposes and means of processing personal data (see Chapter 5).
Costeja means the decision of the CJEU in Google v Costeja (Case C-131/12).
Council means the Council of the European Union.
Cross-Border Data Transfer means a transfer of personal data to a recipient in a country outside the EEA (see Chapter 13).
data breach means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data (see Chapter 5).
data exporter means a controller (or, where permitted, a processor) established in the EU that transfers personal data to a data importer (see Chapter 13).
data importer means a controller or processor located in a third country that receives personal data from the data exporter (see Chapter 13).
Data Protection Principles means the principles that govern the processing of personal data (see Chapter 6).
data subject means an individual who is the subject of the relevant personal data (see Chapter 5).
Directive means EU Directive 95/46/EC.
DPA means a Data Protection Authority. Each Member State appoints one or more such Authorities to implement and enforce data protection law in that Member State. (The Directive and the GDPR both use the term "Supervisory Authority", but the terms Data Protection Authority and DPA are more commonly used in practice.)
DPA Clauses means a set of data transfer clauses drawn up by a DPA under the GDPR (see Chapter 13).
DPO means a Data Protection Officer (see Chapter 12).
ECHR means the European Convention on Human Rights.
EDPB means the European Data Protection Board.
EDPS means the European Data Protection Supervisor, a body responsible for ensuring that the EU institutions comply with EU data protection law.
EEA means the European Economic Area (which is made up of the 28 Member States, together with Iceland, Liechtenstein and Norway).
ePrivacy Directive means Directive 2002/58/EC (as amended by Directive 2009/136/EC).
establishment is not precisely defined. The key question is whether there is effective and real exercise of activity through stable arrangements (e.g., a branch or subsidiary can be an "establishment", while a travelling salesperson is unlikely to constitute an "establishment").
EU-US Privacy Shield means the mechanism that had provided a legal basis for transfers of personal data from the EU to US organisations that certify to the EU-US Privacy Shield, pursuant to Commission Decision C(2016) 4176. In light of the CJEU's decision in Schrems II, the EU-US Privacy Shield is no longer deemed adequate.
European Parliament means the Parliament of the European Union.
GDPR means Regulation (EU) 2016/679 (the General Data Protection Regulation).
GDPR Effective Date means 25 May 2018 (i.e., the date from which enforcement of the GDPR started).
Impact Assessment means a Data Protection Impact Assessment, which is a structured review of a particular processing activity from a data protection compliance perspective (see Chapter 12).
lead DPA means the DPA for the Member State in which an organisation has its main establishment (see Chapter 14).
main establishment means: (a) for a controller, the place of its central administration in the EU (or, if none, the place in the EU where its main processing decisions are taken); or (b) for a processor, the place of its central administration in the EU (or, if none, the place in the EU where its main processing operations take place) (see Chapter 14).
Member State means a Member State of the European Union (i.e., Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom). Following the UK's submission of a notice of withdrawal under Article 50 of the Treaty of Lisbon the United Kingdom will remain an EU Member State until midnight (Brussels time) on 29 March 2019, unless the European Council decides unanimously to extend the two-year negotiating period. The United Kingdom will become a third country from the date of withdrawal.
Model Clauses means the various sets of Standard Contractual Clauses for Cross-Border Data Transfers, published by the Commission (see Chapter 13).
One-Stop-Shop means the principle that an organisation operating in multiple Member States should have a lead "DPA" that provides a single regulatory point of contact, based on the place of its main establishment in the EU (see Chapter 14).
personal data means information relating to an identified or identifiable individual (see Chapter 5).
processing means any operation that is performed upon personal data (see Chapter 5).
processor means a person or entity that processes personal data on behalf of a controller (see Chapter 5).
profiling means processing for the purposes of evaluating personal data in order to analyse or predict the behaviour of a data subject.
relevant filing system means any structured set of personal data which are accessible according to specific criteria (see Chapter 3).
Safe Harbor means a data transfer mechanism agreed between the US and the EU, and ratified pursuant to Commission Decision 2000/520/EC. That Commission Decision was subsequently held to be invalid by the CJEU in Schrems.
Schrems means the decision of the CJEU in Schrems v Data Protection Commissioner (Case C-362/14).
Sensitive Personal Data means personal data, revealing race or ethnicity, political opinions, religion or beliefs, trade- union membership, physical or mental health or sex life. The GDPR adds genetic data. Data relating to criminal convictions or related security measures are also treated as sensitive in many Member States (see Chapter 5).
TFEU means the Treaty on the Functioning of the European Union.
third country means a jurisdiction outside the EEA.
WP29 means the Article 29 Working Party (an EU-level advisory body made up of representatives from national DPAs and the EDPS, created under Art.29 of the Directive). Under the GDPR, the WP29 is effectively replaced by the EDPB.
Unlocking the EU General Data Protection Regulation:
A practical handbook on the EU's new data protection law
Chapter 2: Complying with the GDPR
Chapter 3: Subject matter and scope
Chapter 4: Territorial application
Chapter 6: Data Protection Principles
Chapter 7: Legal basis for processing
Chapter 9: Rights of data subjects
Chapter 10: Obligations of controllers
Chapter 11: Obligations of processors
Chapter 12: Impact Assessments, DPOs and Codes of Conduct
Chapter 13: Cross-Border Data Transfers
Chapter 14: Data Protection Authorities
Chapter 15: Cooperation and consistency
Chapter 16: Remedies and sanctions
Chapter 17: Issues subject to national law
Chapter 18: Relationships with other laws
Chapter 19: Glossary
Our Global Data, Privacy & Cyber Security Practice
White & Case Technology Newsflash
If you would like to request a hard copy of this Handbook, please do so here.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 – 2019 White & Case LLP