Data Privacy and Cybersecurity

GDPR Guide to National Implementation: Glossary

A practical guide to national GDPR compliance requirements across the EEA



  • Adequacy Decision means a decision by the Commission to designate a third country as an Adequate Jurisdiction.
  • Adequate Jurisdiction means one of the following jurisdictions that have been designated by the Commission as providing an adequate level of protection for personal data: Andorra, Argentina, Canada (for organisations that are subject to Canada's PIPEDA law), Switzerland, the Faeroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, and Uruguay. In light of the CJEU’s decision in Schrems II, the EU-US Privacy Shield is no longer deemed adequate.
  • AML means anti-money laundering.
  • BCRs means Binding Corporate Rules, a mechanism for conducting lawful transfers of personal data within a corporate group to an intra-group company in a country outside the EEA.
  • CFR means the Charter of Fundamental Rights of the European Union (2000/C 364/01).
  • CJEU means the Court of Justice of the European Union.
  • Code of Conduct means a code adhered to by an organisation, which may provide evidence of compliance with the requirements of EU data protection law.
  • Commission means the European Commission.
  • controller means the person(s) who determine the purposes and means of processing personal data.
  • data breach means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data.
  • data subject means an individual who is the subject of the relevant personal data.
  • DPA means a Data Protection Authority. Each Member State appoints one or more such Authorities to implement and enforce data protection law in that Member State. (The GDPR uses the term “Supervisory Authority”, but the terms Data Protection Authority and DPA are more commonly used in practice.)
  • DPO means a Data Protection Officer.
  • ECHR means the European Convention on Human Rights.
  • EDPB means the European Data Protection Board.
  • EDPS means European Data Protection Supervisor.
  • EEA means the European Economic Area (which is made up of the 28 Member States, together with Iceland, Liechtenstein and Norway).
  • EU-US Privacy Shield means the mechanism that had provided a legal basis for transfers of personal data from the EU to US organisations that certify to the EU-US Privacy Shield, pursuant to Commission Decision C(2016) 4176. In light of the CJEU's decision in Schrems II, the EU-US Privacy Shield is no longer deemed adequate.
  • GDPR means Regulation (EU) 2016/679 (the General Data Protection Regulation).
  • Impact Assessment means a Data Protection Impact Assessment, which is a structured review of a particular processing activity from a data protection compliance perspective. 
  • ISS means information society services (as defined in Art. 1(1)(b) of Directive (EU) 2015/1535).
  • Member State means a Member State of the European Union (i.e., Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom). Following the UK’s submission of a notice of withdrawal under Art. 50 of the Treaty of Lisbon, the UK will remain an EU Member State until midnight (Brussels time) on 31 October 2019, unless the European Council decides unanimously to further extend the negotiating period. The UK will become a third country from the date of withdrawal.
  • personal data means information relating to an identified or identifiable individual.
  • processing means any operation that is performed upon personal data.
  • processor means a person or entity that processes personal data on behalf of a controller.
  • profiling means processing for the purposes of evaluating personal data in order to analyse or predict the behaviour of a data subject.
  • sensitive personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and includes genetic data, biometric data for the purpose of uniquely identifying a natural person, health data or data concerning a natural person’s sex life or sexual orientation.
  • third country means a jurisdiction outside the EEA.
  • ePrivacy Directive means Directive 2002/58/EC (as amended by Directive 2009/136/EC).
  • WP29 means the Article 29 Working Party (an EU-level advisory body made up of representatives from national DPAs and the EDPS, created under Art. 29 of Directive 95/46/EC). Under the GDPR, the WP29 is effectively replaced by the EDPB.



This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2019 White & Case LLP