Navigation path

  • Print version
  • Decrease text
  • Increase text

The most representative definitions relating to the protection of personal data and related subjects in the Commission can be found here.


Anonymous data
Anonymous data cannot be related to an identified or identifiable person and are consequently not personal data.
Article 29 Working Party
The Article 29 Data Protection Working Party is an independent European advisory body. The Working Party's mission is to ensure the uniform application of Directive 95/46/EC, providing opinions and making recommendations or drafting working documents that are all available on the Internet. The Article 29 Working Party's members are representatives of the different national data protection authorities, the European Data Protection Supervisor and representatives of the European Commission.


Breach (of security)

Appropriate technical and organisational measures should be taken to safeguard the secure use of the telecommunications networks and terminal equipment, if necessary in conjunction with the providers of publicly available telecommunications services or the providers of public telecommunications networks. Having regard to the state of the art and the cost of their implementation, these measures shall ensure a level of security appropriate to the risk presented.

In the event of any particular risk of a breach of the security of the network and terminal equipment, the Community institution or body concerned shall inform users of the existence of that risk and of any possible remedies and alternative means of communication.

Breach Notification

Personal data breaches are security incidents by which personal data is compromised, e.g. by unauthorised access, alteration or destruction. Providers of electronic communications services (ePrivacy Directive) have to report the breaches to the relevant national authority, and also to individuals when there is a risk to their personal data or privacy.
It is also recommended and soon will be mandatory (with the new EU DP legislative framework) to Notify those possible data/security breaches to the DPO, if occur.



Contractual clauses

This data protection clause is inserted in all model contracts used by the European Commission.

Where Contract execution and Grant implementation necessitates the processing of personal data, the contractor or beneficiary will act as data processor.
The data, purpose of processing, recipients and means for data subjects to exercise their rights will be stipulated in the contract, grant agreement or grant decision.

The Data Controller means the Community institution or body, the Directorate-General, the unit or any other organisational entity which alone or jointly with others determines the purposes and means of the processing of personal data.
For each processing operation, a Data Controller must be identified and prior notice must be given to the Data Protection Officer of the institution.
The controller is also the most important contact for you as a data subject, but also for the authorities that are to check him.


Data (anonymous)
Anonymous data cannot be related to an identified or identifiable person and are consequently not personal data.
Data (special categories)
Certain personal data are more sensitive than others. An individual's name and address are rather innocent data.
The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and of data concerning health or sex life, are prohibited, unless:
  • the data subject has given his or her express consent to the processing of those data;
  • processing is necessary for the purposes of complying with the specific rights and obligations of the controller in the field of employment law insofar as it is authorised by the Treaties establishing the European Communities or other legal instruments adopted on the basis thereof;
  • processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his or her consent;
  • processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims;
  • processing is carried out in the course of its legitimate activities with appropriate safeguards by a non-profit-seeking body which constitutes an entity integrated in a Community institution or body, not subject to national data protection law by virtue of Article 4 of Directive 95/46/EC, and with a political, philosophical, religious or trade-union aim;
  • processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy;

The European Data Protection Supervisor shall determine the conditions under which a personal number or other identifier of general application may be processed by a Community institution or body.

Data subject
The Data Subject is the person whose personal data are collected, held or processed by the Data Controller
We are all data subjects. For example, you disclose personal data as soon as you:
  • fill in a form;
  • place an order;
  • book concert tickets;
  • buy a train ticket;
    · use a credit card;
  • register for a course or in a sports club;
  • are admitted to hospital;
  • borrow a book from a public library or a DVD from a video rental shop.
Data Protection Officer (DPO)
Each institution has one or more DPOs to ensure the application of the principles of personal data protection in the institution. Each DPO keeps a register of all personal data processing operations in his/her institution. He/she also provides advice and makes recommendations on rights and obligations. He/she notifies risky processing of personal data to the EDPS (see below) and responds to requests from the EDPS. In critical situations he/she may investigate matters and incidents on request or on his/her own initiative
Data Protection Co-ordinator in a DG or Service (DPC)
The Co-ordinator is nominated by the DG and assures a coherent implementation of Regulation 45/2001 in the DG. He/she provides advice and assistance to all responsibles and specifically assists Controllers in the DG in their Notifications to the DPO. He/she sets up the inventory of applications for the processing of personal data in the DG and liaises and co-operates with the DPO. He/she also represents the DG in the network of Co-ordinators which is chaired by the DPO.
Data Protection principles
Anyone processing personal data should be aware of the basic principles, according to which it must be:
  • Fairly and lawfully processed;
  • Processed for limited and explicit purposes;
  • Adequate, relevant and not excessive;
  • Accurate;
  • Not kept longer than necessary;
  • Processed in accordance with the Data Subject's rights;
  • Secure;
  • Not transferred to third parties without adequate precautions.
Delegated Controller
A Delegated Controller may be designated by the Data Controller to prepare under his/her responsibility the Notification to the Data Protection Officer and to assure all the related co-ordination with the Data Protection Co-ordinator and others concerned with data protection inside or outside the respective Directorate General
A disclaimer is a general statement, describing the rights and obligations of all parties concerned, for example included in a privacy statement on a web site or in a contract.


European Data Protection Supervisor (EDPS)
The EDPS is an independent supervisory authority established in accordance with Regulation (EC) 45/2001. With respect to the processing of personal data, the EDPS is responsible for ensuring that the fundamental rights and freedoms of natural persons, and in particular their right to privacy, are respected by the Community institutions and bodies. The EDPS is also responsible for advising Community institutions and bodies and Data Subjects on all matters concerning the processing of personal data.
Data Controllers are obliged to co-operate with the EDPS, in particular by granting access to information.


Further processing
A further processing operation, involves personal data initially collected for an explicit purpose and re-used at a later time for historical, statistical or scientific purposes that are incompatible with the initial purpose. In other words, these processing operations constitute a specific form of secondary data collection.


Impact (Information Security)
The consequences of an incident on one or more assets constitute the impact (for instance personal data who are no longer accurate).
Incident (Information Security)
An incident is an unexpected or unwanted event that can have serious consequences.
Integrity (Information Security)
Integrity covers two different aspects: information integrity, and system and process integrity.


Lawful data processing
Article 5 of the Regulation states that the processing of personal data must be either necessary or consensual. Personal data may be processed only if:
  1. processing is necessary for the performance of a task carried out in the public interest on the basis of Community legislation or in the legitimate exercise of Community official authority, or
  2. processing is necessary for compliance with a legal obligation to which the Controller is subject, or
  3. processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract, or
  4. the Data Subject has unambiguously given his or her consent (meaning any freely given specific and informed indication of the Data Subject's wishes signifying agreement to personal data relating to him or her being processed) or
  5. processing is necessary in order to protect the vital interests of the Data Subject.
    The Data Controller is responsible for ensuring that personal data is processed fairly and lawfully.
Legitimate interest
An interest is called legitimate when the controller's interest in processing the data overrides the registered person's interest in not processing the data. In case of doubt, EDPS or a judge will decide whose interest has the highest priority.


(Manual) filing system

A manual filing system is a structured set of personal data that are accessible according to certain criteria, the yellow pages on paper for example.

Regardless if the filling system is manual or not, a "filing system" shall mean any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis; and nonetheless it is subject to the legal requirements of the Regulation 45/2001.

Furthermore, the Regulation 45/2001 applies to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.

Model Notification
In order to support the free flow of information within the EU Commission, the DPO provides standard Notifications models for operations that occur more frequently or are standardized in the daily work of the Commission such as:



A Notification is a prior notice by the Controller to the Data Protection Officer of any processing operation (manual or electronic) in which personal data is involved. It is only needed if personal data is processed.
A notification is not intended to request permission or authorization, but only to notify a processing operation. The notification mainly consists of a description of the data processing operation, security safeguards, data transfer, retention period, etc.
By sending the Notification, the Controller complies with the legal requirements of the Regulation 45/2001 that requires the processing of personal data to be notified. Once the Notification is complete, the DPO validates it into the Register.


Opt in

In this system, you give somebody your prior consent to send you commercial messages. The opt-in system is valid for all forms of communication and allows you to give your free, specific and informed consent, as required by the DP Laws.
The opt-in system is mainly used when somebody regularly wants to send a massive number of e-mails, for example a newsletter, electronic magazines, promotional offers.

Opt out

As opposed to opt in, the opt-out system allows you to object to any data processing operation with a view to direct marketing, as required by the DP Laws.
This involves receiving an unwanted message containing the possibility to unsubscribe in order to stop receiving messages.


Personal data

Personal data reveal information about an identified or identifiable natural person (called the "data subject" in the DP Laws). In other words, personal data are all data allowing for the identification of an individual.
Personal data include an individual's name, a picture, a phone number, even a professional phone number, a code, a bank account number, an e-mail address, a fingerprint, …
Only data about a natural (physical) person are taken into account, excluding data about a legal person or an association (civil or commercial corporations or non-profit organizations).
For more details about what is personal data, please read the Article 29 Working Party's Opinion 4/2007 on the concept of personal data. Text .
Processing personal data

Processing personal data is defined as any operation or set of operations performed on personal data. These operations are extremely varied and relate, among others, to the collection, storage, use, modification, disclosure of the data.
· a Commission DG transmitting the names of persons requesting a building permit for a visit, represents data processing.
· the payroll of an official it is to be considered processing of personal data (name, date of birth, bank account, home address)

The DP laws apply as soon as the data are processed, even partially, using automatic means. Automatic means include all information technologies, computer technology, telematics, telecommunication networks (the Internet).
If data are not processed using automatic means (for example on paper or on microfiche) the DP Law still has to be observed if the data are included or will be included in a manual filing system that can be accessed according to specific criteria (for example people's names in alphabetical order).
For more details about what means processing of personal data, please read the Article 29 Working Party's working document on the Protection of Individuals with regard to the Processing of Personal Data. Document .

This is any natural person, legal person, un-associated organization or public authority processing data on behalf of the controller, not including individuals who are under the direct authority of the controller and who have been authorized to process the data).
Purposes: historical, statistical or scientific
  • historical research involves the processing of personal data with a view to the analysis of an earlier event or in order to make that analysis possible. This is possibly but not necessarily also a processing operation with a scientific purpose (in other words, a genealogist can appeal to this provision);
  • statistical purposes are achieved through any action with a view to collecting and processing personal data when this is necessary for statistical surveys or to produce a statistical result;
  • scientific research involves establishing patterns, rules of conduct and causal relations exceeding all individuals they relate to.
  • for this purpose, the data should be kept either in anonymous form only or, if that is not possible, only with the identity of the data subjects encrypted. In any event, the data shall not be used for any purpose other than for historical, statistical or scientific purposes.


Register of the Data Protection Officer
The Register is a data base containing all Notifications on the processing of personal data send to the Data Protection Officer by Controllers. Article 26 of Regulation 45/2001 requires the Data Protection Officer to keep a Register on processing operations of personal data and requires that this Register may be inspected by any person.
Rights of Data subjects
The Controller must give the Data Subject the following information about data being processed:
  1. confirmation as to whether or not data related to him or her are being processed;
  2. information about the purposes of the processing operation, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed;
  3. communication of the data undergoing processing and of any available information as to their source;
  4. knowledge of the logic involved in any automated decision process concerning him or her.
The Data Subject has the right to access his data and to require the Controller to rectify without delay any inaccurate or incomplete personal data.
The Data Subject has the right to require the Controller to erase data if the processing is unlawful.
Right of rectification
Anyone can have incorrect data relating to him rectified free of charge, and have other data erased if they are irrelevant, incomplete or prohibited, or have the use of those data prohibited. If the controller does not react, the data subject may address the DPO, which will attempt to mediate. The data subject may also submit a complaint to the EDPS.
Right to object
You may always object to the use of your data, provided that you have serious reasons for this. Regulation 45/2001 gives you the right:
  1. to object at any time, on compelling legitimate grounds relating to his or her particular situation, to the processing of data relating to him or her, except in the cases covered by Article 5(b), (c) and (d). Where there is a justified objection, the processing in question may no longer involve those data;
  2. to be informed before personal data are disclosed for the first time to third parties or before they are used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object free of charge to such disclosure or use.
Risk (Information Security)
A risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization (for example a virus deleting a file). It is measured in terms of a combination of the probability of an event and its consequence.
A risk is characterized by two factors: the probability that an incident will occur and the gravity of the potential direct consequences and the indirect impact.


Safe Harbor Principles
In consultation with the European Commission, the American Department of Commerce elaborated the Safe Harbor Principles, intended to facilitate the transfer of personal data from the European Union to the United States. If companies make a statement to the American Department of Commerce agreeing with these principles and declaring they are prepared to respect them (meaning, among other things, that the American Federal Trade Commission can check whether their respect these principles), they are considered as companies ensuring adequate safeguards for data protection.
To learn more details about Safe Harbor Principles read this text.
Security measures (Information Security)
Security measures, also called "protective measures" or "security controls", are procedures or decisions that limit risks. Security measures can be effective in several ways: by lessening possible dangers, correcting vulnerabilities or limiting the possible direct consequences or indirect impact. It is also possible to work with time: if incidents are traced better and sooner, action can be taken before the situation gets any worse.
Standard Contractual Clauses
For persons wishing to transfer data outside the European Community, the European Commission has elaborated standard contractual clauses, which allow for a data transfer meeting the European legal conditions for data protection (article 25 ff of Directive 95/46/EC). In other words, the parties signing these contracts are considered as parties ensuring adequate safeguards for the protection of privacy.


Threat or Breach (Information Security)
A threat is any unexpected event that can damage one of the organisation's assets and therefore prejudice personal data protection.
There are environmental threats (fire), technical threats (system failures) or human threats.


Unambiguous, free and informed consent

Consent is understood:

to have been freely given.

  • In other words, the data subject was not pressured to say "yes";
  • to be specific, meaning that the consent relates to a well-defined processing operation;
  • to be informed. The data subject has received all useful information about the planned processing.

It is not necessary for the consent to be given in writing, but oral consent does create problems with the burden of proof in case of



Vulnerability (Information Security)
Vulnerability is the weakest link of an asset or a group of assets that can be exploited by one or more imminent dangers (developer's mistake, wrong installation). In most cases vulnerability is due to the fact that an asset is not sufficiently protected, rather than to the asset itself.