AGIDAT – Data Protection | Information Security

GDPR Glossary

Plain-English definitions of key data protection terms and abbreviations.

Data protection is full of abbreviations and legal terms. This glossary explains the most important ones in plain English — no legal background required.

Accountability
The GDPR principle (Art. 5(2)) requiring controllers to be able to demonstrate compliance with all data protection principles — not just comply, but prove it.
Consent
One of the six lawful bases for processing (Art. 6(1)(a)). Must be freely given, specific, informed, and unambiguous. Withdrawal must be as easy as giving it.
Controller
The natural or legal person that determines the purposes and means of processing personal data (Art. 4(7)). Bears primary GDPR responsibility.
Data Processing Agreement (DPA)
A contract (or other binding legal act) required under Art. 28 GDPR between a controller and any processor acting on its behalf. Sets out the processor's obligations and restrictions, including acting only on documented instructions, confidentiality, security measures, sub-processor approval, and deletion or return of data at the end of the service. Note that "DPA" is also widely used for Data Protection Authority, i.e. a supervisory authority under Art. 51; the context usually makes clear which is meant.
Data Protection Impact Assessment (DPIA)
A risk assessment required under Art. 35 GDPR before processing that is "likely to result in a high risk" to individuals' rights and freedoms.
Data Protection Officer (DPO)
A designated expert required under Art. 37 GDPR for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category or criminal conviction data. Can be internal or external. Must have expert knowledge of data protection law (Art. 37(5)) and act independently, without instructions on how to perform the tasks and free of conflicts of interest (Art. 38(3) and (6)).
Data Subject
The identified or identifiable natural person whose personal data is being processed (Art. 4(1)).
GDPR
General Data Protection Regulation — Regulation (EU) 2016/679, in force since 24 May 2016 and applicable since 25 May 2018. The primary data protection law of the European Union.
Information Security Officer (ISO)
Responsible for operational information security management within an organization (often also called CISO). Distinct from the DPO: the two roles work closely together, but Art. 38(6) GDPR bars the DPO from holding a position that would create a conflict of interest, and deciding on the means of processing, as a security officer typically does, is generally regarded as such a conflict. Not to be confused with ISO, the International Organization for Standardization (as in ISO/IEC 27001).
Legitimate Interest
Lawful basis under Art. 6(1)(f) GDPR. Requires a three-part test, usually documented as a Legitimate Interest Assessment: the purpose test (the controller or a third party pursues a legitimate interest), the necessity test (the processing is actually necessary for that interest, with no less intrusive alternative), and the balancing test (the interest is not overridden by the interests or fundamental rights and freedoms of the data subject). Public authorities cannot rely on it in the performance of their tasks.
NIS2 Directive
EU Directive on measures for a high common level of cybersecurity (2022/2555). Expands mandatory cybersecurity obligations to many more sectors than the original NIS Directive.
Personal Data
Any information relating to an identified or identifiable natural person (Art. 4(1)). Includes names, email addresses, IP addresses, location data, and more.
Processor
An entity that processes personal data on behalf of and under instruction from a controller (Art. 4(8)). Must operate under a Data Processing Agreement.
Pseudonymization
Processing personal data in such a way that it can no longer be attributed to a specific individual without additional information, where that additional information is kept separately and protected by technical and organizational measures (Art. 4(5)). Pseudonymized data is still personal data, because re-identification remains possible for whoever holds the additional information (Recital 26), so pseudonymization reduces risk and is recognized as a security measure under Art. 32, but it does not remove GDPR obligations. Contrast anonymization, where re-identification is no longer reasonably possible and the GDPR ceases to apply.
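The practical point in the Art. 4(5) definition is the "additional information kept separately". The added example below (written for this glossary; it is not code from the AGIDAT page, and the function names and e-mail addresses are constructed) shows why an unkeyed hash of an identifier is not a pseudonym in that sense: anyone holding the data set can recompute the hash for guessed identifiers and re-identify the record. A keyed hash (HMAC) under a secret that is stored apart from the data set only lets the key holder do that lookup, which is exactly the separation the definition asks for.

```python
"""Pseudonymization in the sense of Art. 4(5) GDPR, as an added example.

A pseudonym must not be attributable to a person without separately held
"additional information". The secret HMAC key plays that role here.
Sample e-mail addresses below are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample identifiers, as they might appear in a user table.
SAMPLE_EMAILS = ["alice@example.com", "bob@example.org", "carol@example.net"]


def normalize(identifier: str) -> str:
    """Trim and lower-case so the same person always maps to the same pseudonym."""
    return identifier.strip().lower()


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Looks anonymous, but e-mail addresses are low-entropy: anyone can hash a
    list of candidate addresses and compare, so the table is reversible.
    """
    return hashlib.sha256(normalize(identifier).encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key.

    The key is the "additional information" of Art. 4(5). It is stored
    separately from the pseudonymized data set; without it a candidate
    identifier cannot be checked against a pseudonym.
    """
    return hmac.new(key, normalize(identifier).encode(), hashlib.sha256).hexdigest()


def dictionary_attack(pseudonym: str, candidates: Iterable[str],
                      key: Optional[bytes] = None) -> Optional[str]:
    """Re-identification attempt: recompute the pseudonym for each candidate.

    key=None models an attacker who holds only the pseudonymized data set and
    therefore can only compute unkeyed hashes; passing the real key models the
    controller's own legitimate lookup. Returns the matching identifier or None.
    """
    for cand in candidates:
        guess = naive_pseudonym(cand) if key is None else keyed_pseudonym(cand, key)
        if hmac.compare_digest(guess, pseudonym):
            return cand
    return None


def demo(target: str = SAMPLE_EMAILS[1]) -> dict:
    """Run both schemes against the same target and report who can re-identify it."""
    key = secrets.token_bytes(32)  # generated once, kept apart from the data set
    naive = naive_pseudonym(target)
    keyed = keyed_pseudonym(target, key)
    return {
        # Attacker with the data set only: unkeyed hash falls to a dictionary.
        "naive_reidentified": dictionary_attack(naive, SAMPLE_EMAILS),
        # Same attacker against the keyed pseudonym: no match without the key.
        "keyed_without_key": dictionary_attack(keyed, SAMPLE_EMAILS),
        # Controller holding the separately stored key: lookup still works.
        "keyed_with_key": dictionary_attack(keyed, SAMPLE_EMAILS, key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Because the keyed pseudonym is deterministic, records about the same person stay linkable across tables, which is what distinguishes pseudonymization from anonymization and why the result is still personal data. Rotating or destroying the key is what turns the data set into something closer to anonymized data; as long as the key exists, the obligations listed in this glossary continue to apply.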
Records of Processing Activities (RoPA)
Documentation required under Art. 30 GDPR listing all processing activities with their purposes, the categories of data subjects and personal data, recipients (including those in third countries, with the transfer safeguards used), envisaged retention periods, and a general description of the technical and organizational measures. Most organizations also record the lawful basis for each activity, although Art. 30 does not list it explicitly. Must be in writing (electronic form suffices) and made available to the supervisory authority on request.
Special Category Data
Particularly sensitive personal data (Art. 9 GDPR) including health data, biometric data, political opinions, religious beliefs, and sexual orientation. Subject to stricter processing requirements.
Technical and Organizational Measures (TOMs)
Security measures required under Art. 32 GDPR to protect personal data, appropriate to the risk and the state of the art. Art. 32 names pseudonymization and encryption explicitly and otherwise requires ensuring confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability after an incident, and regular testing of the measures; access controls, backup procedures, logging, and staff training are typical ways of meeting those requirements.