A Glossary of GDPR terms
Here are some of the key terms and definitions as used in relation to the GDPR.
Anonymisation
Processing personal data into a form in which the data subject can no longer be identified, even when the data is combined with additional information. Anonymised data is no longer personal data and falls outside the scope of the GDPR.
See also Pseudonymisation.
Automated individual decision-making and profiling
Profiling is any form of automated processing of personal data used to evaluate, analyse or predict personal aspects of a natural person, such as economic situation, purchasing behaviour, health, performance at work, or other behaviour.
In the case of a negative bank loan decision, for example, the data subject has the right to contest the automated decision and to demand that it be reviewed by a natural person.
Automated individual decision-making and profiling may not be based on special categories of data, such as ethnicity, political views or religious beliefs, except in specific and exceptional circumstances (in practice, the data subject's explicit consent or a substantial public interest, together with suitable safeguards for the data subject's rights).
See also Special categories of personal data.
Consent
Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she signifies agreement to the processing of his or her personal data.
The principles of the Personal Data Act, which will be repealed once the GDPR applies, remain unchanged in this respect: consent can serve as the legal basis for processing personal data, and processing of special categories of personal data requires explicit consent. Consent must be freely given, specific, informed and unambiguous; for special categories of personal data it must also be explicit.
Consent must be indicated by a clear affirmative action, such as a written, electronic or oral statement.
Consent must cover all the purposes for which the data will be processed.
Silence, pre-ticked boxes, inactivity, failure to opt out, or passive acquiescence do not constitute valid consent.
If consent is sought electronically, the request must be clear and concise and must not be unnecessarily disruptive to the use of the service for which it is given.
Where any processing activity is performed on the basis of consent, the controller must be able to demonstrate that it has obtained valid consent from the affected data subjects.
See also Special categories of personal data, Demonstrating compliance.
The supervisory authority can impose warnings, reprimands, other sanctions such as a temporary or definitive ban on processing, or administrative fines on controllers and processors for non-compliance.
The amount of an administrative fine is determined case by case and depends on many factors, such as the gravity and duration of the infringement and whether it was intentional or negligent. According to the GDPR, fines must be effective, proportionate and dissuasive.
This means that the fine for a similar infringement may vary from €10 000 to €500 000 and even to €50 million, depending on the circumstances.
The maximum fine for lower-level infringements is the greater of €10 million or 2% of an undertaking's total worldwide annual turnover for the preceding financial year. For an undertaking with a worldwide annual turnover of €500 million or more, the 2% figure is therefore the higher one and sets the ceiling.
The maximum fine for serious infringements of the GDPR is twice as high: the greater of €20 million or 4% of an undertaking's total worldwide annual turnover for the preceding financial year.
See also Supervisory authority.
See also Supervisory authority.