Anonymization refers to a technological, usually automated process used to modify personal data in such a way that it is no longer possible to attribute the data to any specific person.
Binding corporate rules
These are personal data protection policies which are adhered to by a controller or processor established on the territory of an EU member state for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.
Biometric data
are data that result from specific technical processes and that relate to the physical, physiological, or behavioral characteristics of a natural person, which make it possible to verify or confirm the unique identity of that natural person, such as facial images or dactyloscopic data. The processing of biometric data is subject to special conditions, specified in Article 9 of the GDPR.
Consent
of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
The controller is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Cross-border processing
means either of the following:
a) Processing of personal data which takes place in the context of the activities of a controller’s or processor’s establishments in more than one member state in the EU, in cases where the controller or processor is established in more than one member state; or
b) Processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the EU, but which substantially affects or is likely to substantially affect data subjects in more than one member state.
A data breach is an incident that compromises the confidentiality, integrity, or accessibility of personal data.
Data concerning health
are personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about that person’s health status. The processing of data concerning health is subject to special conditions, specified in Article 9 of the GDPR.
Data Protection Officer
The Data Protection Officer is a person named by the controller or processor (in some cases, the controller or processor is obligated to name a Data Protection Officer). The Data Protection Officer supports the controller or processor in ensuring compliance with the GDPR and the Data Protection Act (Datenschutzgesetz, DSG). In this capacity, the Data Protection Officer performs an advisory and supervisory function.
The data subject is the person whose personal data are processed. According to the GDPR, only natural persons qualify as data subjects.
An enterprise is defined as a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.
Genetic data
are personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question. The processing of genetic data is subject to special conditions, specified in Article 9 of the GDPR.
Group of undertakings
This refers to a controlling undertaking (enterprise) and its controlled undertakings.
An international organization is an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
Main establishment
a) In the case of a controller with establishments in more than one member state, the place of its central administration in the EU, unless the decisions on the purposes and means of the processing of personal data are taken at another establishment of the controller in the EU and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment
b) In the case of a processor with establishments in more than one member state, the place of its central administration in the EU, or, if the processor has no central administration in the EU, the establishment of the processor in the EU where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under the GDPR.
Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Personal data breach
This refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Processing means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor
is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller pursuant to Article 28 of the GDPR.
Profiling is defined as any form of automated processing of personal data consisting in the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Pseudonymization is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. In contrast to anonymous data, pseudonymized data are regarded as personal data and are therefore subject to the regulations of the GDPR.
Recipient
is a natural or legal person, public authority, agency, or another body to which the personal data are disclosed, regardless of whether this is a third party or not. However, public authorities which may receive personal data as part of a particular inquiry in accordance with EU or member state law are not regarded as recipients. In these cases, the processing of such data by public authorities is in compliance with the applicable data protection rules according to the purposes of the processing.
A representative is a natural or legal person established in the EU who, designated by the controller or processor in writing pursuant to Article 27 of the GDPR, represents the controller or processor with regard to their respective obligations under the GDPR.
Special categories of personal data
This refers to personal data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.
Supervisory authority
This is an independent, national institution set up by EU member states pursuant to Article 51 of the GDPR. In Austria, the national supervisory authority is the Austrian Data Protection Authority. For more information, please go to www.dsb.gv.at.
Third party
is any natural or legal person, public authority, agency, or body other than the data subject, the controller, the processor, and any persons who, under the direct authority of the controller or processor, are authorized to process personal data.