top of page


This page contains a list of definitions in alphabetical order.

Automated decision making

The ability to make decisions by technological means without human involvement e.g. the use of psychometrics tests to automatically accept/reject recruitment candidates, where there is no human intervention in the decision making process.

Binding Corporate Rules

Legally binding rules allowing multinational organisations to transfer information outside the EEA but only within their group of entities and subsidiaries


Consent means any freely given, specific informed and unambiguous indication of the individual's wishes by which he or she, by a statement or clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Data Controller

The legal person or body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processor

A legal person or other body which processes personal data on behalf of the controller.  Entities acting strictly on the Data Processor's instructions and having no discretion as to manner and purposes in which PII is processed.


European Economic Area consisting of all the European Union countries plus Norway, Iceland and Liechtenstein.

Joint Controller

EU Model Clauses

Personal Data breach

PII (Personally Identifiable Information)

Privacy Shield 

Privacy notice

Process / processing activities


SPII (Sensitive PII)

Where two or more controllers jointly determine the purposes and means of processing.

Contracts based on the standard contractual clauses approved by the European Commission allowing for the transfer of personal data outside of the EEA.

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed

PII is also known as personal data.  It includes any information that alone, or used in conjunction with other information, can be used to identify a living individual and provide information related to them in a “biographical sense”. 

PII can include a person’s name or other identifier combined with, for example, contact details (E.g. address, phone number, email address, etc), data of birth, statements of opinion or intention about the individual, driving behaviours associated to a VIN/licence plate number, geo-location data, bank account or debit/credit card details, salary or payroll information etc.

Information relates to an individual in a “biographical sense” if: (1) the content tells you something about a person (e.g. their financial or professional situation) or allows you to learn, decide or record something about an individual: or (2) your use of the information could have an impact on an individual. 

A binding legal instrument under European law which can be used as a legal basis for transferring personal data to the US.  US companies needs to be certified under the Privacy Shield system for it to apply.

A binding legal instrument under European law which can be used as a legal basis for transferring personal data to the US.  US companies needs to be certified under the Privacy Shield system for it to apply.

Also known as information notices, fair processing notices or privacy policies.  This provides the necessary information to individuals about the collection and use of their data.  

Any operation or set of operations which is performed on PII, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

SPII is a subcategory of PII which is particularly privacy sensitive or could cause substantial harm or distress if lost or misused.  

SPII includes the racial/ethnic origin, political opinions, religious or other personal beliefs, trade union membership, physical/mental health, sexual orientation, information relating to criminal offences, or criminal proceeding/sentencing, biometric or genetic data.

bottom of page