Data Protection Glossary
Key terms and concepts in GDPR, DPO services, and compliance
A
AIPD (Avaliação de Impacte de Privacidade)
Portuguese term, equivalent to DPIA in English
A systematic assessment required when processing activities are likely to result in high risk to individuals' rights. See DPIA.
Article 39 (GDPR)
European regulation
The GDPR article defining the DPO's tasks and responsibilities: monitoring GDPR compliance, providing advice, cooperating with supervisory authority, and serving as point of contact for data subjects.
Accountability
English, GDPR principle
The principle requiring organisations to demonstrate compliance with GDPR through documentation, policies, and records. The burden of proof rests with the organisation: it must be able to show that it complies, rather than others having to show that it does not.
B
BCR (Binding Corporate Rules)
English, data transfer mechanism
Internal rules adopted by multinational organisations to ensure compliant transfer of personal data across group entities. BCRs must be approved by supervisory authorities and demonstrate equivalent safeguards to GDPR.
Data Breach
English, GDPR event
A security incident resulting in accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of personal data. Organisations must notify the CNPD within 72 hours and affected individuals without undue delay.
C
CNPD (Comissão Nacional de Proteção de Dados)
Portuguese, supervisory authority
Portugal's independent supervisory authority responsible for enforcing GDPR and other data protection laws. The CNPD investigates complaints, conducts audits, and issues decisions and fines for non-compliance.
CISO (Chief Information Security Officer)
English, organisational role
A senior executive responsible for information security strategy and governance. The CISO and DPO may work together but have distinct responsibilities: the DPO focuses on compliance with data protection law, while the CISO focuses on security practices.
Consent
English, lawful basis
Freely given, specific, informed, and unambiguous affirmation by a data subject to the processing of their personal data. One of the six lawful bases under GDPR Article 6. Consent must be as easy to withdraw as it was to give, and cannot be made a condition of a service unless the processing is necessary for that service.
Controller
English, GDPR role
The organisation that determines the purposes and means of personal data processing. Controllers are responsible for GDPR compliance, data subject rights, and appointing a DPO if required.
D
DPO (Data Protection Officer)
English, GDPR role
An independent expert appointed by controllers or processors to monitor GDPR compliance, provide advice, cooperate with supervisory authorities, and act as point of contact for data subjects. Can be internal or external. Mandatory for public authorities and organisations whose core activities involve large-scale systematic monitoring.
DPIA (Data Protection Impact Assessment)
English, GDPR process
A systematic evaluation required for high-risk processing activities. DPIAs identify risks to data subjects' rights and implement mitigation measures. Required before deploying new processing activities likely to result in high risk. Also called AIPD in Portuguese.
Data Subject
English, GDPR definition
Any natural person whose personal data is processed. Data subjects have rights under GDPR including access, rectification, erasure, restriction, portability, and objection.
Data Subject Rights Request
English, GDPR right
A request by an individual to exercise their GDPR rights: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), or objection (Art. 21). Organisations must respond within 30 days.
E
EU Representative
English, GDPR role
A representative appointed by non-EU organisations that process personal data of EU residents. Acts as the single point of contact in the EU for supervisory authorities. Required unless the organisation has no establishment in the EU and does not regularly monitor EU residents.
Erasure / Right to be Forgotten
English, GDPR right
A data subject's right (Article 17 GDPR) to request deletion of their personal data under specific circumstances. Cannot be exercised if data is needed for legitimate interests or legal obligations. Response deadline: 30 days.
F
Fair Processing
English, GDPR principle
The principle requiring transparent, lawful processing of personal data. Organisations must inform data subjects how their data is used, who has access, and their rights. Fundamental to GDPR compliance.
G
GDPR (General Data Protection Regulation)
English, EU regulation
Regulation (EU) 2016/679, the primary data protection regulation in the European Union. Applies to organisations processing personal data of EU residents. Sets standards for consent, rights, accountability, and imposes significant penalties for non-compliance (up to €20 million or 4% of global revenue).
I
International Data Transfers
English, GDPR mechanism
Transfer of personal data outside the EU/EEA. Requires adequate safeguards such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or adequacy decisions. Since the Schrems II ruling, transfers may also require supplementary measures.
L
Lawful Basis
English, GDPR principle
One of six legal grounds required to process personal data under Article 6 GDPR: (1) Consent, (2) Contract, (3) Legal Obligation, (4) Vital Interests, (5) Public Task, (6) Legitimate Interests. Every processing activity must rely on at least one lawful basis.
N
NIS2 Directive
English, EU cybersecurity regulation
The Network and Information Security Directive 2, strengthening cybersecurity requirements for critical infrastructure and essential services. Complements GDPR by requiring comprehensive security measures. Being transposed into Portuguese law, with a 2025 deadline for critical entities.
P
Personal Data
English, GDPR definition
Any information relating to an identified or identifiable natural person. Includes names, identification numbers, location data, online identifiers, and factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity.
Processing
English, GDPR activity
Any operation performed on personal data: collection, storage, use, analysis, sharing, deletion, etc. Virtually any interaction with personal data constitutes processing and requires a lawful basis under GDPR.
Privacy by Design
English, GDPR principle
Requirement to integrate data protection into the design and default settings of systems and processes. Organisations must consider privacy from the earliest stages of system development, not as an afterthought.
Processor
English, GDPR role
An organisation that processes personal data on behalf of a controller. Processors must enter into Data Processing Agreements (DPAs) with controllers and provide appropriate safeguards. Examples: cloud providers, outsourced service providers.
R
Right of Access
English, GDPR right
A data subject's right (Article 15 GDPR) to obtain confirmation of whether their data is processed and to receive a copy of the data. Organisations must respond within 30 days. A cornerstone GDPR right demonstrating transparency.
Right to Portability
English, GDPR right
A data subject's right (Article 20 GDPR) to receive their personal data in a structured, commonly-used, machine-readable format and transmit it to another controller. Promotes competition and data subject autonomy.
Right to Rectification
English, GDPR right
A data subject's right (Article 16 GDPR) to correct inaccurate personal data. Organisations must update records without undue delay. Response deadline: 30 days.
S
SCC (Standard Contractual Clauses)
English, data transfer mechanism
EU-approved contractual terms enabling personal data transfers to jurisdictions outside the EU/EEA with appropriate safeguards. Updated after the Schrems II ruling to include supplementary technical measures. Commonly used by international groups and cloud providers.
Special Categories of Data
English, GDPR definition
High-risk personal data including race, ethnicity, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, and sex life. Processing is prohibited unless one of the specific exemptions in Article 9 GDPR applies.
Supplementary Measures
English, data transfer practice
Additional protective measures required, following the Schrems II ruling, when transferring personal data to third countries. They include encryption, contractual obligations, technical controls, and assessments of the legal protections in the destination country.
T
TIA (Transfer Impact Assessment)
English, data transfer assessment
An assessment required by the Schrems II ruling to evaluate the laws and practices of a third country before transferring personal data to it. Organisations must assess whether the destination country provides adequate protection under GDPR. If it does not, supplementary measures are required.
Transparency
English, GDPR principle
The principle requiring organisations to be clear and open about how personal data is processed. Includes privacy notices, privacy policies, and clear communication of data subject rights. Fundamental to fair processing.