The Article 29 Working Party
The Article 29 Working Party (also referred to as “A29WP” or “WP29”) consists of representatives of the EU’s national supervisory authorities, the European Data Protection Supervisor (“EDPS”) and the European Commission. Together this group forms the “European Data Protection Board” (“EDPB”), with similar membership but an independent Secretariat.
A person, corporate or body who, alone or jointly, determines the purposes and means for processing personal data.
A person, corporate or body which processes the personal data on behalf of the data controller.
Data Protection Directive
The European Directive 95/46/EC previously governed the processing of personal data in the EU and will now be replaced by the GDPR.
Data Protection Act
The Data Protection Act 1998 (also referred to as “DPA98” or “DPA”) is the UK legislation passed as a result of the EU Data Protection Directive. This piece of legislation will be replaced in the UK, first by the GDPR on 25th May 2018, and then by the UK Data Protection Bill in March 2019 when the UK leaves the EU.
Data Protection Bill
The UK Data Protection Bill 2017, published on 14th September 2017, will enact the GDPR, plus additional UK-specific enhancements regarding personal data, into UK law following the UK’s departure from the EU in March 2019. This Bill is currently progressing through Parliament for amendment and review, and the final draft has not yet been published.
A Data Protection Officer. Appointment is obligatory under the GDPR where:
- processing is carried out by a public authority; or
- the “core activities” of a data controller / data processor either:
  - require “the regular and systematic monitoring of data subjects on a large scale”; or
  - consist of processing of special categories of data or data about criminal convictions “on a large scale”.
The European Data Protection Board; it will replace the Article 29 Working Party and its functions will include ensuring consistency in the application of the GDPR, advising the EU Commission, issuing guidelines, codes of practice and recommendations, accrediting certification bodies and issuing opinions on draft decisions of supervisory authorities.
The European Economic Area includes all 28 EU member states, plus Iceland, Liechtenstein and Norway. It does not include Switzerland.
The General Data Protection Regulation was finally adopted as Regulation (EU) 2016/679 on 27 April 2016, and can be found online at
This version of the Guide incorporates guidance published by the Article 29 Working Party in December 2016.
This is any information relating to an identified or identifiable natural person, a ‘data subject’. A data subject is a natural person who can be identified, or is identifiable, directly or indirectly.
The GDPR imposes a new obligation on data controllers and data processors to conduct a Data Protection Impact Assessment (otherwise known as a privacy impact assessment, or PIA) before undertaking any processing that presents a specific privacy risk by virtue of its nature, scope or purposes. Chapter IV Section 3 sets out a non-exhaustive list of categories of processing that will fall within this provision.
A wide definition covering any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means. Examples of processing include the collection, recording, organisation, storage, use and destruction of personal data.
The technique of processing personal data so that it can no longer be attributed to a specific individual without the use of additional information, which must be kept separately and be subject to technical and organisational measures to ensure non-attribution.
Right to erasure/right to be forgotten
A data subject’s existing right to deletion of their personal data, in certain circumstances, has been extended to a new ‘right of erasure’ in circumstances detailed in Chapter III Section 3 GDPR.
Special categories of data
Often known as ‘sensitive data’. The GDPR has extended the definition to include both biometric and genetic data.
This is the data subject’s right to obtain from the data controller, on request, certain information relating to the processing of his/her personal data as detailed in Chapter III Section 2 GDPR.
Supervisory authority/lead authority
Supervisory authorities are national data protection authorities, empowered to enforce the GDPR in their own member state. The ‘one-stop-shop’ concept: where a business is established in more than one Member State, it will have a ‘lead authority’, determined by the place of its ‘main establishment’ in the EU. A supervisory authority which is not a lead authority may also have a regulatory role, for example where processing impacts on data subjects in the country where that supervisory authority is the national authority.
The transfer of personal data to countries outside the EEA or to international organisations, which is subject to restrictions detailed in Chapter V GDPR. As with the Data Protection Directive, data does not need to be physically transported to be transferred. Viewing data hosted in another location would amount to a transfer for GDPR purposes.
This term is used in a variety of contexts in the GDPR, most often to refer to a legal entity that is engaged in “economic activity”. The term has a particular meaning in the context of the GDPR’s provisions regarding financial penalties. Undertakings will be subject to penalties calculated as a percentage of their annual worldwide turnover. In this context, the term imports principles developed in the context of EU competition law.