Digital Lexicon – Aurele IT

Introduced by the GDPR, this notion is based on the will to make the actors concerned by the protection of Personal Data responsible. They now have the obligation to document their compliance with the GDPR, through the implementation of a personal data governance system, in particular in order to provide proof of their compliance with Data Protection rules.

A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z

A

Accountability

Adequacy decision

Decision of the European Commission establishing that a non-EU country (known as a “third country”) offers a level of protection of personal data comparable to that guaranteed in the EU. Third countries that have been addressed by an adequacy decision include: Andorra; Argentina; Canada; Israel; Japan; New Zealand; Uruguay. Complete list (in French)

Authentification

Process of controlling the legitimacy of a request for access to a system, aimed at protecting user data against fraud attempts. Authentication generally takes the form of a password, to which is added another means of authentication, such as a telephone number or voice recognition.

B

Big Data
Big data is the set of massive data whose volume collected, processing speed and variety of sources imply the use of Artificial Intelligence (AI). Big Data has a market value.

C

CCPA
CCPA is an acronym for California Consumer Privacy Act, legislation passed on June 28, 2018 by the legislature of the State of California relating to the protection of personal data of California residents, effective January 1, 2020.

CJUE

The Cour de Justice de l’Union européenne is the Court of Justice of the European Union.

Cloud Computing
Provision of IT services (including servers, storage, databases, network management, software, analysis tools, artificial intelligence) via the Internet. The Cloud offers faster innovation, flexible resources and economies of scale. There are several types of Cloud architecture, including Public Cloud and Private Cloud.

CNIL

The Commission Nationale de l’Informatique et des Libertés (CNIL) is an independent administrative authority created by the French Data Protection Act of January 6, 1978. It is in charge of ensuring the protection of personal data contained in computer or paper files and processing, both public and private.

It is responsible for ensuring that information technology is at the service of the citizen and that it does not infringe on human identity, human rights, privacy, or individual or public freedoms. It has a role of warning, advising and informing all sections of the public, but also has the power to monitor and sanction.

Consent
In Personal Data law, consent is a clear, specific, unambiguous and freely given indication by a user in the form of a declaration or a positive act, by which he authorizes the processing of his personal data.

Cookie
Computer file deposited and read on a terminal, particularly when consulting a website. Cookies have several uses: they can be used to memorize a customer identifier with a commercial site or to trace the navigation of the Internet user for statistical or advertising purposes. By deliberation of July 4, 2019, the CNIL adopted guidelines on Cookies.

CPRA
California Privacy Rights Act, refers to the proposed legislation to supplement the CCPA to strengthen California residents’ control over their personal data. It was the subject of Proposition 24 in California’s recent ballot, and following its approval will enter into force on 1 January 2023.

Credential stuffing

This consists in repeated attempts to access a web site or a web service by malware using access credentials (most often username and password) which were previously obtained through a data breach.

CRM
Customer Relationship Management, the acronym refers to the set of tools and techniques designed for Customer Relationship Management (CRM). The CRM software package captures, processes and analyzes information about customers and prospects, with the aim of building customer loyalty.

D

Data Controller
Organism that determines the purposes and means of a Treatment.

Data Protection Agreement

Within the meaning of Article 28 of the GDPR, it is a contract which binds the processor and the controller and determines the purpose and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.

DNS
Domaine Name System. Computer service for translation of Internet domain names into IP addresses or other records.

DPO
The Data Protection Officer was introduced by GDPR. He replaces the former Correspondant Informatique et Libertés (CIL) with more extensive responsibilities. The DPO is responsible for implementing compliance within the organization that appointed him, with respect to all Personal Data Processing implemented by that organization. Its designation is made mandatory by the DPO in certain cases.

E

EDPD
The European Data Protection Board is a working group set up by article 29 of the directive of October 24, 1995 and successor to the G29. The EDPD brings together the representatives of the national data protection authority of each Member State. Its mission is to contribute to the elaboration of European standards and to advise the European Commission on any project having an impact on the rights and freedoms of individuals.

ERP
Enterprise Ressource Planning, the acronym stands for a company’s business process management software. The ERP software package offers in particular solutions for managing orders, stocks, or e-commerce. In a logic of cost optimization, it can be complemented by a CRM software package ensuring the company’s customer satisfaction approach.

E-Réputation
Online reputation of a natural or legal person, made accessible to any Internet user via search engines. The control of the E-reputation implies the user’s increased vigilance regarding the publication of contents concerning him. The RGPD allows any person to request the deletion of data concerning him/her, however this also implies obtaining a de-referencing from search engines, which can be difficult to obtain.

Escrow
In digital law, process which consists in concluding an agreement between the editor of a software and its co-contracting party, aiming at entrusting the source codes of the software to a third party escrow agent, in order to ensure the co-contracting party the possibility of accessing them, in particular in the event of failure of the editor. In France, the best known software escrow companies are the Agence pour la Protection des Programmes (APP) and Logitas.

F

FAANGS
Acronym used in the English-speaking world to identify the big web companies : Facebook, Amazon, Apple, Netflix and Google). In the French-speaking world, they are referred to as GAFA, meaning Google, Apple, Facebook and Amazon. The main characteristic of the Web giants is their international scope in terms of users and data storage, which gives them an almost unbeatable lead in the fields of e-commerce, advertising and access to Personal Data.

G

GDPR
EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which entered into force on 25 May 2018.

H

Health data
Data relating to the health of an individual. It falls into the category of special data and is specifically protected as such by the DMPR.

I

Interoperability
In relation to software, it refers to the ability of the software to interact with other software. Interoperability is based on an open format and differs from simple compatibility in that it allows interaction between independent software, whereas compatibility results from translating from one format to another on a case-by-case basis, especially when the formats are closed. The requirement for any software vendor to enable interoperability avoids the creation of closed systems that captivate users.

IP Adress
Identification number of a device connected to the Internet network that is permanently or temporarily assigned. The IP Address is a personal data according to the CNIL.

ISP
Internet Service Provider. The acronym refers to any organization offering an Internet connection. In France, they are mainly: Orange, SFR, Free, La Poste Mobile, Bouygues Télécom.

J

K

L

LCEN
Loi pour la Confiance dans l’Economie Numérique, law n 2004-575 of June 21, 2004 transposing directive 2000/31/CE of June 8, 2000. It sets the legal framework for the exercise of e-commerce activities, online services and Internet service providers.

LIL
French Law known as “Loi Informatique et Libertés” n° 78-17 of January 6, 1978, relating to data processing, files and freedoms. The choice was made to maintain this law in compliance with GDPR.

M

N

O

P

Personal Data
Notion defined in the French Data Protection Act (loi informatique et liberté) and in GDPR designating any information relating to an identified or identifiable natural person. Identification may result from a single piece of data or from the cross-referencing of a set of data. The control of their Personal Data by users implies the granting of certain rights such as the right to access, modify, delete their data.

Personal Data Violation
Security breach causing the destruction, loss of alteration of personal data.

Phishing
A technique used by fraudsters to extract a user’s personal information. It often takes the form of an e-mail from a sender posing as an official or familiar organization (bank, tax authorities, etc.).

Privacy by default
Principle requiring organizations to adopt measures for the protection of personal data downstream of the design of any project involving Data Processing.

Privacy by design
Principle requiring organizations to integrate GDPR requirements from the design stage of any project involving Data Processing.

Privacy Shield
A self-certification mechanism for companies established in the United States that was recognized by the European Commission in August 2016 as providing an adequate level of protection for personal data transferred by a European entity to companies established in the United States. It has been invalidated by the CJEU’s decision of July 16, 2020.

Private Cloud
A set of Cloud computing resources used exclusively by an organization. The private Cloud can be physically located in the company’s local data center. Some companies also use service providers to host their Private Cloud.

Processing of Personal Data
An operation or set of operations, involving Personal Data and pursuing one or more specified purposes. Both automated and manual processing are subject to data protection legislation.

Processor
Enitity that carries out the Processing of Personal Data on behalf of a Data Controller. Since the entry into force of the GDPR, the Processor assumes new responsibilities.

Profiling
Process of Automated processing of the data of a natural person allowing the statistical evaluation of certain aspects such as work performance, economic situation, centers of interest.

Pseudonymization
Changing the identification keys of an individual. Pseudonymization should not be confused with “anonymization”, which makes any process of re-identification of a person impossible. GDPR applies fully to pseudonymized data because it remains traceable to a natural person.

Public Cloud
Owned and operated by a third-party service provider, it provides computing resources, such as servers and storage, via the Internet. In a public cloud, all hardware, software and infrastructure is owned by the cloud provider.

Q

R

RGPD
Acronym for Règlement général sur la protection des données : french equivalent of GDPR.

Right of access
The data subject’s right under GDPR to request from a controller access to their personal data processed by such controller.

Right of rectification
The data subject’s right under GDPR to request from a controller to correct or complete their personal data pertaining to the purpose of the processing.

S

Safe Harbour
Set of principles for the protection of personal data negotiated between the US authorities and the European Commission in 2000. This self-certification mechanism allowed companies established in the United States that voluntarily adhere to it to receive personal data from the EU. The Safe Harbor program was invalidated by the European Court of Justice (ECJ) on October 6, 2015. It was replaced in 2016 by the Privacy Shield.

Sensitive Data
Sensitive Data is referred to by GDPR as “Special Categories of Personal Data”. This includes Personal Data that reveals the racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic identity, biometric characteristics, health, life or sexual orientation of an individual. Their Processing is in principle prohibited.

T

Traitement de Données personnelles
Opération ou ensemble d’opérations, portant sur des Données personnelles et poursuivant une ou plusieurs finalités déterminées. Les traitements automatisés comme les traitements manuels sont soumis à la législation sur la protection des données.

Transparence
Transparency, a central concept of data protection, requires organizations that process Personal Data to provide concise, transparent, comprehensible and easily accessible information to the persons concerned.

Treatment limitation
The right of the data subject, which complements the other rights conferred on the data (rectification, opposition, access, etc.) In case of dispute, the data subject may ask the Data Controller to suspend the use of the data. The Data Controller shall no longer use the data but shall keep them for the time necessary to verify the objection.

U

V

W

X

Y

Z

Florence Ivanier Aurele IT Avocats – January 2021

Copyright Aurele IT 2021 – Reproduction prohibited without prior permission. Definitions from the lexicon can occasionally be used provided that you cite the source as follows: Digital Lexicon by Aurele IT Avocats https://aurele-it.fr/lexique