Digital Lexicon Aurele IT


This digital glossary is primarily aimed at non-experts, providing definitions for commonly used terms in the digital realm. It is not intended to be exhaustive.

When a term is italicized within a definition, it means that it is defined elsewhere in the glossary.





Introduced by the GDPR, this notion is based on the will to make the actors concerned by the protection of Personal Data responsible. They now have the obligation to document their compliance with the GDPR, through the implementation of a personal data governance system, in particular in order to provide proof of their compliance with Data Protection rules.

Adequacy decision

Decision of the European Commission establishing that a non-EU country (known as a “third country”) offers a level of protection of personal data comparable to that guaranteed in the EU. Third countries that have been addressed by an adequacy decision include: Andorra; Argentina; Canada; Israel; Japan; New Zealand; Uruguay.

AI System

A machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments [AI Act art. 3.1]

AI regulatory sandbox

A controlled framework set up by a competent authority which offers providers or prospective providers of AI systems the possibility to develop, train, validate and test, where appropriate in real-world conditions, an innovative AI system, pursuant to a sandbox plan for a limited time under regulatory supervision [AI Act art. 3.55]


Process of controlling the legitimacy of a request for access to a system, aimed at protecting user data against fraud attempts. Authentication generally takes the form of a password, to which is added another means of authentication, such as a telephone number or voice recognition.


Big Data
Big data is the set of massive data whose volume collected, processing speed and variety of sources imply the use of Artificial Intelligence (AI). Big Data has a market value.

Biometric data

Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, such as facial images or dactyloscopic data [AI Act art. 3.34]

Biometric identification

The automated recognition of physical, physiological, behavioural, or psychological human features for the purpose of establishing the identity of a natural person by comparing biometric data of that individual to biometric data of individuals stored in a database [AI Act art. 3.35]


CCPA is an acronym for California Consumer Privacy Act, legislation passed on June 28, 2018 by the legislature of the State of California relating to the protection of personal data of California residents, effective January 1, 2020.

CE marking

A marking by which a provider indicates that an AI system is in conformity with the requirements set out in Chapter III, Section 2 and other applicable Union harmonisation legislation providing for its affixing [AI Act art. 3.24]


The Cour de Justice de l’Union européenne is the Court of Justice of the European Union.

Cloud Computing 
Provision of IT services (including servers, storage, databases, network management, software, analysis tools, artificial intelligence) via the Internet. The Cloud offers faster innovation, flexible resources and economies of scale. There are several types of Cloud architecture, including Public Cloud and Private Cloud.


The Commission Nationale de l’Informatique et des Libertés (CNIL) is an independent administrative authority created by the French Data Protection Act of January 6, 1978. It is in charge of ensuring the protection of personal data contained in computer or paper files and processing, both public and private.

It is responsible for ensuring that information technology is at the service of the citizen and that it does not infringe on human identity, human rights, privacy, or individual or public freedoms. It has a role of warning, advising and informing all sections of the public, but also has the power to monitor and sanction.

In Personal Data law, consent is a clear, specific, unambiguous and freely given indication by a user in the form of a declaration or a positive act, by which he authorizes the processing of his personal data.


Computer file deposited and read on a terminal, particularly when consulting a website. Cookies have several uses: they can be used to memorize a customer identifier with a commercial site or to trace the navigation of the Internet user for statistical or advertising purposes. By deliberation of July 4, 2019, the CNIL adopted guidelines on Cookies.

California Privacy Rights Act, refers to the proposed legislation to supplement the CCPA to strengthen California residents’ control over their personal data. It was the subject of Proposition 24 in California’s recent ballot, and following its approval will enter into force on 1 January 2023.

Credential stuffing

This consists in repeated attempts to access a web site or a web service by malware using access credentials (most often username and password) which were previously obtained through a data breach.

Customer Relationship Management, the acronym refers to the set of tools and techniques designed for Customer Relationship Management (CRM). The CRM software package captures, processes and analyzes information about customers and prospects, with the aim of building customer loyalty.


Data Controller
Body that determines the purposes and means of a Processing operation.

Data Protection Agreement

Within the meaning of Article 28 of the GDPR, it is a contract which binds the processor and the controller and determines the purpose and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller

Data Processing Limitation

The data processing limitation is a right of the data subject, which complements the other rights conferred on the data (rectification, opposition, access, etc.) In case of dispute, the data subject may ask the Data Controller to suspend the use of the data. The Data Controller shall no longer use the data but shall keep them for the time necessary to verify the objection.

Deep fake

AI-generated or manipulated image, audio or video content that resembles existing persons, objects, places, entities or events and would falsely appear to a person to be authentic or truthful [AI Act art. 3.60]


A natural or legal person, public authority, agency or other body using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity [AI Act art. 3.4]


A natural or legal person in the supply chain, other than the provider or the importer, that makes an AI system available on the Union market [AI Act art. 3.7]

Domain Name System. Computer service for translation of Internet domain names into IP addresses or other records.

The Data Protection Officer was introduced by GDPR. He replaces the former Correspondant Informatique et Libertés (CIL) with more extensive responsibilities. The DPO is responsible for implementing compliance within the organization that appointed him, with respect to all Personal Data Processing implemented by that organization. Its designation is made mandatory by the DPO in certain cases.


The European Data Protection Board is a working group set up by article 29 of the directive of October 24, 1995 and successor to the G29. The EDPB brings together the representatives of the national data protection authority of each Member State. Its mission is to contribute to the elaboration of European standards and to advise the European Commission on any project having an impact on the rights and freedoms of individuals.

Emotion recognition system

An AI system for the purpose of identifying or inferring emotions or intentions of natural persons on the basis of their biometric data [AI Act art. 3.39]

Enterprise Resource Planning, the acronym stands for a company’s business process management software. The ERP software package offers in particular solutions for managing orders, stocks, or e-commerce. In a logic of cost optimization, it can be complemented by a CRM software package ensuring the company’s customer satisfaction approach.

Online reputation of a natural or legal person, made accessible to any Internet user via search engines. The control of the E-reputation implies the user’s increased vigilance regarding the publication of contents concerning him. The RGPD allows any person to request the deletion of data concerning him/her, however this also implies obtaining a de-referencing from search engines, which can be difficult to obtain.

In digital law, a process which consists in concluding an agreement between the publisher of a piece of software and its co-contracting party, aiming at entrusting the source code of the software to a third-party escrow agent, in order to ensure the co-contracting party the possibility of accessing it, in particular in the event of failure of the publisher. In France, the best known software escrow companies are the Agence pour la Protection des Programmes (APP) and Logitas.


Acronym used in the English-speaking world to identify the big web companies (Facebook, Amazon, Apple, Netflix and Google). In the French-speaking world, they are referred to as GAFA, meaning Google, Apple, Facebook and Amazon. The main characteristic of the Web giants is their international scope in terms of users and data storage, which gives them an almost unbeatable lead in the fields of e-commerce, advertising and access to Personal Data.


EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which entered into force on 25 May 2018.

General purpose AI model

An AI model, including where such an AI model is trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications, except AI models that are used for research, development or prototyping activities before they are placed on the market [AI Act art. 3.63]

General purpose AI system

An AI system which is based on a general-purpose AI model and which has the capability to serve a variety of purposes, both for direct use as well as for integration in other AI systems [AI Act art. 3.66]


Health data
Data relating to the health of an individual. It falls into the category of special data and is specifically protected as such by the GDPR.


Input data

Data provided to or directly acquired by an AI system on the basis of which the system produces an output [AI Act art. 3.33]

Intended purpose

The use for which an AI system is intended by the provider, including the specific context and conditions of use, as specified in the information supplied by the provider in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation [AI Act art. 3.8]

In relation to software, it refers to the ability of the software to interact with other software. Interoperability is based on an open format and differs from simple compatibility in that it allows interaction between independent software, whereas compatibility results from translating from one format to another on a case-by-case basis, especially when the formats are closed. The requirement for any software vendor to enable interoperability avoids the creation of closed systems that captivate users.

IP Address
Identification number of a device connected to the Internet network that is permanently or temporarily assigned. The IP Address is personal data according to the CNIL.

Internet Service Provider. The acronym refers to any organization offering an Internet connection. In France, they are mainly: Orange, SFR, Free, La Poste Mobile, Bouygues Télécom.




Loi pour la Confiance dans l’Economie Numérique, law n° 2004-575 of June 21, 2004 transposing directive 2000/31/CE of June 8, 2000. It sets the legal framework for the exercise of e-commerce activities, online services and Internet service providers.

French Law known as “Loi Informatique et Libertés” n° 78-17 of January 6, 1978, relating to data processing, files and freedoms. The choice was made to maintain this law in compliance with GDPR.






A provider, product manufacturer, deployer, authorised representative, importer or distributor [AI Act art. 3.8]


Personal Data
Notion defined in the French Data Protection Act (loi informatique et liberté) and in GDPR designating any information relating to an identified or identifiable natural person. Identification may result from a single piece of data or from the cross-referencing of a set of data. The control of their Personal Data by users implies the granting of certain rights such as the right to access, modify, delete their data.

Personal Data Violation
Security breach causing the destruction, loss or alteration of personal data.

A technique used by fraudsters to extract a user’s personal information. It often takes the form of an e-mail from a sender posing as an official or familiar organization (bank, tax authorities, etc.).

Privacy by default
Principle requiring organizations to adopt measures for the protection of personal data downstream of the design of any project involving Data Processing.

Privacy by design
Principle requiring organizations to integrate GDPR requirements from the design stage of any project involving Data Processing.

Privacy Shield
A self-certification mechanism for companies established in the United States that was recognized by the European Commission in August 2016 as providing an adequate level of protection for personal data transferred by a European entity to companies established in the United States. It has been invalidated by the CJEU’s decision of July 16, 2020.

Private Cloud
A set of Cloud computing resources used exclusively by an organization. The private Cloud can be physically located in the company’s local data center. Some companies also use service providers to host their Private Cloud.

Processing of Personal Data
An operation or set of operations, involving Personal Data and pursuing one or more specified purposes. Both automated and manual processing are subject to data protection legislation.

Entity that carries out the Processing of Personal Data on behalf of a Data Controller. Since the entry into force of the GDPR, the Processor assumes new responsibilities.

Process of automated processing of the data of a natural person allowing the statistical evaluation of certain aspects such as work performance, economic situation, centers of interest.


A natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge [AI Act art. 3.3]

Changing the identification keys of an individual. Pseudonymization should not be confused with “anonymization”, which makes any process of re-identification of a person impossible. GDPR applies fully to pseudonymized data because it remains traceable to a natural person.

Public Cloud
Owned and operated by a third-party service provider, it provides computing resources, such as servers and storage, via the Internet. In a public cloud, all hardware, software and infrastructure is owned by the cloud provider.




Real-time remote biometric identification system

A remote biometric identification system, whereby the capturing of biometric data, the comparison and the identification all occur without a significant delay, comprising not only instant identification, but also limited short delays in order to avoid circumvention [AI Act art. 3.42]

Reasonably foreseeable misuse

The use of an AI system in a way that is not in accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systems, including other AI systems [AI Act art. 3.13]

Remote biometric identification system

An AI system for the purpose of identifying natural persons, without their active involvement, typically at a distance through the comparison of a person’s biometric data with the biometric data contained in a reference database [AI Act art. 3.41]


Acronym for Règlement Général sur la Protection des Données: French equivalent of GDPR.

Right of access
The data subject’s right under GDPR to request from a controller access to their personal data processed by such controller.

Right of rectification
The data subject’s right under GDPR to request from a controller to correct or complete their personal data pertaining to the purpose of the processing.


Safe Harbour
Set of principles for the protection of personal data negotiated between the US authorities and the European Commission in 2000. This self-certification mechanism allowed companies established in the United States that voluntarily adhere to it to receive personal data from the EU. The Safe Harbor program was invalidated by the European Court of Justice (ECJ) on October 6, 2015. It was replaced in 2016 by the Privacy Shield.

Sensitive Data
Sensitive Data is referred to by GDPR as “Special Categories of Personal Data”. This includes Personal Data that reveals the racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic identity, biometric characteristics, health, life or sexual orientation of an individual. Their Processing is in principle prohibited.

Sensitive operational data

Operational data related to activities of prevention, detection, investigation or prosecution of criminal offences, the disclosure of which could jeopardise the integrity of criminal proceedings [AI Act art. 3.38]


Testing data 

Data used for providing an independent evaluation of the AI system in order to confirm the expected performance of that system before its placing on the market or putting into service [AI Act art. 3.32]

Training data

Data used for training an AI system through fitting its learnable parameters [AI Act art. 3.29]

Transparency, a central concept of data protection, requires organizations that process Personal Data to provide concise, transparent, comprehensible and easily accessible information to the persons concerned.



Validation data

Data used for providing an evaluation of the trained AI system and for tuning its non-learnable parameters and its learning process in order, inter alia, to prevent underfitting or overfitting [AI Act art. 3.30]






Florence Ivanier Aurele IT Avocats – January 2021

Copyright Aurele IT 2021 – Reproduction prohibited without prior permission. Definitions from the lexicon can occasionally be used provided that you cite the source as follows: Digital Lexicon by Aurele IT Avocats