Data protection glossary


Anonymisation is the alteration of personal data so that the individual details about personal and factual circumstances can no longer be attributed to a natural person, or can only be attributed to a natural person with a disproportionate amount of manpower.

The difference between anonymisation and pseudonymisation can be found under “Pseudonymisation”.


Commissioned data processing governed the transfer and processing of personal data prior to the entry into force of the GDPR in 2019. Afterwards, commissioned data processing was replaced by the data processing agreement.


The principle here is not to request or store data that is not necessary for the purpose in question.

Principles for the processing of personal data: Art. 5 para. 1 lit. c UK GDPR (data minimisation)

According to Art. 25 (1) of the UK GDPR, data minimisation should be made possible at the time of collection and processing with the available technical means, e.g. through pseudonymisation and/or anonymisation of personal data.

According to Article 28 UK GDPR, a data processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

It is important to note that the data processor only acts “on behalf” of the controller and consequently only acts on the instructions of the controller.

In some cases, data processors do not process the data themselves, but may involve subcontractors. This depends on the processing contract with the controller.

Article 35 of the UK GDPR contains all information about a data protection impact assessment.

According to Article 35 (4) of the UK GDPR, the Commissioner must draw up a list of processing operations for which a data protection impact assessment is necessary in any case.

Companies must delete all data that they no longer need and for which there are no retention obligations. According to Art. 24 (1) of the UK GDPR, the management must designate a responsible person for the deletion or take appropriate measures. According to Art. 5 (2) of the UK GDPR, this must be done in a verifiable form. According to recital 39 to the UK GDPR, a review of these deletion processes should take place regularly.

There is no legal requirement for a written deletion concept, but a written form must be chosen to prove that a deletion concept exists.

This contract should secure the transfer of personal data (from a controller to a data processor) and the use and/or processing of these data. This DPA should meet certain minimum requirements, which are regulated in Article 28 UK GDPR.


This is data whose information can be attributed to a natural person.

Processing of personal data may be manual or automated. The following are considered processing:

  • the collection of data
  • the organisation of data
  • the ordering of data
  • the storage of data
  • the adaptation or modification of data
  • reading data
  • the retrieval of data
  • the use of data
  • the disclosure by transmission of data
  • the dissemination or any other form of making data available
  • the matching or linking of data
  • the restriction of data
  • the erasure or destruction of data

Pseudonymisation is the replacement of personal identifiers by a marker for the purpose of excluding or significantly complicating the identification of the person concerned.

“Pseudonym” comes from the Greek and means something like “to appear under a false name”.

The difference between pseudonymising and anonymising can be found under “Anonymising”.


These standard contractual clauses are so-called “model contracts” that can be used to demonstrate an appropriate guarantee under Art. 46 UK GDPR for the transfer of personal data to secure/unsecure third countries.

Social media marketing (SMM) is a part of online marketing. Here, social media such as Facebook, Twitter or Instagram are used to communicate specific messages to selected target groups. SMM involves tactical and strategic planning for communicating corporate messages, product information, interaction with users and generating visitors for one’s website.

Formerly also known as “sensitive data”. Specifically, this covers the following data:

  • racial and ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data uniquely identifying a natural person
  • health data
  • data concerning sexual life or sexual orientation

Abbreviation for the Swiss ‘State Policy Commission of the National Council’ (Staatspolitischen Kommission des Nationalrats).

The SPK is a committee of the Swiss Parliament that deals with the following issues:

  • Organisation and procedures of the government and the federal administration
  • Parliamentary law (subject to the special topics/competences of the bureaux)
  • Separation of powers, division of competences between the federal authorities (including constitutional jurisdiction)
  • Federal personnel
  • Relations between the Confederation and the cantons (general and institutional issues, guarantee of cantonal constitutions)
  • Political rights
  • Role of the state in opinion-forming
  • Citizenship
  • Identity documents
  • Aliens law
  • Asylum law
  • Data protection
  • Relations between state and religion

Our supervisory authority in the UK is the national Information Commissioner’s Office (ICO). The supervisory authorities in the EU, also called data protection supervisory authorities, are independent bodies in each EU country.

Their job is to ensure compliance with data protection laws.

They are allowed to carry out checks and impose fines, and are supposed to be available as free help for enquiries.


TOMs are the measures required by Art. 32 UK GDPR to be taken by the controller and/or data processor to ensure the security of personal data during data processing.

Transparency in the sense of the UK GDPR means that the data subject must be informed whenever his or her personal data are processed by the processing entity. Only in this way can the data subject also exercise his or her rights enshrined in the UK GDPR.