GDPR Dictionary

What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation on data protection and privacy for all individuals within the EU and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and the EEA. GDPR aims primarily to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It came into effect on 25 May 2018.
 

Data Subject: Any individual about whom an organization holds personal information. In the IEEE context, the organization could be IEEE, Societies, Councils, and Technical Communities. 

Personal Data: Any information relating to an identified or identifiable person (data subject). Examples include name, telephone number, email address, location data, IP address, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

Consent: A data subject’s recorded acceptance of the use of their data for specific purposes. Consent must be freely given: the user must be presented with a choice to opt in, meaning no pre-checked boxes. For interactions with IEEE, the specific purposes are outlined in the IEEE Privacy Policy.

Data Subject Request: A formal request by an individual from the EU to avail themselves of their rights under GDPR. This would include obtaining copies of their data, requesting changes to it, restricting the processing of it, deleting it, or receiving it in an electronic format so it can be moved to another data controller.

Data Controller: Any entity that determines the purposes, conditions, and means of the processing of personal data. In many situations IEEE may be considered a Data Controller because of its collection and use of personal data.  

Data Processor: Any entity that processes personal data on behalf of the controller. A data processor may be a person or third-party organization that the data controller chooses to use for specific purposes to process data.

IEEE Data User: As part of their responsibilities, IEEE volunteers, staff, and associated third parties acting on behalf of IEEE (referred to as "IEEE Data Users") may have the opportunity to obtain access to and/or process personal data of individuals who interact with IEEE.

Distinction between Data Controller, Data Processor, and IEEE Data User: Data Controllers are the entities that determine the purposes, conditions, and means of the processing of personal data, so they determine how data will be collected, stored, used, secured, and retained (so, for us, the IEEE is usually the Data Controller). Data Processors are third-party entities that process data on behalf of the Data Controllers (so, this would be our vendors and consultants who are contractually obligated to process our data). Data Users are the persons who act as agents of the Data Controller, that is, the employees and volunteers who collect, process, use, secure, and retain the personal data as a part of the ongoing activities of the Data Controller.

IEEE Privacy Policy: A universal policy that applies to all personal data collected and processed by IEEE staff, volunteers acting on behalf of IEEE, contractors and partners doing business on behalf of IEEE, as well as all legal entities. All IEEE data must be in compliance with the IEEE Privacy Policy.