|
Action
|
An action is included in an action plan and represents some transformation or processing in an organization or a system.
|
|
Action Plan
|
An action plan comprises a series of actions, its objective being to reduce risks and events that have a negative impact on company activities, or to improve the efficiency of a process or an organization.
|
|
Processing Activity Owner
|
The processing activity owner provides a detailed description of the processing activity (excluding assessment).
|
|
Binding Corporate Rules (BCRs)
|
BCRs are a set of binding rules put in place to allow multinational companies and organizations to transfer personal data that they control from the EU to their affiliates outside the EU (but within the organization).
|
|
Computing Device
|
Computing devices are pieces of hardware that can host and run software. Together with their hosted applications, they provide information and IS services.
|
|
Policy Document
|
Policy documents enable you to attach documents or specify a URL concerning privacy-relevant information the organization might use to give evidence of the company's accountability.
|
|
Consent
|
Consent is a freely given, specific, informed and explicit indication, by statement or action, that the data subject agrees to the processing of his or her personal data.
|
|
Data Category
|
A data category is used to group different kinds of personal data.
|
|
Data Controller
|
A data controller is the entity that determines the purposes, conditions and means of the processing of personal data.
|
|
Data Erasure
|
See Right to be forgotten.
|
|
Data Portability
|
Data Portability is the requirement for controllers to provide the data subject with a copy of his or her data in a format that allows for easy use with another controller.
|
|
Data Processor
|
A Data Processor is the entity that processes data on behalf of the Data Controller.
|
|
Data Protection Authority
|
The Data Protection Authority is a national authority tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the Union.
|
|
Data Protection Officer
|
The Data Protection Officer (DPO) is an expert on data privacy who ensures that an entity is adhering to the policies and procedures set forth in the data privacy law.
|
|
Data Subject
|
A Data Subject is a natural person whose personal data is processed by a controller or processor.
|
|
Data Transfer
|
Under a data privacy law, a data transfer is a transfer or copy of personal data.
|
|
DPIA
|
A data protection impact assessment (DPIA) is a privacy-related impact assessment whose objective is to identify and analyze how data privacy might be affected by certain actions or activities. Under a data privacy law, data protection impact assessments are mandatory in certain cases such as profiling.
|
|
Data Subject Category
|
A Data Subject category is a type of stakeholder which interacts with your organization in the context of the enterprise architecture environment, such as a private-sector customer or a supplier.
|
|
Data Subject Request
|
A data subject request is a formal request by a data subject to a controller to take action on his/her personal data.
|
|
Establishment
|
An establishment corresponds to the location (site) of a legal entity.
|
|
IT Support Correspondent
|
An IT support correspondent is in charge of providing IT support.
|
|
Joint Controller
|
Joint controllers are controllers that jointly determine the purposes and means of a processing activity.
|
|
Legal Entity
|
A Legal Entity is a company or an organization which has legal rights and obligations.
|
|
Minimization
|
Minimization is a principle stating that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
|
|
National Representative
|
A National Representative is a representative of the legal entity in one of the Member States. Typically, a non-European legal entity should appoint national representatives in all European Member States where there are data subjects whose personal data is processed by the legal entity.
|
|
Organizational Chart
|
An organizational chart contains the hierarchical structure of the organization's DPOs. It shows the relationship between the appointed DPOs and helps identify the responsibilities within the organization. It is automatically populated based on the information provided on the legal entities.
|
|
Personal Data
|
Personal Data consists of any information related to a natural person or 'Data Subject' that can be used to directly or indirectly identify the person.
|
|
Personal Data Breach
|
A Personal Data Breach is a breach of security leading to the accidental or unlawful access to, destruction of, misuse of, etc. personal data.
|
|
Physical Archive
|
A physical archive corresponds to the premises in which historical records are located.
|
|
Privacy by Design
|
Privacy by Design is a principle that calls for the inclusion of data protection from the outset of system design, rather than as an addition.
|
|
Processing Activity
|
A processing activity consists of any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.
|
|
Profiling
|
Profiling consists of any automated processing of personal data intended to evaluate, analyze, or predict data subject behavior.
|
|
Purpose
|
The purpose of a processing activity is the main objective of this processing activity. Examples: satisfaction survey, customer management, site monitoring.
|
|
Record of Processing Activities
|
A record of processing activities must include significant information about data processing, including data categories, the group of impacted people, the purpose of the processing and the data receivers. It must be provided to authorities upon request.
|
|
Regulation Framework
|
A regulation framework is a set of directives, compulsory or not, defined by a government in a law, by standards bodies as 'best practices', or as an internal policy in an organization.
|
|
Representative
|
A representative is a person in the European Union explicitly designated by the controller to be addressed by the supervisory authorities.
|
|
Requirement
|
A requirement is a need or expectation explicitly expressed, imposed as a constraint to be respected within the context of a regulation framework.
|
|
Retention Period
|
A retention period records the time span during which personal data will be stored by the organization.
|
|
Right to Access
|
Right to Access entitles the data subject to have access to and information about the personal data that a controller has concerning them.
|
|
Right to be Forgotten
|
The Right to be forgotten is also known as Data erasure. It entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data.
|
|
Risk
|
A risk represents any data privacy risk that should be identified and assessed during a DPIA process.
|
|
Safeguard
|
Safeguards are measures taken to ensure the legitimacy of data flows. They apply to transfers only.
|
|
Security Measure
|
Security measures are appropriate technical and organizational measures to be taken to ensure that the requirements of the regulation are met.
|
|
Sensitive Activity
|
A sensitive activity is an activity whose impact on the overall processing risk is significant.
|
|
Supervisory Authority
|
A Supervisory Authority is a public authority established by a member state. It may be contacted by the legal entity, for example to notify a data breach or to gather feedback on the DPIA of a processing activity.
|
|
Third Party
|
A Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
|