Term Definition
Recital 94: Consultation of the Supervisory Authority

Where a data protection impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate the risk, result in a high risk to the rights and freedoms of natural persons and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation, the supervisory authority should be consulted prior to the start of processing activities. Such high risk is likely to result from certain types of processing and the extent and frequency of processing, which may result also in a realisation of damage or interference with the rights and freedoms of the natural person. The supervisory authority should respond to the request for consultation within a specified period. However, the absence of a reaction of the supervisory authority within that period should be without prejudice to any intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation, including the power to prohibit processing operations. As part of that consultation process, the outcome of a data protection impact assessment carried out with regard to the processing at issue may be submitted to the supervisory authority, in particular the measures envisaged to mitigate the risk to the rights and freedoms of natural persons.

Recital 95: Support by the Processor

The processor should assist the controller, where necessary and upon request, in ensuring compliance with the obligations deriving from the carrying out of data protection impact assessments and from prior consultation of the supervisory authority.

Recital 96: Consultation of the Supervisory Authority in the Course of a Legislative Process

A consultation of the supervisory authority should also take place in the course of the preparation of a legislative or regulatory measure which provides for the processing of personal data, in order to ensure compliance of the intended processing with this Regulation and in particular to mitigate the risk involved for the data subject.

Recital 97: Data Protection Officer

Where the processing is carried out by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity, where, in the private sector, processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of the data subjects on a large scale, or where the core activities of the controller or the processor consist of processing on a large scale of special categories of personal data and data relating to criminal convictions and offences, a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation. In the private sector, the core activities of a controller relate to its primary activities and do not relate to the processing of personal data as ancillary activities. The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor. Such data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.

Recital 98: Preparation of Codes of Conduct by Organisations and Associations

Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium enterprises. In particular, such codes of conduct could calibrate the obligations of controllers and processors, taking into account the risk likely to result from the processing for the rights and freedoms of natural persons.

Recital 99: Consultation of Stakeholders and Data Subjects in the Development of Codes of Conduct

When drawing up a code of conduct, or when amending or extending such a code, associations and other bodies representing categories of controllers or processors should consult relevant stakeholders, including data subjects where feasible, and have regard to submissions received and views expressed in response to such consultations.

Rectification
The right of rectification is the right to obtain from the controller the rectification without delay of inaccurate or incomplete personal data. To exercise the right of rectification, the data subject usually has to write to the controller of the processing operation. By way of illustration, if you need to change your personal address or if you find that information about you is inaccurate, you should exercise your right of rectification by contacting the controller who holds these data.
Retention
Data retention refers to all obligations on the part of controllers to retain personal data for certain purposes. Limiting how long you keep personal data is part of data minimisation. The rule of thumb is "as long as necessary, as short as possible", although sometimes legal rules may impose fixed periods. Data that are no longer retained cannot fall into the wrong hands, nor be abused, meaning that defining and enforcing limited conservation periods helps to protect the people whose data are processed.
Right of Access
The right of an individual to inspect all personal data relating to them held by a data controller in an intelligible and, as far as is practicable, permanent format.
Right to be Forgotten
An individual
Right to Object
The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Right to Restriction
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future. This right can only be exercised where:
- their accuracy is contested by the data subject, enabling though the controller to verify the accuracy, including the completeness of the data;
- or the processing is unlawful and the data subject opposes their erasure and demands their restriction of processing instead;
- or the controller no longer needs them for the accomplishment of its tasks but they have to be maintained for purposes of proof;
- or the data subject has objected to processing to Article 23(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
Personal data restricted can only be processed with the data subject's consent, for purposes of proof, or for the protection of the rights of a third party, or for reasons of important public interest of the Union or of a Member State.
Security Patch

A security patch is software that corrects errors in computer software code. Security patches are issued by software companies to address vulnerabilities discovered in the company’s product. Vulnerabilities can also be found in the aftermath of a cyberattacker exploiting a vulnerability of an operating system – a vulnerability the software manufacturer was not previously aware of. Applying security patches that respond to the latest threats enhances device security.

Sensitive Personal Data

Personal data containing information relating to an individual’s racial and ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, or criminal history.

Special Categories of Data

Personal data containing information relating to an individual’s racial and ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, or criminal history.

Subject Access Request
The request of an individual to a data controller to exercise their right of access. The data controller must produce the requested information in an intelligible and, as far as is practicable, permanent format.
Third Party
Any person other than the data subject, the data controller, any data processor or other person authorised to process data for the data controller or processor, or any employee or agent of the data controller or data processor.
Threat Actor

Anyone who has the potential to impact your security, usually in relation to cyber security. Someone who is either a key driver of, or participates in, a malicious action that targets an organisation's IT security.

Transfer
The movement of personal data from one organisation to another. This could also relate to the international transfer of data.
Transparency
Taking appropriate measures to provide any information relating to processing to the data subject in a concise, intelligible and easily accessible form, using clear and plain language.
