Step by Step Guide to understanding Data Privacy and GDPR terms

Find easy explanations of some of the most common technical Data Privacy & GDPR terms.

Central Online Collection System (COCS): A Central Online Collection System (COCS) is a platform for the collection and management of data from various sources in a consistent and efficient manner. It is typically used by organizations in the EU to comply with data protection regulations such as GDPR. It helps to improve data accuracy and efficiency, reduce costs and protect personal data by providing a secure and centralized system.

Data Controller: The entity that determines the purposes and means of processing personal data. This is typically the organization that collects and uses the data.

Data Processor: An entity that processes personal data on behalf of the data controller. This could include service providers like cloud hosting providers or data analytics firms.

Data Protection Impact Assessment (DPIA): A Data Protection Impact Assessment (DPIA) is a risk management process required under the EU’s General Data Protection Regulation (GDPR) for certain types of data processing activities. It involves assessing the potential risks to individuals’ rights and freedoms, and implementing measures to mitigate those risks. It helps to ensure that data protection is built into the design of systems and processes, and that any residual risks are minimized.

Data Protection Officer (DPO): A person responsible for monitoring an organization’s compliance with data protection laws and regulations. This role is mandatory for certain types of organizations under the GDPR.

Data Subject: The individual whose personal data is being processed.

File Exchange Service: The file exchange service is the IT solution provided by the European Commission, known as S-CircaBC, that allows for secure submission of statements of support to Member States for verification and certification. This solution utilizes the existing Commission IT system and is also used for the submission of statements of support collected on paper, as an alternative to the central online collection system outlined in Article 10(1)(5) of the Regulation on the European citizens’ initiative.

General Data Protection Regulation (GDPR): The EU’s comprehensive data protection regulation that came into effect in May 2018. It replaces the 1995 Data Protection Directive and strengthens EU citizens’ privacy rights.

Joint controllers: refers to two or more entities who jointly determine the purposes and means of processing personal data.

Legal Entity: refers to an organization that has a legal personality, such as a company or a government agency.

Organizers (Group of): refers to a group of people who initiate an action or event; in this context, it could be considered a group that initiates a European Citizens’ Initiative.

Personally Identifiable Data (PID): Information that can be used to identify a natural person. This includes things like names, addresses, and identification numbers, as well as sensitive information like health data and biometric data.

Privacy by Design: The principle that privacy should be built into products and services from the outset, rather than being tacked on as an afterthought.

Privacy Impact Assessment (PIA): An assessment of the privacy risks associated with a particular project or activity, and the measures that will be taken to mitigate those risks.

Processing: refers to any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.

Representative: refers to a person appointed to act on behalf of another person or entity.

Right to Access: The right of individuals to obtain confirmation as to whether or not their personal data is being processed, and to access that data if it is.

Right to be Forgotten: The right of individuals to have their personal data erased in certain circumstances.

Sensitive Data: refers to personal data that reveals information like health, sexual orientation, political opinions, or biometric data.

Signatory: refers to a person who signs a document as a way of expressing their agreement or support.

Statement of Support: refers to a document expressing agreement or support for a particular initiative, proposal or action.

The EU Data Protection Regulation (EU-DPR): The EU Data Protection Regulation (EUDPR) is a regulation adopted by the European Union (EU) in 2016 which replaces the 1995 Data Protection Directive. It strengthens EU citizens’ privacy rights by giving them more control over their personal data and introducing new obligations on data controllers and processors. It applies to all organizations operating in the EU and also to those outside the EU if they process the personal data of EU citizens.

This guidance should not be considered as an enforceable right or legitimate expectation, and cannot replace the legal framework, including binding contracts like joint controllership agreements. The responsibility of the representative of the group of organizers as data controller, to comply with GDPR obligations and rules, is not affected by this guidance. The binding interpretation of EU legislation is the exclusive competence of the Court of Justice of the European Union and the Commission’s views expressed in this guidance are without prejudice to its position before the Court of Justice. This guidance is subject to modifications without notice as it reflects the state of the art at the time of its drafting.