Privacy explained
GDPR, data breach, cookies, DPO, profiling — every concept in plain language.
- What is the AVG/GDPR?
  The AVG (in English: GDPR) is the EU privacy law in force since 25 May 2018. It governs what businesses, government and organisations may do with your personal data.
- What is personal data?
  Personal data is any information that can identify a living person — directly (name, ID number) or indirectly (combinations of data).
- What is a data breach?
  A data breach is any unauthorised access, loss or disclosure of personal data — from a stolen laptop to a misaddressed email.
- What are cookies?
  Cookies are small text files that websites store on your device. Some are needed to make the site work; others track behaviour, and those require your consent.
- What is a DPO?
  A DPO (Data Protection Officer) oversees GDPR compliance within an organisation. Mandatory for public bodies, large-scale monitoring, and special category data (GDPR Art. 37).
- What is a DPIA?
  A DPIA is a mandatory risk assessment before high-risk processing (GDPR Art. 35). When is it required, and what must it contain?
- What is a processor?
  A processor processes personal data on behalf of someone else (the controller). A hosting provider, email service or SaaS supplier is a processor with its own GDPR obligations.
- What is a controller?
  The data controller determines the purpose and means of processing — and bears primary GDPR responsibility.
- The 6 lawful bases
  Every processing of personal data must rest on one of six lawful bases — consent, contract, legal obligation, vital interests, public interest, or legitimate interest.
- Special category data
  Health, race, religion, political views, biometrics, genetics, union membership, sex life — special categories receive extra protection under GDPR Art. 9.
- What is profiling?
  Profiling is automated analysis to evaluate or predict someone — behaviour, creditworthiness, buying patterns, health. With or without consent?
- Automated decision-making
  A decision made solely by algorithm and with legal or similarly significant effect. GDPR Art. 22 sets strict limits and grants a right to human review.
- Data minimisation
  Collect only what is strictly necessary for the stated purpose — nothing more. One of the six GDPR principles.
- Purpose limitation
  Data collected for purpose A may not simply be repurposed for purpose B. Purpose limitation prevents function creep and is a core GDPR principle.
- Storage limitation
  Data may not be retained longer than necessary for the purpose. A core GDPR principle (Art. 5(1)(e)). A business must determine retention periods in advance.
- Privacy by design
  GDPR Art. 25 mandates that privacy be built in from the first sketch of every product or process, and that the most privacy-friendly settings be on by default.
- DPA
  A DPA (data processing agreement) is the contract between controller and processor on how personal data is handled — mandatory under GDPR Art. 28.
- RoPA
  A RoPA (record of processing activities) is the mandatory internal documentation of all processing activities. Cornerstone of accountability (GDPR Art. 30).
- What are SCCs?
  EU Commission-approved model contracts for transferring data to third countries without an adequacy decision (GDPR Art. 46).
- Schrems II
  The CJEU ruling of 16 July 2020 that invalidated Privacy Shield and tightened the requirements for using SCCs for US data transfers.
- Adequacy decision
  EU decision that a third country provides "adequate" data protection (GDPR Art. 45) — data may then flow without extra contracts or safeguards.
- EU AI Act
  The world's first comprehensive AI law (in force 1 August 2024). Classifies AI systems by risk and sets requirements for high-risk applications.
- Portrait law
  Dutch Copyright Act Art. 21: a recognisable image of you may not be published if you have a reasonable interest in stopping it.
- Online tracking
  Pixels, cookies, fingerprinting, beacons — how companies track your behaviour across sites, and what you can concretely do about it.
- Browser fingerprinting
  A tracking technique that uniquely identifies your device without cookies — via browser version, fonts, screen, plugins and more. Consent required.
- Dark patterns
  Manipulative UI choices that push you toward unwanted outcomes — pre-ticked boxes, hidden opt-outs, endless pop-ups. Incompatible with the GDPR.
- What is the UAVG?
  The Dutch implementation law alongside the GDPR — covers national specifics, BSN use, the journalistic exemption, and details the GDPR leaves to member states.
- ePrivacy Directive
  EU directive (2002/58/EC) specifically covering cookies, email marketing and telecommunications — implemented in Dutch Telecoms Act Art. 11.7 and 11.7a. Stricter than the GDPR for these topics.
- 72-hour breach duty
  On a data breach with risk, the controller must notify the AP within 72 hours. On high risk, affected persons must also be notified. Failure to notify can mean a fine of up to €10m or 2% of turnover.
- Digital Services Act
  EU regulation (in force 17 Feb 2024) requiring platforms to provide transparency, faster illegal-content takedown, dark-pattern bans, and consumer protection.
- Digital Markets Act
  EU regulation limiting the market power of "gatekeepers" (Google, Meta, Apple, Amazon, Microsoft, ByteDance, Booking) and enforcing interoperability. In force from 7 March 2024.
- EDPB
  EU umbrella body of all national data protection authorities (AP, CNIL, etc.). Issues binding guidelines, resolves cross-border disputes, coordinates enforcement.
- Pseudonymisation
  Encrypting personal data with a key that allows re-identification — the result remains personal data under the GDPR. Anonymisation removes that key — the result falls outside the GDPR.
- All GDPR rights
  Complete index of your 8 GDPR rights plus the right to complain. Per right: what it is, how to exercise it, the response time, and escalation if refused.
- BSN misuse
  The BSN is a unique personal number with high identity-theft risk. Only share it with legally entitled parties. The KopieID app redacts the BSN on ID copies.
- Who may ask for your BSN?
  Legally: government, employer, healthcare, tax authority, banks (anti-money-laundering), pension fund, schools. Almost never: webshop, landlord, sports club, association, hotel.
- UAVG + children
  The Netherlands uses 16 as the threshold for independent digital consent (UAVG Art. 5). Under 16, parental consent is mandatory. Stricter than many EU countries.
- Do-Not-Call Register
  Since 1 July 2021 the regime is opt-in rather than opt-out: cold calls require prior consent. The old register has been abolished.
- WBTR + associations
  Dutch Governance Act (since 1 July 2021): sharper director liability, including for GDPR violations. Associations must take privacy seriously.
- CCTV sign rules
  A sign must be visible at every camera. It must state that filming occurs, who is responsible, how to make contact, and the purpose. A reference to extended information (privacy statement) is required.
- Cookie wall — allowed?
  Only under strict conditions. EDPB 2024 guideline: the alternative must be truly equivalent, the price proportionate, and there may be no exclusivity for the free route.
- Meta Pixel fines
  The Meta Pixel (Facebook tracking snippet) shares user data with Meta. Without valid consent and a DPA, this breaches the GDPR and the Schrems II ruling. AP fines 2023-2025.
- Consent Mode v2
  Google's framework for passing consent to Analytics and Ads. Mandatory for EU traffic since March 2024. If misconfigured: GDPR fine and data loss.
- PGB + GDPR
  With a Personal Care Budget (PGB), you yourself are the controller for your care providers. Administration, breaches, and data subject rights are your responsibility.