European Data Protection Supervisor
European Data Protection Supervisor

C

C

CCTV 

CCTV stands for "closed circuit television". It is a television system comprised of a camera or a set of cameras monitoring a specific protected area, with additional equipment used for viewing and/or storing the CCTV footage. The term itself originates from the fact that, as opposed to broadcast television, CCTV is usually a "closed" rather than "open" system with a limited number of viewers.

CCTV has been traditionally used for surveillance in specific locations with increased security needs such as banks, airports, military installations. In addition, in industrial plants, CCTV equipment has been used to remotely observe processes, for example, in hazardous environments. Increasing use of CCTV in public places has caused debate over public surveillance versus privacy.

See also: Video-surveillance

Cloud computing

Cloud computing is Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand. It is a "paradigm shift" following the shift from mainframe to client–server in the early 1980s. Cloud computing describes a new consumption and delivery model for IT services based on the Internet, and it typically involves the provision of dynamically scalable and often virtualised resources as a service over the Internet. It is a by-product and consequence of the ease-of-access to remote computing sites provided by the Internet.

Complaint 

According to Article 63(1) of Regulation (EU) 2018/1725, "every data subject shall have the right to lodge a complaint with the European Data Protection Supervisor if the data subject considers that the processing of personal data relating to him or her infringes this Regulation".

Article 68 of the Regulation also provides that "Any person employed by a Union institution or body may lodge a complaint with the European Data Protection Supervisor regarding an alleged infringement of the provisions of this Regulation, including without acting through official channels."

Anyone who believes that an EU institution or body violates his/her rights with regard to the processing of personal data may file a complaint with the European Data Protection Supervisor (EDPS). A staff member of an EU institution or body may also lodge a complaint with the EDPS even if he or she is not directly concerned by the violation.

In general, complainants are recommended to turn to the EDPS only after having contacted the controller and/or the Data protection officer of the institution or body concerned. However, complaints can also be lodged directly with the EDPS if this is deemed necessary.

Complaints to the EDPS must be in writing, either on paper or electronically, in principle using the complaint submission form available on the EDPS website. This form can be completed and sent electronically. Alternatively, it can be sent by fax or post including all relevant information as well as any supporting evidence.

If a complaint is found admissible, the EDPS will conduct an inquiry if he finds this appropriate. If the case is not resolved satisfactorily during the course of his inquiry, the EDPS will try to find a friendly solution which satisfies the complainant. If the attempt at conciliation fails, the EDPS may order the rectification, restriction of processing, erasure or destruction of data or even impose a ban on a particular data processing.

The EDPS is not competent to deal with issues involving national authorities or private entities in the EU countries, and has no power to compensate the person concerned by the violation of data protection rules.

In order to ensure the consistent treatment of complaints concerning data protection and to avoid unnecessary duplication, the European Ombudsman and the EDPS have signed a Memorandum of Understanding (pdf). It stipulates, among other things, that a complaint that has already been brought forward should not be reopened by the other institution unless significant new evidence is submitted.

Confidentiality 

Confidentiality in a general sense refers to the duty not to share information with persons who are not qualified to receive that information (see Article 5(f) of Regulation (EU) 2016/679 and Article 4(f) of Regulation (EU) 2018/1725). In a more specific sense, it refers to the confidentiality of communications provided for in Article 5 of the E-privacy Directive 2009/136/EC and in Article 36 of Regulation (EU) 2018/1725.

Consent 

In data protection terminology, consent refers to any freely given, specific and informed indication of the wishes of a data subject, by which he/she agrees to personal data relating to him/her being processed (see Article 4 sub 11 of Regulation (EU) 2016/679 and Article 3 sub 15 of Regulation (EU) 2018/1725).

Consent is an important element in data protection legislation, as it is one of the conditions that can legitimise processing of personal data. If it is relied upon, the data subject must unambiguously have given his/ her consent to a specific processing operation, of which he/she shall have been properly informed. The obtained consent can only be used for the specific processing operation for which it was collected, and may in principle be withdrawn without retroactive effect.

See also: Q&A on Consent

Controller 

See Data controller

Convention 108 (Council of Europe) 

Convention 108 refers to the Convention for the Protection of Individuals with regard to automatic processing of personal data which was adopted by the Council of Europe in 1981.

This Convention is the first legally binding international instrument adopted in the field of data protection.

It sets out minimum standards aimed at protecting the individuals against abuses which may accompany the collection and processing of personal data. It also seeks to regulate the transborder flow of personal data.

A total of 40 European states have ratified the Convention so far.

Cookies

Short text files stored on the user’s device by a web site.  Cookies are normally used to provide a more personalised experience and to remember user profile without the need of a specific login. Also it can be placed by third parties (such as an advertising network) in end users´ devices and maybe be used to track users when surfing across different websites associated to that third party.

See also E-privacy Directive 2009/136/EC.