Glossary

214 definitions sourced from tracked regulators, courts and standards bodies. Every entry cites the primary source the term came from — no dictionary filler. Filter by domain, jurisdiction, or tag your personal set.

214 definitions · 41 jurisdictions sourced
A · 18 terms

Accountability

GDPR Art. 5(2)
Privacy · EU

The controller's obligation to demonstrate compliance with the data-protection principles in Article 5(1), and to hold records, documentation, and governance capable of evidencing that compliance on demand to a supervisory authority.

Source Regulation (EU) 2016/679, Art. 5(2) · Also cited by EDPB Guidelines 07/2020

Adequacy decision

GDPR Art. 45
Privacy · EU

A decision by the European Commission that a third country (or territory, sector, or international organisation) ensures an adequate level of protection for personal data. Once adopted, transfers to that destination require no further authorisation under Chapter V.

Source Regulation (EU) 2016/679, Art. 45 · Current list 15 countries + UK GDPR parallel

AI system

EU AI Act Art. 3(1)
AI · EU

A machine-based system designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments.

Source Regulation (EU) 2024/1689, Art. 3(1) · Aligned with OECD Recommendation C(2019)142

Automated decision-making

ADM · GDPR Art. 22
Privacy · AI · EU

A decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects the data subject. Article 22 prohibits such decisions by default, subject to enumerated exceptions (contract performance, consent, or authorised by law).

Source Regulation (EU) 2016/679, Art. 22 · California cognate ADMT (CPPA draft regs)
B · 9 terms

Binding corporate rules

BCRs · GDPR Art. 47
Privacy · EU

Internal rules for data transfers within multinational companies, approved by the competent supervisory authority, providing appropriate safeguards for onward transfers of personal data to group members in third countries.

Source Regulation (EU) 2016/679, Art. 47

Biometric data

GDPR Art. 4(14)
Privacy · EU

Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

Source Regulation (EU) 2016/679, Art. 4(14) · Special category Art. 9(1)
C · 24 terms

Controller

GDPR Art. 4(7)
Privacy · EU

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where determined by Union or Member State law, the controller (or the specific criteria for its nomination) may be provided for by law.

Source Regulation (EU) 2016/679, Art. 4(7) · Test factual not contractual

Critical infrastructure

NIS2 · Art. 2
Cyber · EU

Essential and important entities in sectors including energy, transport, banking, health, drinking water, digital infrastructure, public administration, and space, whose disruption would significantly impact the Union's economy or the functioning of its society. NIS2 imposes risk-management, incident-reporting and governance obligations on these entities.

Source Directive (EU) 2022/2555, Arts. 2–3 + Annexes I–II
D · 19 terms

Data protection impact assessment

DPIA · GDPR Art. 35
Privacy · EU

A systematic assessment of the risks to rights and freedoms of natural persons arising from envisaged processing, particularly when using new technologies. Mandatory where processing is likely to result in a high risk (Art. 35(1)); the controller must consult the supervisory authority prior to processing if residual risks remain high (Art. 36).

Source Regulation (EU) 2016/679, Art. 35 · WP29/EDPB list WP248 rev.01

Deep-fake

AI Act Art. 50(4)
AI · EU

AI-generated or manipulated image, audio or video content that resembles existing persons, objects, places, entities or events and would falsely appear to a person to be authentic or truthful. Deployers must disclose that content is artificially generated (Art. 50(4)), subject to artistic, satirical and law-enforcement exceptions.

Source Regulation (EU) 2024/1689, Art. 3(60), 50(4)
F · 8 terms

Foundation model

GPAI · AI Act Art. 3(63)
AI · EU

A general-purpose AI model trained on a broad dataset using self-supervision at scale and designed for generality of output, capable of being integrated into a variety of downstream systems or applications. Providers of GPAI models with systemic risk are subject to Chapter V obligations including model-evaluation, risk mitigation, and incident reporting.

Source Regulation (EU) 2024/1689, Art. 3(63)–(66)
H · 5 terms

High-risk AI system

AI Act Chapter III
AI · EU

AI systems identified as high-risk under Article 6, in either of two routes: (a) embedded in products under EU harmonising legislation listed in Annex I; or (b) systems falling within the use-cases in Annex III (biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, administration of justice, democratic process). Subject to risk-management, data-governance, documentation, transparency, human-oversight, accuracy-robustness-cybersecurity obligations.

Source Regulation (EU) 2024/1689, Arts. 6, 8–15
L · 7 terms

Legitimate interests

LIA · GDPR Art. 6(1)(f)
Privacy · EU

A lawful basis for processing where necessary for the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. Requires a documented balancing test (LIA).

Source Regulation (EU) 2016/679, Art. 6(1)(f) · Guidance EDPB 01/2024
P · 16 terms

Processor

GDPR Art. 4(8)
Privacy · EU

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Bound by Art. 28 written instructions and a controller-processor contract.

Source Regulation (EU) 2016/679, Art. 4(8)

Prompt injection

OWASP LLM01:2025
Cyber · AI

An attack against an LLM-backed application where a crafted input causes the model to deviate from operator-intended instructions, either directly (attacker enters prompt) or indirectly (poisoned content in retrieved context). Mitigations include instruction isolation, input filtering, and privilege separation for tool-calling.

Source OWASP Top 10 for LLM Applications (2025 edition)
R · 11 terms

Risk management system

AI Act Art. 9
AI · EU

A continuous iterative process planned and run throughout the lifecycle of a high-risk AI system. Must identify and analyse known and reasonably foreseeable risks, estimate risks arising from intended use and reasonably foreseeable misuse, evaluate risks from post-market monitoring, and adopt targeted mitigation measures.

Source Regulation (EU) 2024/1689, Art. 9
S · 14 terms

Supervisory authority

SA · GDPR Art. 4(21)
Privacy · EU

An independent public authority established by a Member State with the competence to monitor the application of the GDPR on the territory of that Member State. Cooperates under the one-stop-shop, consistency and mutual-assistance mechanisms (Arts. 56–67).

Source Regulation (EU) 2016/679, Art. 4(21) · Board EDPB (Art. 68)
T · 8 terms

Transparency obligations (AI Act)

AI Act Art. 50
AI · EU

Disclosure requirements for providers and deployers of certain AI systems: users must be informed when interacting with an AI system (Art. 50(1)), synthetic outputs must be machine-detectable (Art. 50(2)), deep-fakes must be disclosed (Art. 50(4)), and emotion-recognition or biometric-categorisation systems must notify affected persons (Art. 50(3)).

Source Regulation (EU) 2024/1689, Art. 50

Showing 18 of 214 definitions · A–T letters loaded