Data Breach Jargon Buster
Don’t get lost in legal speak
At National Data Compliance, our expert data breach lawyers understand that making a data breach compensation claim can seem difficult. And not knowing what to expect can be stressful.
To protect you from any unnecessary worry, we make sure you are fully informed at every step of the process.
To help with this, our handy data breach jargon buster explains some of the key legal phrases and terminology you might come across when making a claim.
DATA PRIVACY GLOSSARY
Adequacy Decision: this refers to a country based outside the EU that is deemed to have sufficient laws and protections, such that it would be treated as being within the EU legislative framework for the purposes of the GDPR. Countries with an adequacy decision are Andorra, Argentina, Canada, Faroe Island, Japan, Uruguay, Israel, Guernsey, Jersey, Isle of Man, New Zealand, Switzerland.
Article 6 GDPR – this details all the lawful grounds companies are allowed to process personal data. The ones you need to be concerned about are (i) Consent (ii) Legitimate Purposes (i.e the provision of a service).
Binding Corporate Rules: a set of binding rules put in place to allow multinational companies and organisations to transfer personal data that they control from the EU to their affiliates outside the EU (but within the organisation).
Biometric data: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
Consent: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. NDC DOES NOT USE CONSENT OF ITS DATA SUBJECTS – WE RELY ON LEGITEMATE PURPOSE.
Data controller: is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by the Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data subject: a natural person whose personal data is processed by a data controller or processor.
Data Transfer: This will refer to a transfer of Personal Data outside the EU. If Personal Data is being transferred outside the EU it can be done one of the following ways (i) a company implements binding corporate rules (as above) (ii) the company registers for Privacy Shield – but this only works for US transfers (iii) sign Model Clauses (iv) have consent of the Data Subject.
Genetic data: personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
GDPR General Data Protection Regulations -EU Regulation No regulation 2016/679
Model Clauses: This refers to a contract prescribed by EU law. It is in a set form and cannot be amended – it allows a data controller to transfer personal data to either another data controller or a data processor based outside the EU.
Personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Privacy impact assessment: a process designed to help organisations identify and mitigate privacy risks associated with proposed data processing activities. For further information, see the University’s Privacy Impact Assessment guidance.
Principles: the fundamental principles imbedded within the GDPR which set out the main responsibilities for organisations.
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Restriction on processing: the marking of stored personal data with the aim of limiting their processing in the future.
Right of access: entitles the data subjects to have access to have access to and information about the personal data being processed by the data controller.
Special categories of personal data: personal data revealing a data subjects racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership or the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Subject Access Request (often referred to as SAR or D SAR) – Where a data subject demands that data controller or processor (normally a company or employer) delivers up all the personal data they hold on that data subject.
Common legal phrases and terminology
After the Event (ATE) Insurance
If your claim is not successful, you will be responsible for a share of the Defendant’s costs. These costs will have been incurred in defending the claim. When we take out ATE Insurance on your behalf, we protect you from having to pay these costs and expenses if you lose your case.
Claimant
The person making the claim.
Conditional Fee Agreement (CFA)
A CFA is also known as a No-Win, No-Fee agreement between you and your solicitor. It states that you won’t have to pay a penny if your claim is unsuccessful.
Data Protection Breach
A data protection breach refers to any situation where personal data has been wrongly accessed, altered, disclosed, destroyed, or lost. A data protection breach can occur because of hackers and other cybercriminals, or by human error, negligence and poor security processes.
Data Protection Hack
A data protection hack is caused by people with malicious intent who break into a company’s systems to steal information.
Defendant
The organisation that has breached your data and who you are claiming against.Disbursements
A payment we make on your behalf to a third party.
Evidence
It’s essential to get as much evidence as possible in data breach cases. This includes things like:
- Bank and credit card statements
- Correspondence (letters, emails, etc.) with banks, credit card providers, credit reference agencies, etc.
- Credit score reports (with dates of any dips)
- Details about medical appointments/prescriptions that relate to this data breach
- Anything else that may be relevant to support your claim.
National Data Claims asks for evidence throughout the claims process. And, we have a handy and secure online form to allow you to upload evidence quickly and easily.
Further Information Form
A legal document that asks for specific information about the data breach incident you were involved in. For example, it might ask about any bookings/purchases you made with a defendant and details of the card you used to do this.
Group Action
A group action claim is where a group of people – sometimes even thousands of people – have been affected by the same issue. Group action cases are also known as class actions or multi-party actions.
With a group action claim, the claimants collectively bring their cases to court against a defendant. These victims then fight together to achieve compensation in the High Court of Justice.
Where cases are very similar, group actions can be a powerful tool and can have a bigger impact than a single claim.
Group Litigation Order (GLO)
An order of the court in England and Wales, a GLO allows people who have suffered common or related issues to have their cases managed collectively via a group action.
Group Register
The group register is a large database of everyone seeking to claim against the defendant.
Letter of Claim
A Letter of Claim lets the defendant know that we plan to start proceedings against them on your behalf.
Information Commissioner’s Office (ICO)
An independent authority, set up to uphold information rights in the public interest, and to promote openness by public bodies and data privacy rights. While the ICO does not award compensation, it does have the power to impose hefty fines on organisations in breach of their duties.
Impact Form
A legal document that asks how the breach has affected you. This could include things such as spam/nuisance phone calls and emails, cancelled cards, financial loss and emotional distress. You can fill in our Impact Form online.
Litigation Management Agreement
A legal agreement between you, your solicitors, and all the other claimants in the group action. It establishes how the case will be managed in the most cost-effective and least troublesome way to you.
N1 Claim Form
A two-page court document. It briefly outlines your claim against the defendant.
No-Win, No-Fee
Also known as a CFA, a no-win, no-fee agreement is a contract between you and your solicitor. It states that you won’t have to pay a penny if your claim is unsuccessful.
Part 36 Offer
A Part 36 Offer is an offer of settlement. It can be made by either the claimant or the defendant. A Part 36 Offer aims to settle a claim early without the matter having to go to court.
Particulars of Claim
The Particulars include all the necessary details and background information the court needs from us to make a data breach compensation claim. This document also sets out what we hope to achieve on your behalf. A Particulars of Claim is needed only if court proceedings are necessary.
Representative Action
A representative action is a type of group action. Representative actions are launched when a group of people are affected by the same issue and have experienced the same level of harm.
Schedule 2 Form
The Schedule 2 form asks you about any financial losses, distress, and/or inconvenience you have suffered as a result of the data breach. Sometimes this means providing information that you have already supplied to us. We appreciate that this is frustrating, but the impact of a data breach isn’t always immediately apparent. So, it’s vital that we regularly assess the level of loss and upset you have suffered to ensure you receive the maximum compensation possible.
Statement of Truth
A Statement of Truth is a statement that confirms that the facts stated in a document are true. For example, we often ask you to sign a Statement of Truth to verify that a defendant has advised you that you were involved in the data breach incident.
Signing a Statement of Truth which you know contains false evidence can negatively impact the success of your claim. Contempt of court proceedings may also be brought against you if you have provided statements that you do not believe to be true. So, before you sign a Statement of Truth, you should verify this to be correct.
Success Fee
If your claim is successful, we will charge a success fee. This fee covers the costs we have incurred in representing you in your case. At Keller Lenkner UK, our success fee is capped at 25% of any compensation you receive. So, you will always receive 75% of any compensation awarded.
