Key Terms

Consent: the agreement of a data subject to share personal data. In order to satisfy GDPR, consent must be unambiguous (and in the case of sensitive personal data must be explicit, i.e. “opt-in”), and must be able to be withdrawn.

Data Controller: the entity that dictates the terms for processing data. With respect to PKP applications, this would be the editorial management team.

Data Processor: the entity that manages all processing of the data on behalf of the controller - typically the journal, conference or press manager in combination with any systems administrators and service providers.

Data Subject: a natural person whose personally identifying information may be tracked within a given system.

General Data Protection Regulation (GDPR): The EU’s new comprehensive set of regulations for the handling of personal data on the Internet by service providers. It goes live on May 25, 2018, and is pertinent to anyone who manages personally identifying information of EU citizens. The complete regulation is available here: https://www.eugdpr.org/. The GDPR defines the responsibilities that Data Controllers and Data Processors must adhere to with respect to the collection, processing, storage and destruction of any Personally Identifying Data that can identify a Data Subject.

Lawful Basis for Processing Personal Data: the basis by which a data controller must explain their ability to process data. The most common lawful basis is by consent.

Personally Identifying Information (PII), or Personal Data: any information that can potentially be used to identify a person, such as: their name(s); email address; mailing address; phone number; social network posts; or an IP address.

Publisher: For the purposes of this policy and document, publisher refers to those responsible for the scholarly publication, be it a journal, book or other artifact, and may, in the absence of a formal publisher, refer to the editor-in-chief or the editorial team behind a single independent journal.

Rights of the Individual (Data Subject): The GDPR mandates the following rights of the individual, which it refers to as the “data subject”:

  • the right to be informed;
  • the right of access;
  • the right to rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to data portability;
  • the right to object;
  • the right not to be subject to automated decision-making including profiling.

In order to adhere to the GDPR, people acting in the role of data controller, in conjunction with those serving as a data processor, must provide adequate means for individuals to assert these rights.