Compliance Glossary
All key terms from data protection, information security, whistleblower protection and sustainability – clearly explained.
The obligation of the controller to not only comply with all GDPR principles, but to be able to actively demonstrate that compliance — Art. 5(2) GDPR.
A report submitted without disclosing the reporter's identity, so that neither the reporting channel nor the affected organisation can identify the
A systematic, independent examination to determine whether processes and measures comply with defined requirements.
A comprehensive information security framework developed by Germany's Federal Office for Information Security (BSI) for systematic IT protection.
A management process that ensures an organization can continue delivering critical services during and after disruptive incidents.
The total amount of greenhouse gas emissions caused directly and indirectly, often broken down into Scope 1, 2, and 3.
A 12-step information security model designed as an accessible entry point for smaller organizations, particularly municipalities and SMEs.
A systematic approach to ensuring that an organisation adheres to legal, regulatory, and internal requirements.
A freely given, specific, informed, and unambiguous indication of a data subject's wishes, as defined in Art. 4(11) GDPR; the conditions for valid consent (demonstrability, withdrawal at any time) are set out in Art. 7 GDPR.
The EU directive 2022/2464 that introduces expanded sustainability reporting requirements for companies above certain thresholds.
A breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of personal data, reportable to
A systematic plan for the timely deletion of personal data once the purpose for which it was collected has ceased to apply, as required by Art. 17
A contractual arrangement required by Art. 28 GDPR whenever a service provider processes personal data on behalf of a controller.
The totality of measures taken to comply with data protection legal requirements, in particular the GDPR.
A structured risk analysis required by Art. 35 GDPR before processing activities that are likely to result in a high risk to the rights of data
The person designated under Art. 37 GDPR to oversee data protection compliance within an organisation.
The rights of natural persons to access, rectify, erase, restrict, port, and object to the processing of their personal data under Art. 15–21 GDPR.
EU Regulation 2022/2554 establishing ICT risk management, incident reporting, and resilience testing requirements for the financial sector.
The analysis of both how sustainability topics affect the company and how the company's activities affect the environment and society.
The framework for evaluating companies based on environmental, social, and governance criteria.
The standards developed by EFRAG that CSRD-obligated companies must use to prepare their sustainability reports.
The EU classification system for defining environmentally sustainable economic activities.
Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law, which all EU member states were required to transpose by 17
The German law on human rights and environmental due diligence obligations in global supply chains.
The integrated approach to managing corporate governance, risk management, and compliance adherence.
The world's most widely used sustainability reporting framework, developed by the Global Reporting Initiative.
The designated function that organisations with 50 or more employees must establish under the HinSchG to receive and handle reports of wrongdoing.
A systematic framework of policies, processes, and controls for managing an organization's information security risks.
The international standard specifying requirements for establishing, implementing, maintaining, and continually improving an ISMS.
Exists when two or more controllers jointly determine the purposes and means of processing personal data, as defined in Art. 26 GDPR.
The ability of software to manage multiple legally separate organisations (tenants) within a single system with strict data separation.
EU Directive 2022/2555 strengthening cybersecurity requirements for essential and important entities across the European Union.
The process of determining whether an organization qualifies as an essential or important entity under the NIS 2 Directive.
The obligation of affected entities to notify the competent authority or CSIRT of significant security incidents in stages: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month.
An external, impartial trusted intermediary – often a lawyer – who serves as a confidential point of contact for whistleblowers and is bound by strict
Any information relating to an identified or identifiable natural person, as defined in Art. 4(1) GDPR.
The legal prohibition on taking adverse measures – such as dismissal or demotion – against whistleblowers as a consequence of their report.
The mandatory register of all processing activities that controllers (and, for their own activities, processors) must maintain under Art. 30 GDPR; the exemption in Art. 30(5) for organisations with fewer than 250 employees is narrow and does not apply where processing is non-occasional, risky, or involves special categories of data.
The systematic process of identifying, analyzing, and evaluating risks to an organization's information security.
A cloud-based delivery model in which software is accessed and used over the internet as a service.
The classification of greenhouse gas emissions into direct (Scope 1), energy-related indirect (Scope 2), and other indirect (Scope 3).
An event that compromises or threatens the confidentiality, integrity, or availability of information or information systems.
A mandatory ISO 27001 document that lists all Annex A controls, states which are applicable, and explains why others are excluded.
The mandatory feedback that organisations must provide to a whistleblower within three months of acknowledging their report, informing them of any
Security safeguards that controllers and processors must implement under Art. 32 GDPR to ensure a level of protection appropriate to the risk.
The transfer of personal data to countries outside the EEA, which requires specific safeguards under Art. 44–49 GDPR.
The German automotive industry's information security assessment catalogue, audited through the TISAX scheme managed by the ENX Association.
The German law protecting whistleblowers, transposing EU Whistleblower Directive 2019/1937 into national law.
A technical system enabling the secure and, where applicable, anonymous submission of reports about legal violations.
The act of reporting misconduct, legal violations, or unethical behaviour within an organisation to a responsible authority.