Privacy term glossary.
Plain-English definitions with regulatory context. Useful when an auditor uses an acronym without explaining it, or when you need to translate compliance-speak for an engineering team.
C
- Controller: The entity that determines the purposes and means of processing personal data (GDPR Article 4(7)). The controller is the party legally accountable for the processing, including for the conduct of any processors it engages.
- Cross-Border Transfer: Movement of personal data out of the jurisdiction in which it is protected, for example from the EEA to a third country. Under GDPR Chapter V such a transfer is permitted only on the basis of an adequacy decision, appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules, or one of the narrow derogations in Article 49. Remote access from outside the jurisdiction is generally treated as a transfer even when the data stays on servers inside it.
D
- Data Minimization: The principle (GDPR Article 5(1)(c)) that personal data collected and processed should be adequate, relevant and limited to what is necessary for the stated purpose.
- Data Processing Agreement (DPA): A contract between a data controller and a data processor, required by GDPR Article 28(3), governing how the processor handles personal data on the controller's behalf: the subject matter and duration of the processing, the processor's obligations, security measures, use of subprocessors, and return or deletion of the data at the end of the engagement.
- Data Protection Impact Assessment (DPIA): A documented analysis of the risks a high-risk processing activity poses to data subjects and of the measures taken to mitigate them, required under GDPR Article 35 before the processing begins (for example for large-scale processing of special categories of data or systematic monitoring of publicly accessible areas).
- Data Protection Officer (DPO): An independent role with responsibility for advising on, and monitoring compliance with, GDPR within an organisation (Articles 37 to 39). Mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data.
- Data Residency: A requirement that personal data be stored or processed within a specified geographic boundary. Usually a contractual or sector-specific obligation rather than a GDPR term; keeping data in-region does not by itself satisfy transfer rules if the data can be accessed from outside the region.
- Data Subject: The identified or identifiable natural person whose personal data is being processed (GDPR Article 4(1)).
- Data Subject Access Request (DSAR): A request from a data subject to a controller, under GDPR Article 15, for confirmation of whether their personal data is being processed and, if so, access to that data and to information such as the purposes, recipients and retention period. The controller must normally respond within one month, extendable by two further months for complex or numerous requests.
L
- Lawful Basis: One of six legal grounds under GDPR Article 6(1) (consent, contract, legal obligation, vital interests, public task, legitimate interests), at least one of which must apply for any processing of personal data to be lawful. The basis should be chosen and recorded before processing starts, since switching to a different basis later is restricted.
- Legitimate Interests: A lawful basis under GDPR Article 6(1)(f) allowing processing necessary for the legitimate interests of the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject. Relying on it requires a documented balancing test (often called a legitimate interests assessment), and it is not available to public authorities for processing carried out in the performance of their tasks.
R
- Retention Period: The defined period for which personal data is kept before being deleted or anonymised, set by reference to the purpose of processing, as required by the storage limitation principle in GDPR Article 5(1)(e). Retention schedules should be enforced in systems (including backups and logs), not only stated in policy.
- Records of Processing Activities (RoPA): An internal inventory of all processing activities a controller or processor carries out, required under GDPR Article 30 and to be made available to the supervisory authority on request. Organisations with fewer than 250 employees are exempt unless the processing is likely to result in a risk to data subjects, is not occasional, or involves special categories of data or criminal conviction data.
S
- Special Categories of Personal Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, together with genetic data, biometric data processed to uniquely identify a person, health data, and data concerning sex life or sexual orientation. GDPR Article 9 prohibits processing these by default, subject to the limited exceptions in Article 9(2) (for example explicit consent, or processing necessary for healthcare). Criminal conviction and offence data is handled separately under Article 10.
- Standard Contractual Clauses (SCCs): European Commission-approved model contract clauses, adopted by the parties without modification, used to legitimise transfers of personal data outside the EEA as an appropriate safeguard under GDPR Article 46. Since the Schrems II judgment, exporters are expected to carry out a transfer impact assessment of the destination country's law and apply supplementary measures where the clauses alone cannot ensure equivalent protection.
- Subprocessor: A third party engaged by a processor to carry out specific processing activities on behalf of the controller. Under GDPR Article 28(2) and 28(4) the processor needs the controller's prior written authorisation (specific or general, with a right to object to changes), must flow down the same data-protection obligations to the subprocessor in writing, and remains fully liable to the controller for the subprocessor's performance.