Data Protection Glossary

Data protection terminology can be complicated and change across regulations, frameworks, and jurisdictions. This data protection glossary provides concise, practical definitions of important data protection terms used in international regulations, standards, and best practices.

A

A core GDPR principle intended to ensure that controllers are responsible for demonstrating compliance with data protection principles in practice. Accountability requires that organisations put in place internal mechanisms and control systems that ensure compliance and provide evidence, such as audit reports, documentation, and records, to demonstrate compliance to regulators and data subjects.

An adequacy decision is a determination by the European Commission that a non-EU country or international organisation provides a level of data protection essentially equivalent to the EU’s. Adequacy decisions allow personal data to flow to that country without additional safeguards such as Standard Contractual Clauses, and the European Commission reviews them periodically and can withdraw them if protections weaken.

The AI Office is the European Commission body responsible for overseeing and enforcing the EU AI Act, particularly for general-purpose AI models and cross-border coordination. The AI Office supports national authorities, issues guidance, investigates non-compliance, and can impose penalties on providers of general-purpose AI models that breach their obligations, working alongside the EU AI Representative as the point of contact for non-EU providers.

The irreversible removal or transformation of personal data so that individuals can no longer be identified, either directly or indirectly. True anonymisation permanently breaks the link between data and identity, meaning the data falls outside the scope of data protection regulations. Achieving genuine anonymisation is technically challenging and requires consideration of all reasonably available re-identification methods.

Automated decision-making is a decision about a data subject made solely by automated means, without meaningful human involvement, that produces legal or similarly significant effects. Under Article 22 GDPR, individuals have the right not to be subject to purely automated decisions in most circumstances, and organisations relying on limited exceptions such as consent must still provide a way to obtain human review and contest the outcome, particularly where the decision involves profiling.

B

Internal data protection policies adopted by international organisations or multinational groups that enable legitimate transfers of personal data between different entities within the same corporate group. Binding Corporate Rules provide a legally binding framework that ensures consistent data protection standards across all group entities and require approval from data protection authorities.

Personal data resulting from specific technical processing of an individual’s physical, physiological, or behavioural characteristics, such as fingerprints, iris scans, facial recognition data, voice patterns, and DNA. Biometric data is typically treated as a special category of data requiring enhanced protection and specific legal justification for processing.

C

A United States privacy law was passed in California in 2018, granting California residents rights over their personal information, including the right to know what data is collected, the right to delete data, the right to opt out of data sales, and the right to non-discrimination. The CCPA applies to for-profit businesses that collect personal information from California residents and meet specific revenue or data volume thresholds.

Amendment and expansion of the CCPA, passed in California in 2020, added consumer rights, including the right to correct personal information, the right to limit the use of sensitive personal information, and rights related to automated decision-making. The CPRA established the California Privacy Protection Agency to enforce privacy law and impose penalties for violations.

A formal submission to a data protection authority or supervisory authority by an individual alleging that an organisation has violated their data protection rights. Data protection authorities have the power to investigate complaints and enforce compliance through investigations, orders, and penalties.

A GDPR principle that requires personal data be protected against unauthorised or accidental access, disclosure, or misuse. Confidentiality ensures that only authorised individuals can access personal data, requiring organisations to implement technical and organisational safeguards throughout the data lifecycle.

A conformity assessment is the process used to verify that a high-risk AI system meets the requirements of the EU AI Act before it is placed on the market. Conformity assessments can be carried out internally by the provider or externally by a notified body, depending on the AI system’s category, and result in a CE marking and an EU declaration of conformity.

The organisation or individual that determines the purposes, means, and methods of personal data processing. Controllers bear primary responsibility for compliance and must ensure that all data protection principles are met, including lawfulness, transparency, security, and individuals’ rights.

D

An incident where personal data is accessed, used, or disclosed without authorisation, or is accidentally or unlawfully destroyed, lost, or altered. Organisations must assess breaches and notify relevant parties. If a breach is likely to result in risk to individual rights, authorities and affected individuals must be notified.

The principle requires that only personal data that is adequate, relevant, and necessary for specific purposes should be collected and processed. Data minimisation prevents excessive data collection and reduces privacy risks by limiting the amount of personal information an organisation holds.

A written contract between a data controller and a data processor specifying the nature, scope, and purpose of processing, security obligations, data subject rights, and confidentiality requirements. Data Processing Agreements are legally required when a controller engages a processor to handle personal data on its behalf.

An independent public body (also called a supervisory authority) responsible for monitoring compliance with data protection law, investigating complaints, and protecting individual rights. Data Protection Authorities have investigative and enforcement powers, including issuing guidance, conducting audits, and imposing penalties.

Data protection by design and by default is a GDPR obligation requiring organisations to build data protection safeguards into systems from the outset and to ensure that, by default, only personal data necessary for a specific purpose is processed. Article 25 GDPR applies this to both technical system design and default user settings, and it works alongside Privacy by Design and Data Minimisation as core accountability principles.

A structured analysis is required when an organisation plans processing activities that pose a high risk to individual rights and freedoms. Data Protection Impact Assessments identify potential risks, evaluate their likelihood and severity, and document measures implemented to mitigate them. They demonstrate accountability and help organisations build privacy protections from project inception.

An independent expert appointed by organisations to oversee data protection compliance and act as a liaison with data protection authorities. Data Protection Officers monitor compliance, maintain processing records, handle individual requests, and provide advice on data protection obligations. In many jurisdictions, public authorities and organisations that process large volumes of data must appoint a Data Protection Officer.

The time period for which organisations may keep personal data. Data protection frameworks require that personal data be kept only as long as necessary for the purposes for which it was collected. Organisations must establish and document retention schedules and securely delete or anonymise data once the retention period expires.

A data sharing agreement is a contract between two or more controllers setting out the purpose, scope, and terms under which personal data will be shared between them. Unlike a Data Processing Agreement, a data sharing agreement governs sharing between independent controllers, including joint controllers, and typically covers security, retention, and how data subject requests will be handled by each party.

Any identified or identifiable natural person to whom personal data relates. Data subjects have specific rights under data protection laws, including the right to access their data, rectify inaccurate information, object to processing, and request deletion. Organisations must recognise and respect data subjects’ rights throughout their data-handling practices.

A formal request from an individual to an organisation regarding their personal data. Data subject requests include access, rectification, deletion, objection, and portability requests. Organisations must have procedures for receiving, verifying, and responding to data subject requests within the legally specified timeframes.

The movement of personal data across borders, particularly outside the jurisdiction where it was collected. Data transfers to countries without adequate data protection frameworks require legal mechanisms such as Standard Contractual Clauses, Binding Corporate Rules, or adequacy decisions to ensure data remains adequately protected.

The Digital Services Act is an EU regulation (2022/2065) that sets rules for online platforms, marketplaces, and intermediary services covering content moderation, transparency, and user safety. The DSA intersects with data protection law around targeted advertising and recommender system profiling, with stricter obligations for very large online platforms and search engines. 

Direct marketing is the communication of advertising material to specific individuals by post, phone, email, or other electronic means. It’s regulated both under GDPR’s lawful basis requirements and under specific ePrivacy rules such as PECR, which generally require prior consent for electronic marketing and always require a working right to object. 

E

EU law (2009/136/EC) complements data protection regulations by addressing the confidentiality of electronic communications and regulating the use of cookies. The ePrivacy Directive requires consent before storing information on users’ devices and restricts the use of personal data for electronic marketing.

The European Data Protection Board (EDPB) represents all EU Member States’ data protection authorities and is responsible for ensuring consistent application of data protection law across the EU. The EDPB issues guidelines and opinions that provide authoritative interpretation of data protection requirements. The European Data Protection Supervisor (EDPS) oversees data protection compliance within EU institutions.

The right of individuals to request that organisations delete their personal data. Also known as the “right to be forgotten,” this right applies when data is no longer necessary for its original purpose, when the individual withdraws consent, when the individual objects to processing, or when data was processed unlawfully. Exceptions exist for legal obligations and other legitimate purposes.

EU regulation (2024/1689) establishing a comprehensive legal framework for artificial intelligence systems used in the EU. The AI Act categorises AI systems by risk level and imposes requirements for high-risk AI systems, including documentation, transparency, human oversight, and impact assessments. The regulation addresses AI-specific risks to fundamental rights and freedoms, including privacy. Prohibited AI practices became effective February 2, 2025, while broader high-risk requirements apply from August 2026 onwards.

An EU AI Representative is a local point of contact in the EU appointed by providers of high-risk AI systems that have no EU establishment. Required under Article 54 of the EU AI Act, the role mirrors the EU Representative requirement under GDPR Article 27: it handles communications with the AI Office and national market surveillance authorities and keeps required technical documentation available for inspection. 

An EU Representative is a local point of contact in the European Union appointed by a controller or processor with no EU establishment that processes the personal data of people in the EU. Required under Article 27 GDPR, the EU Representative handles correspondence with Data Protection Authorities and data subjects and holds a copy of the organisation’s Records of Processing Activity, though appointing one does not reduce the controller’s own legal liability.

F

A Fundamental Rights Impact Assessment is a mandatory evaluation certain deployers of high-risk AI systems must carry out under the EU AI Act to identify risks the system poses to individuals’ fundamental rights. An FRIA covers how the system will be used, who is likely to be affected, and what safeguards and human oversight measures are in place, playing a similar role to a Data Protection Impact Assessment but focused on the AI Act rather than GDPR.

G

The primary data protection regulation in the European Union, effective since 2018, governs the processing of personal data and protects the rights of EU data subjects. The GDPR applies to organisations that process the personal data of EU residents, regardless of where the organisation is located, and sets requirements for lawfulness, transparency, security, individual rights, and accountability.

A general-purpose AI model is an AI model trained on broad data at scale that can perform a wide range of tasks and be integrated into many different downstream applications. Under the EU AI Act, providers of general-purpose AI models face transparency obligations, and models classified as posing “systemic risk” face additional evaluation, testing, and incident-reporting requirements overseen by the AI Office. 

H

U.S. federal law protects the privacy and security of health information in the healthcare industry. HIPAA applies to covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates. It requires safeguards for protected health information, individual rights to access and amend health information, and notification requirements for breaches.

A high-risk AI system is an AI system that the EU AI Act classifies as posing a significant risk to health, safety, or fundamental rights, such as systems used in recruitment, credit scoring, law enforcement, or critical infrastructure. High-risk AI systems must complete a conformity assessment and a Fundamental Rights Impact Assessment before entering the market, alongside requirements for risk management, data governance, technical documentation, and human oversight.

I

International standard for information security management systems. ISO/IEC 27001 specifies requirements for establishing, implementing, maintaining, and improving an information security management system. Organisations can achieve certification by demonstrating compliance with the standard’s security controls and management requirements, which support data protection compliance.

An international standard providing guidelines and recommendations for information security management controls. ISO/IEC 27002 offers detailed guidance on implementing the controls required by ISO/IEC 27001, including specific measures for data protection, access control, encryption, incident management, and security awareness.

International standard extending ISO/IEC 27001 and 27002 specifically to address privacy management. ISO/IEC 27701 provides requirements and guidance for managing personal data through privacy information management systems (PIMS), supporting compliance with data protection regulations like GDPR, CCPA, LGPD, and similar frameworks. It helps organisations integrate privacy considerations into their broader information security programs and is the first international standard specifically for privacy information management.

J

Joint controllers are two or more controllers who jointly determine the purposes and means of processing the same personal data. Under Article 26 GDPR, joint controllers must set out their respective compliance responsibilities in a transparent arrangement, often formalised through a data sharing agreement, and individuals may exercise their rights against either party regardless of the internal arrangement. 

K

The GDPR is based on key principles including lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability.

L

The legal justification is required before processing any personal data. Data protection frameworks typically specify multiple lawful bases such as consent, contractual necessity, legal obligation, vital interests protection, public task performance, and legitimate interests. Every instance of personal data processing must fall under at least one lawful basis.

One of several lawful bases for processing personal data when the organisation or a third party pursues legitimate business interests that do not override individuals’ rights and freedoms. Processing under legitimate interests requires balancing organisational interests against individual privacy expectations and must be necessary and proportionate.

A Legitimate Interests Assessment is a documented test organisations complete before relying on legitimate interests as a lawful basis for processing personal data. An LIA involves a purpose test, a necessity test, and a balancing test against the individual’s rights, and keeping a record of the assessment supports the accountability principle if the basis is later challenged.

Brazil’s General Data Protection Law, effective since 2020, protects the rights of Brazilian data subjects and applies to organisations that process the personal data of Brazilian residents. The LGPD follows a similar structure to GDPR, requiring lawful bases for processing, individual rights, security measures, and accountability. It applies to the processing of personal data of individuals located in Brazil or carried out in Brazil.

N

A natural person is a living individual human being, as distinct from a legal person such as a company or organisation. Data protection law protects the personal data of natural persons specifically; deceased individuals and purely corporate information generally fall outside its scope.

The NIS2 Directive is an EU law (2022/2555) that strengthens cybersecurity requirements for organisations in critical and important sectors, replacing the original NIS Directive. NIS2 requires risk management measures and incident reporting, and increasingly overlaps with GDPR’s Confidentiality and Data Breach notification obligations for organisations subject to both regimes, and is often assessed alongside ISO/IEC 27001 certification. 

O

The right to object allows individuals to object to processing of their personal data carried out for direct marketing, legitimate interests, or public task purposes. Where someone objects to direct marketing, processing must stop immediately with no exceptions; for other bases, the controller must stop unless it can show compelling legitimate grounds that override the individual’s interests. 

P

PECR is the UK regulation implementing the E-Privacy Directive, governing electronic marketing, cookies, and similar tracking technologies. PECR works alongside the UK Data Protection Act 2018 and generally requires consent before storing information on a user’s device or sending electronic marketing.

Any information relating to an identified or identifiable natural person. The definition is broad and includes names, identification numbers, location data, online identifiers, email addresses, IP addresses, and any other information that directly or indirectly identifies someone or could identify them when combined with other data.

The Canadian federal privacy law governs how private-sector organisations collect, use, and disclose personal information. PIPEDA applies to for-profit businesses engaged in commercial activities and establishes individual rights, including access, accuracy, consent, and complaint mechanisms. Canadian provinces have enacted similar privacy legislation with substantially equivalent protections.

The right to data portability lets data subjects receive personal data they’ve provided to a controller in a structured, machine-readable format, and have it transmitted directly to another controller where feasible. It applies only where processing is based on consent or contract and carried out by automated means, unlike the Right of Access, which applies regardless of lawful basis.

A principle requiring that organisations integrate data protection considerations into technology, systems, and business processes from the earliest stages of development. Privacy by design embeds privacy protections into project foundations rather than retrofitting compliance after implementation.

An organisation or individual that processes personal data on behalf of a data controller. Processors must follow the controller’s instructions and implement appropriate security measures. Processors act under written contracts specifying the scope of processing and security obligations.

Profiling is the automated processing of personal data used to evaluate personal aspects of an individual, such as predicting their behaviour, preferences, health, or economic situation. Profiling is regulated more strictly where it forms part of automated decision-making that produces legal or similarly significant effects.

A prohibited AI practice is a use of AI the EU AI Act bans outright because the risk to individuals is considered unacceptable, such as social scoring by public authorities and AI that manipulates behaviour to cause harm. Prohibited practices became enforceable from 2 February 2025, well ahead of the broader high-risk AI system compliance deadlines.

The processing of personal data in a way that prevents direct identification without the use of additional information kept separately and secured. Unlike anonymisation, pseudonymisation is reversible; with access to linking information, individuals can be re-identified. Pseudonymised data remains personal data but presents reduced privacy risks.

R

A recipient is any natural or legal person, public authority, or other body to which personal data is disclosed, regardless of whether it’s a third party. The definition of recipient under GDPR is broad and includes other controllers and processors, distinguishing it from the narrower concept of a third party.

Documentation maintained by data controllers and processors detailing all personal data processing activities. ROPA must include information about processing purposes, categories of personal data processed, recipients of the data, retention periods, and technical and organisational security measures. ROPA serves as evidence of accountability and compliance with data protection obligations.

The right to restriction of processing lets data subjects limit how their personal data is used in specific situations, such as while its accuracy is disputed or while an objection is being considered. Where processing is restricted, data may still be stored but not otherwise processed without consent, except for legal claims.

The right of individuals to request and receive a copy of their personal data held by an organisation, along with information about how it is processed. Organisations must respond to access requests within specified timeframes, typically providing data in a commonly used electronic format.

The right of individuals to request correction of inaccurate personal data. Organisations must correct inaccurate information without undue delay and, where feasible, inform third parties who received the inaccurate data of the correction.

S

A broader category than “special category data,” sensitive personal information includes data that requires enhanced protection under data protection frameworks. Examples include health information, financial data, biometric data, behavioural data, genetic information, and social security numbers. Processing sensitive personal information typically requires explicit consent or other specific legal justifications.

Special category data is personal data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, biometric data used for identification, health data, or data about sex life or sexual orientation. Processing special category data is prohibited by default and requires both a standard lawful basis and a specific Article 9 condition, such as explicit consent — a narrower category than Sensitive Personal Information. 

Pre-approved contractual language authorising personal data transfers from one jurisdiction to another where data protection laws may differ. Standard Contractual Clauses provide a legal basis for international transfers when no adequacy decision exists, though organisations must conduct impact assessments to identify and mitigate country-specific risks.

A sub-processor is a third party engaged by a data processor to carry out processing activities on behalf of the controller. Under Article 28 GDPR, a processor must get the controller’s prior written authorisation before engaging a sub-processor, and remains fully liable to the controller for the sub-processor’s compliance with its data protection obligations. 

A formal request from an individual for a copy of their personal data and information about how the organisation processes it. Organisations must respond within specified timeframes, providing all personal data held about the individual along with processing details.

A Swiss Representative is a local point of contact in Switzerland appointed by a controller with no Swiss establishment that processes the personal data of people in Switzerland. Required under Article 14 of the Swiss FADP, the role is functionally equivalent to the EU Representative and UK Representative requirements, though it operates under Swiss law rather than EU law.

T

Any country outside the jurisdiction covered by a data protection framework (for example, outside the EU/EEA under GDPR). Transfers to third countries require legal mechanisms such as adequacy decisions, Standard Contractual Clauses, or Binding Corporate Rules to ensure adequate data protection.

Any individual or organisation other than the data subject, data controller, data processor, or employees authorised to process data under the controller’s authority. Third parties can be external recipients of data or independent controllers making their own processing decisions.

The principle requires that organisations provide individuals with clear, accessible information about how their personal data is collected, used, and protected. Transparency typically includes privacy notices and other disclosures, helping individuals understand data handling practices.

U

UK legislation implementing and supplementing GDPR requirements in the United Kingdom. The Data Protection Act 2018 defines UK-specific rules for data processing, establishes the role of the Information Commissioner’s Office (ICO), and extends data protection to areas not covered by GDPR, including law enforcement processing and national security. It applies to organisations that process the personal data of UK residents.

A UK Representative is a local point of contact in the UK appointed by a controller or processor with no UK establishment that processes the personal data of people in the UK. Required under the UK GDPR’s equivalent to Article 27, the requirement took effect from 1 January 2021 when the UK became a third country from the EU’s perspective, meaning most non-EU companies now need separate EU and UK Representatives rather than one combined appointment.

V

Systems that capture and store images or video footage containing personal data. Video surveillance must be lawful, necessary, and proportionate, and must include clear signage informing individuals that they are being monitored. Access must be restricted to authorised personnel, and retention must be limited to what is necessary.

Conclusion

This glossary provides a foundational understanding of essential data protection terminology across multiple jurisdictions and regulatory frameworks. For organisation-specific compliance guidance, consult your data protection authority, legal counsel, or a data protection professional who can contextualise these terms within your particular circumstances and jurisdiction.