Privacy & Data Protection Glossary
Clear, jargon-free definitions for 120+ privacy and compliance terms — from GDPR and CCPA to cookies, consent, and data transfers. Bookmark this page as your go-to reference.
A
- Accountability
- A core GDPR principle (Article 5(2)) requiring controllers to not only comply with data protection principles but also to demonstrate compliance. This includes maintaining records of processing activities, conducting DPIAs, and implementing appropriate technical and organisational measures.
- Related: GDPR Principles, ROPA, DPIA
- Adequacy Decision
- A determination by the European Commission that a non-EU country provides an adequate level of data protection, allowing free data transfers to that country without additional safeguards. Examples include Japan, South Korea, the UK, and (via the Data Privacy Framework) the US.
- Related: SCCs, Data Transfer
- Age Verification
- Mechanisms used to verify a user's age before providing access to services or collecting their data. Under GDPR Article 8, children's consent for online services requires parental authorisation (age threshold varies by member state, 13-16 years). COPPA sets the threshold at 13 in the US.
- Related: COPPA, Consent
- Anonymisation
- The irreversible process of altering personal data so that an individual can no longer be identified, directly or indirectly. Truly anonymised data falls outside the scope of GDPR. Not to be confused with pseudonymisation.
- Related: Pseudonymisation, Personal Data
- Article 13 Notice
- The information a data controller must provide to individuals when their personal data is collected directly from them. Includes the controller's identity, purposes, legal basis, recipients, retention periods, and data subject rights.
- Related: Privacy Policy, Data Controller
- Article 14 Notice
- Similar to an Article 13 notice, but applies when personal data is obtained from a source other than the data subject. Must include the source of the data and the categories of data concerned.
- Related: Article 13 Notice, Data Controller
- Automated Decision-Making
- Processing performed entirely by automated means without human involvement that produces a decision with legal or similarly significant effects on an individual. Under GDPR Article 22, data subjects have the right not to be subject to purely automated decisions, with limited exceptions for contract necessity, legal authorisation, or explicit consent.
- Related: Profiling, DPIA
B
- BCRs (Binding Corporate Rules)
- Internal data protection policies adopted by multinational companies to allow transfers of personal data between entities within the same corporate group across international borders, including outside the EEA. Must be approved by a supervisory authority.
- Related: Data Transfer, SCCs
- Biometric Data
- Personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, such as facial images, fingerprint scans, iris patterns, or voice recognition data. Classified as special category data under GDPR Article 9 when used for identification purposes.
- Related: Special Category Data, Personal Data
- Breach Notification
- The obligation under GDPR Article 33 to notify the supervisory authority within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights. Article 34 requires notifying affected individuals if the breach poses a high risk.
- Related: Data Breach, Supervisory Authority
- Browser Fingerprinting
- A technique that collects information about a user's browser configuration (canvas, WebGL, fonts, plugins, screen size) to create a unique identifier for tracking purposes. GDPR Recital 30 classifies device fingerprints as personal data, and the ePrivacy Directive requires consent.
- Related: Cookies, Tracking, ePrivacy
C
- CCPA (California Consumer Privacy Act)
- A California state privacy law (effective January 2020, amended by CPRA in 2023) granting residents the right to know what personal information is collected, to delete it, to opt-out of its sale or sharing, and to non-discrimination. Applies to for-profit businesses meeting specific revenue, data volume, or revenue-from-data thresholds.
- Related: CPRA, Privacy Rights
- CNIL (Commission Nationale de l'Informatique et des Libertés)
- France's independent data protection authority responsible for enforcing GDPR, the French Data Protection Act, and ePrivacy rules. Known for high-profile fines against Google (€150M), Facebook (€60M), and Amazon (€35M) for cookie consent violations. Also publishes widely referenced compliance guidance.
- Related: Supervisory Authority, GDPR
- Compliance Audit
- A systematic review of an organisation's data processing activities against applicable privacy laws and regulations. Covers consent mechanisms, privacy policies, data retention practices, security measures, vendor agreements, and internal governance. Can be internal or performed by a third party.
- Related: ROPA, DPIA, Accountability
- Consent
- Under GDPR, any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they agree to the processing of their personal data. Must be as easy to withdraw as to give. Pre-ticked boxes or inactivity do not constitute valid consent.
- Related: Legitimate Interest, Legal Basis, Cookie Consent
- Consent Management Platform (CMP)
- A tool that manages user consent for cookies and data processing on a website. A CMP typically displays a cookie banner, records consent choices, and controls which scripts fire based on user preferences. Must integrate with IAB TCF or Google Consent Mode for ad tech compliance.
- Related: Cookie Banner, Consent, Google Consent Mode
- Content Security Policy (CSP)
- An HTTP security header that controls which resources (scripts, styles, images, fonts) a browser is allowed to load on a page. CSP mitigates cross-site scripting (XSS) attacks and data injection by whitelisting trusted content sources. A strong CSP is a key indicator of website security maturity.
- Related: Security Headers, XSS
- Controller (Data Controller)
- The natural or legal person, public authority, or body that determines the purposes and means of processing personal data. The controller bears primary responsibility for compliance, including appointing a DPO, conducting DPIAs, and responding to data subject requests.
- Related: Processor, Joint Controller
- COPPA (Children's Online Privacy Protection Act)
- A US federal law requiring websites and online services directed at children under 13 to obtain verifiable parental consent before collecting personal information from children. Applies to operators of commercial websites and online services.
- Related: Age Verification, Privacy Rights
- CPPA (Consumer Privacy Protection Act)
- Canada's proposed replacement for PIPEDA, introducing a rights-based framework closer to GDPR. Includes stronger consent requirements, a right to data portability, algorithmic transparency, a private right of action, and administrative monetary penalties up to 5% of global revenue or C$25M.
- Related: PIPEDA, Privacy Rights
- CPRA (California Privacy Rights Act)
- An amendment to the CCPA effective January 2023 that created the California Privacy Protection Agency (CPPA), introduced the right to correct inaccurate data, expanded opt-out rights to sharing (not just sale), and added requirements for sensitive personal information.
- Related: CCPA, Privacy Rights
- Cross-Border Data Transfer
- The movement of personal data from one country or jurisdiction to another, particularly from the EEA/UK to a third country. Requires a legal mechanism such as an adequacy decision, SCCs, BCRs, or a derogation under Article 49.
- Related: Adequacy Decision, SCCs, BCRs
D
- Dark Pattern
- A deceptive user interface design that manipulates users into making unintended choices, such as making it harder to reject cookies than to accept them, or using confusing double negatives. The EDPB and various DPAs have issued guidelines classifying dark patterns as violations of GDPR's fairness and transparency principles.
- Related: Consent, Cookie Banner
- Data Breach
- A security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Under GDPR, controllers must assess the risk to individuals and, if significant, notify the supervisory authority within 72 hours.
- Related: Breach Notification, Security
- Data Controller
- See Controller.
- Related: Controller
- Data Localisation
- Legal requirements mandating that personal data of a country's citizens or residents must be collected, processed, or stored within that country's borders. Russia, China, and several other nations enforce strict data localisation laws. This creates challenges for global businesses using cloud services.
- Related: Cross-Border Data Transfer, Data Sovereignty
- Data Mapping
- The process of identifying and documenting all personal data an organisation collects, processes, stores, and shares. A data map tracks data flows from collection point to deletion, including which systems store data, who has access, and where data is transferred. Essential for building a ROPA and conducting DPIAs.
- Related: ROPA, DPIA, Data Minimisation
- Data Minimisation
- A GDPR principle requiring that personal data collected and processed must be adequate, relevant, and limited to what is necessary for the stated purposes. Organisations should not collect "just in case" data.
- Related: Purpose Limitation, GDPR Principles
- Data Processing Agreement (DPA)
- A legally binding contract between a data controller and a data processor, required under GDPR Article 28. It must specify the subject matter, duration, nature and purpose of processing, types of personal data, categories of data subjects, and the controller's obligations and rights.
- Related: Controller, Processor
- Data Protection Impact Assessment (DPIA)
- A risk assessment process required under GDPR Article 35 when data processing is likely to result in a high risk to individuals' rights and freedoms. Mandatory for systematic large-scale monitoring, processing sensitive data at scale, or automated decision-making with legal effects.
- Related: Risk Assessment, High Risk Processing
- Data Protection Officer (DPO)
- An independent expert appointed under GDPR Articles 37-39 to oversee an organisation's data protection strategy and compliance. Mandatory for public authorities, organisations whose core activities involve large-scale systematic monitoring, or those processing sensitive data at scale.
- Related: Controller, Supervisory Authority
- Data Sovereignty
- The principle that data is subject to the laws and governance of the country in which it is collected or stored. Increasingly relevant as cloud computing enables cross-border data storage, creating jurisdictional conflicts between data protection regimes.
- Related: Data Localisation, Cross-Border Data Transfer
- Data Subject
- An identified or identifiable natural person whose personal data is processed. Data subjects have rights under GDPR including access, rectification, erasure, restriction, portability, and objection.
- Related: DSAR, Personal Data
- Data Subject Access Request (DSAR)
- A request by an individual to a controller to confirm whether their personal data is being processed and, if so, to receive a copy of that data along with specific supplementary information (purposes, categories, recipients, retention period). Must be responded to within one month.
- Related: Data Subject, Privacy Rights
- Digital Services Act (DSA)
- EU Regulation 2022/2065 establishing obligations for online platforms and intermediaries regarding illegal content, transparency, and user protection. Requires transparency in advertising, algorithmic recommender systems, and risk assessments for very large online platforms (VLOPs) with 45M+ monthly users.
- Related: EU AI Act, Transparency
- DKIM (DomainKeys Identified Mail)
- An email authentication method that allows the receiving server to verify that an email was sent by the domain it claims to be from and was not altered in transit. Works by attaching a digital signature to outgoing emails. Essential for email deliverability and preventing spoofing.
- Related: DMARC, SPF, Email Security
- DMARC (Domain-based Message Authentication, Reporting & Conformance)
- An email authentication protocol that builds on SPF and DKIM to protect domains from email spoofing and phishing. A DMARC policy tells receiving servers what to do with emails that fail authentication (none, quarantine, or reject). Essential for protecting brand reputation and email deliverability.
- Related: DKIM, SPF, Email Security
E
- EAA (European Accessibility Act)
- EU Directive 2019/882 requiring products and services — including websites and mobile apps — to meet accessibility standards (aligned with WCAG 2.1 AA) from June 28, 2025. Applies to businesses selling to EU consumers.
- Related: WCAG, Accessibility
- EDPB (European Data Protection Board)
- The EU body composed of representatives from each national Data Protection Authority and the European Data Protection Supervisor. The EDPB ensures consistent application of GDPR across the EU, issues guidelines and opinions, and resolves disputes between DPAs.
- Related: Supervisory Authority, GDPR
- Encryption
- The process of converting data into a coded format that can only be read by authorised parties with the decryption key. GDPR Article 32 explicitly mentions encryption as a technical measure for securing personal data. Types include encryption at rest (stored data) and encryption in transit (data being transmitted, e.g., HTTPS/TLS).
- Related: Security, HTTPS
- ePrivacy Directive
- EU Directive 2002/58/EC (amended by 2009/136/EC) governing electronic communications privacy, including rules on cookies, direct marketing, and confidentiality of communications. Often called the "Cookie Law." Will eventually be replaced by the ePrivacy Regulation.
- Related: PECR, Cookies, Cookie Banner
- Erasure (Right to)
- Also known as the "right to be forgotten." Under GDPR Article 17, individuals can request deletion of their personal data when it is no longer necessary, consent is withdrawn, the data was unlawfully processed, or a legal obligation requires deletion.
- Related: DSAR, Data Subject
- EU AI Act
- EU Regulation 2024/1689 establishing harmonised rules on artificial intelligence. Classifies AI systems by risk level (unacceptable, high, limited, minimal) and imposes requirements including transparency obligations for AI-generated content, conformity assessments for high-risk systems, and prohibitions on certain AI practices.
- Related: AI, Transparency
- EU-US Data Privacy Framework (DPF)
- An adequacy framework adopted by the European Commission in July 2023 enabling personal data transfers from the EU to certified US organisations. Replaced the invalidated Privacy Shield. Companies must self-certify through the US Department of Commerce and commit to a set of privacy principles.
- Related: Adequacy Decision, Data Transfer, Schrems II
F
- First-Party Data
- Data collected directly by an organisation from its own audience or customers through its own channels (website, app, CRM). Considered more privacy-friendly than third-party data and increasingly important as third-party cookies are deprecated.
- Related: Third-Party Data, Cookies
G
- GDPR (General Data Protection Regulation)
- EU Regulation 2016/679, the primary data protection law in the European Union, effective May 25, 2018. Applies to any organisation processing personal data of individuals in the EU/EEA, regardless of where the organisation is located. Establishes principles, rights, and obligations for data protection. Maximum fines: €20M or 4% of global annual turnover.
- Related: DPA, DPO, Data Subject
- Genetic Data
- Personal data relating to the inherited or acquired genetic characteristics of a natural person, obtained from biological sample analysis (e.g., DNA, RNA). Classified as special category data under GDPR Article 9, requiring explicit consent or another specific exception for processing.
- Related: Biometric Data, Special Category Data
- Google Consent Mode
- A framework by Google that adjusts the behavior of Google tags (Analytics, Ads) based on the consent state of users. Version 2 (v2) is required from March 2024 for advertisers using Google Ads in the EEA and UK. Operates through consent signals: ad_storage, analytics_storage, ad_user_data, and ad_personalization.
- Related: Consent, CMP, Cookies
- GPC (Global Privacy Control)
- A browser-level signal that communicates a user's privacy preferences to websites, specifically their wish to opt out of the sale or sharing of personal information. Recognised under CCPA/CPRA and several US state privacy laws as a legally valid opt-out mechanism. Supported by Firefox, Brave, and the DuckDuckGo browser.
- Related: Opt-Out, CCPA, Do Not Track
H
- High Risk Processing
- Data processing that is likely to result in a high risk to the rights and freedoms of natural persons. Triggers the requirement for a DPIA under GDPR Article 35. Includes large-scale profiling, systematic monitoring of public areas, and processing special categories of data at scale.
- Related: DPIA, Risk Assessment
- HSTS (HTTP Strict Transport Security)
- A security header that instructs browsers to only communicate with a website over HTTPS, preventing downgrade attacks and cookie hijacking. Once set, the browser will automatically convert all HTTP requests to HTTPS for the specified duration. A max-age of at least one year and includeSubDomains are recommended best practices.
- Related: HTTPS, Security Headers
- HTTPS (Hypertext Transfer Protocol Secure)
- The encrypted version of HTTP using TLS/SSL to protect data transmitted between a user's browser and a web server. GDPR Article 32 implicitly requires HTTPS as an appropriate technical measure for protecting personal data in transit. Modern browsers flag HTTP-only sites as "Not Secure."
- Related: TLS, Encryption, Security
I
- IAB TCF (Transparency & Consent Framework)
- A standardised framework by the Interactive Advertising Bureau (IAB) enabling digital advertising companies to comply with GDPR and ePrivacy by standardising how consent signals are communicated through the ad tech supply chain. Currently at version 2.2.
- Related: CMP, Consent, Ad Tech
- ICO (Information Commissioner's Office)
- The UK's independent data protection authority responsible for enforcing the UK GDPR and Data Protection Act 2018. Has the power to issue fines, conduct audits, and provide guidance.
- Related: Supervisory Authority, UK GDPR
- Incident Response Plan
- A documented set of procedures for detecting, responding to, and recovering from data security incidents and breaches. Should cover roles and responsibilities, classification criteria, escalation paths, communication templates (for DPAs and affected individuals), evidence preservation, and post-incident review. Critical for meeting GDPR's 72-hour breach notification deadline.
- Related: Data Breach, Breach Notification
- Information Security
- The practice of protecting information and data from unauthorised access, use, disclosure, disruption, modification, or destruction. GDPR Article 32 requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption, pseudonymisation, and regular testing.
- Related: Encryption, Security Headers
- IP Address
- A numerical label assigned to each device on a network. Under GDPR, IP addresses are considered personal data because they can identify or be used to identify a natural person, as confirmed by the CJEU in the Breyer case (C-582/14). Dynamic IP addresses are also personal data when combined with information held by an ISP.
- Related: Personal Data, Tracking
J
- Joint Controller
- Two or more controllers that jointly determine the purposes and means of processing personal data. Must establish a transparent arrangement specifying their respective responsibilities for GDPR compliance, particularly regarding data subject rights.
- Related: Controller, DPA
K
- KVKK (Kişisel Verilerin Korunması Kanunu)
- Turkey's Personal Data Protection Law, modelled after the EU Data Protection Directive 95/46/EC. Establishes rights for data subjects, obligations for controllers, and a Data Protection Authority (KVKK Board). Requires explicit consent for processing sensitive data and cross-border transfer restrictions.
- Related: GDPR, Data Transfer
L
- Lawful Basis (Legal Basis)
- One of six grounds under GDPR Article 6 that legitimise the processing of personal data: (1) consent, (2) contract, (3) legal obligation, (4) vital interests, (5) public task, (6) legitimate interest. Processing without a valid legal basis is unlawful.
- Related: Consent, Legitimate Interest
- Legitimate Interest
- One of the six lawful bases under GDPR Article 6(1)(f). Allows processing when the controller or a third party has a legitimate interest, provided it does not override the data subject's fundamental rights and freedoms. Requires a documented Legitimate Interest Assessment (LIA).
- Related: Lawful Basis, LIA
- LGPD (Lei Geral de Proteção de Dados)
- Brazil's General Data Protection Law, effective September 2020. Modelled after GDPR, it applies to any processing of personal data collected in Brazil or of individuals in Brazil. Enforced by the ANPD (National Data Protection Authority). Fines up to 2% of revenue, capped at R$50M per violation.
- Related: GDPR, Data Transfer
- LIA (Legitimate Interest Assessment)
- A three-part test to determine whether legitimate interest can be used as a lawful basis: (1) identifying the legitimate interest, (2) necessity — is the processing necessary to achieve it?, (3) balancing — do the individual's interests override the legitimate interest?
- Related: Legitimate Interest, Lawful Basis
M
- Metadata
- Data that provides information about other data — for example, email headers (sender, recipient, timestamps), file properties, or HTTP headers. Under GDPR, metadata can constitute personal data if it can be linked to an identifiable individual. The ePrivacy Directive also protects electronic communications metadata (location data, traffic data).
- Related: Personal Data, ePrivacy
- Mixed Content
- A security issue where a webpage served over HTTPS loads resources (scripts, images, iframes) over HTTP. This creates a vulnerability where an attacker could intercept the unencrypted resources. Browsers increasingly block mixed content to protect users.
- Related: HTTPS, Security
N
- NIS2 Directive
- EU Directive 2022/2555 on the security of network and information systems, replacing the original NIS Directive. Expands the scope to more sectors (energy, transport, health, digital infrastructure), introduces stricter security requirements, mandatory incident reporting within 24-72 hours, and supply chain security obligations. Must be transposed into national law by October 2024.
- Related: Information Security, Incident Response Plan
- NIST Privacy Framework
- A voluntary framework developed by the US National Institute of Standards and Technology to help organisations manage privacy risk. Structured around five functions: Identify, Govern, Control, Communicate, and Protect. Often used alongside the NIST Cybersecurity Framework for integrated risk management.
- Related: Risk Assessment, Information Security
O
- Opt-In
- A mechanism requiring active, affirmative action by the user before data is collected or processed. GDPR generally requires opt-in consent for cookies (except strictly necessary ones), direct marketing emails, and special category data processing.
- Related: Consent, Opt-Out
- Opt-Out
- A mechanism allowing users to withdraw consent or object to data processing after it has started. CCPA primarily uses an opt-out model (e.g., "Do Not Sell My Personal Information"), while GDPR leans toward opt-in. The Global Privacy Control (GPC) signal is a browser-level opt-out.
- Related: Consent, CCPA, GPC
P
- PDPA (Personal Data Protection Act)
- Data protection legislation adopted by several countries in Southeast Asia, notably Singapore (2012) and Thailand (2019). Singapore's PDPA is enforced by the PDPC, covers consent-based data processing, establishes a Do Not Call Registry, and imposes fines up to S$1M. Thailand's PDPA closely mirrors GDPR with explicit consent requirements and data subject rights.
- Related: GDPR, Privacy Rights
- PECR (Privacy and Electronic Communications Regulations)
- UK regulations implementing the ePrivacy Directive. Cover rules on cookies, electronic marketing, and the privacy of electronic communications. Enforced by the ICO alongside UK GDPR.
- Related: ePrivacy, ICO, Cookies
- Personal Data
- Any information relating to an identified or identifiable natural person ("data subject"). Includes names, email addresses, IP addresses, cookie identifiers, location data, biometric data, and any factor specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
- Related: Data Subject, Special Category Data
- PIPEDA (Personal Information Protection and Electronic Documents Act)
- Canada's federal privacy law governing how private-sector organisations collect, use, and disclose personal information in the course of commercial activity. Being replaced by the Consumer Privacy Protection Act (CPPA) pending Parliamentary approval.
- Related: CPPA, Data Transfer
- Pixel (Tracking Pixel)
- A tiny 1x1 transparent image embedded in a webpage or email that sends information back to a server when loaded. Used to track page views, email opens, and user behaviour. Common examples include the Meta Pixel (formerly Facebook Pixel) and LinkedIn Insight Tag. Under GDPR, tracking pixels require prior informed consent.
- Related: Tracker, Consent
- Privacy by Design
- A GDPR requirement (Article 25) that organisations integrate data protection into the design of their systems and processes from the outset, not as an afterthought. Includes data minimisation by default, pseudonymisation, and building in privacy safeguards.
- Related: Data Minimisation, GDPR Principles
- Privacy Impact Assessment (PIA)
- A broader risk assessment process (predating GDPR) for identifying and mitigating privacy risks in new projects, systems, or processes. While GDPR formalised this as the DPIA, many organisations still use the term PIA for less formal assessments or assessments under non-EU privacy laws (e.g., PIPEDA, CCPA impact assessments).
- Related: DPIA, Risk Assessment
- Privacy Notice (Privacy Policy)
- A public-facing document explaining what personal data an organisation collects, why, how it's used, who it's shared with, how long it's retained, and what rights individuals have. GDPR Articles 13 and 14 specify the minimum required contents.
- Related: Article 13 Notice, Transparency
- Privacy Shield
- A former EU-US data transfer framework invalidated by the Court of Justice of the EU (CJEU) in the Schrems II ruling (July 2020) due to inadequate protection against US government surveillance. Replaced by the EU-US Data Privacy Framework (DPF) in July 2023.
- Related: Schrems II, EU-US Data Privacy Framework
- Processor (Data Processor)
- A natural or legal person, public authority, or body that processes personal data on behalf of and under the instructions of a controller. Must be governed by a DPA under GDPR Article 28. Examples: cloud hosting providers, email marketing services, analytics platforms.
- Related: Controller, DPA, Sub-Processor
- Profiling
- Any form of automated processing of personal data to evaluate certain personal aspects of a natural person, including analysing or predicting work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements. Subject to additional safeguards under GDPR Article 22.
- Related: Automated Decision-Making, DPIA
- Pseudonymisation
- Processing personal data so that it can no longer be attributed to a specific data subject without the use of additional information, which is kept separately under technical and organisational measures. Unlike anonymisation, pseudonymised data remains personal data under GDPR, because whoever holds the additional information (for example, the key or lookup table) can re-identify individuals; pseudonymisation itself is recognised as a security safeguard under Article 32.
- Related: Anonymisation, Security
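The distinction in this entry is easiest to see in code. The following is an added example, not part of the glossary: it contrasts a common mistake (an unkeyed SHA-256 of an e-mail address, which anyone with a list of candidate addresses can re-identify) with a keyed HMAC whose key is held apart from the dataset, and shows that the key holder can still re-link records, which is why the result stays personal data. All addresses and keys are constructed sample values.

```python
"""Pseudonymisation done right vs. a common mistake (added example, not
from the glossary). A plain SHA-256 of an e-mail address is not GDPR-style
pseudonymisation: a candidate list alone recomputes the hashes. A keyed
HMAC under a key stored separately from the data (the 'additional
information' kept under separate measures) cannot be reproduced without
that key, while the key holder can still link records.
All addresses and keys below are constructed sample values."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable


def naive_hash(email: str) -> str:
    """The weak approach: unkeyed hash of a normalised address."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def pseudonymise(email: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 under a key held apart from the dataset.
    Normalising the address keeps one person mapped to one token."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def reidentify(tokens: Iterable[str], candidates: Iterable[str],
               token_fn: Callable[[str], str]) -> Dict[str, str]:
    """Map each token back to a candidate address whose token_fn output matches.
    Anyone holding the dataset plus a reproducible token function can do this;
    it should succeed only for the legitimate key holder."""
    table = {token_fn(c): c for c in candidates}
    return {t: table[t] for t in tokens if t in table}


# Constructed sample data: the records in a dataset and a list of candidate addresses.
DATASET_EMAILS = ["alice@example.com", "carol@example.net"]
CANDIDATES = ["alice@example.com", "bob@example.org", "carol@example.net"]


def compare(real_key: bytes, guessed_key: bytes) -> Dict[str, int]:
    """Count how many dataset records each party can re-identify."""
    naive_tokens = [naive_hash(e) for e in DATASET_EMAILS]
    keyed_tokens = [pseudonymise(e, real_key) for e in DATASET_EMAILS]
    return {
        # Unkeyed hash: the candidate list alone recovers every record.
        "naive": len(reidentify(naive_tokens, CANDIDATES, naive_hash)),
        # Keyed pseudonym, wrong key: nothing matches.
        "keyed_without_key": len(reidentify(
            keyed_tokens, CANDIDATES, lambda c: pseudonymise(c, guessed_key))),
        # Keyed pseudonym, real key: the controller can still re-link,
        # so the tokens remain personal data under GDPR.
        "keyed_with_key": len(reidentify(
            keyed_tokens, CANDIDATES, lambda c: pseudonymise(c, real_key))),
    }


if __name__ == "__main__":
    real = secrets.token_bytes(32)     # in practice: kept in a separate secrets store
    guessed = secrets.token_bytes(32)  # a party without access to the real key
    print(compare(real, guessed))      # {'naive': 2, 'keyed_without_key': 0, 'keyed_with_key': 2}
```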
- Purpose Limitation
- A GDPR principle requiring that personal data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. Organisations must clearly define purposes before processing begins.
- Related: Data Minimisation, GDPR Principles
R
- Records of Processing Activities (ROPA)
- Documentation required under GDPR Article 30 detailing all data processing activities, including purposes, categories of data and data subjects, recipients, retention periods, and security measures. Controllers and some processors (250+ employees or high-risk processing) must maintain these records.
- Related: Controller, Processor
- Rectification (Right to)
- Under GDPR Article 16, individuals have the right to obtain the correction of inaccurate personal data and the completion of incomplete personal data. Controllers must respond to rectification requests without undue delay and inform any recipients of the corrected data.
- Related: Data Subject, Privacy Rights
- Referrer Policy
- An HTTP header that controls how much referrer information (the URL of the previous page) is included with requests made from a page. Privacy-focused policies like "strict-origin-when-cross-origin" or "no-referrer" prevent leaking sensitive URL parameters to third-party sites, which is especially important when URLs contain personal data.
- Related: Security Headers, Privacy by Design
- Retention Period
- The duration for which personal data is stored. Under GDPR's storage limitation principle, data must not be kept longer than necessary for the purposes for which it was collected. Organisations must define and document retention periods for each category of data.
- Related: Data Minimisation, Purpose Limitation
- Right to Access
- Under GDPR Article 15, individuals have the right to obtain confirmation of whether their data is being processed and, if so, to receive a copy of the data along with information about the purposes, categories, recipients, retention period, source, and existence of automated decision-making.
- Related: DSAR, Data Subject
- Right to Portability
- Under GDPR Article 20, individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. Applies only to data processed by automated means based on consent or contract.
- Related: Data Subject, Privacy Rights
- Right to Restriction
- Under GDPR Article 18, individuals can request that processing of their personal data is restricted (i.e., stored but not actively used) in specific circumstances: when accuracy is contested, processing is unlawful but the data subject opposes erasure, the controller no longer needs the data but the data subject needs it for legal claims, or pending verification of an objection.
- Related: Data Subject, Privacy Rights
S
- Schrems II
- A landmark 2020 ruling by the Court of Justice of the EU (Case C-311/18) that invalidated the EU-US Privacy Shield and imposed additional requirements on Standard Contractual Clauses (SCCs). Named after Austrian privacy activist Max Schrems. The ruling requires organisations to assess whether the recipient country's laws provide essentially equivalent data protection before transferring data.
- Related: Privacy Shield, SCCs, Transfer Impact Assessment
- SCCs (Standard Contractual Clauses)
- Pre-approved contractual terms adopted by the European Commission that provide appropriate safeguards for international data transfers to countries without an adequacy decision. The 2021 modernised SCCs replaced all previous versions as of December 27, 2022.
- Related: Data Transfer, BCRs, Adequacy Decision
- Security Headers
- HTTP response headers that enhance website security: Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy. Implementing these is considered a technical measure for GDPR Article 32 security obligations.
- Related: Security, HTTPS
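The HSTS, Referrer Policy and Security Headers entries together describe a concrete checklist, so here is an added example (not from the glossary) that audits a response's headers against it: HSTS with a max-age of at least one year and includeSubDomains, a Content-Security-Policy, a Referrer-Policy that does not send the full URL cross-origin, X-Content-Type-Options nosniff, framing protection, and a Permissions-Policy. The two header sets at the bottom are constructed; in practice the dict would come from a real HTTP response.

```python
"""Audit HTTP response headers against the glossary's recommendations.
Added example, not from the page; WEAK_HEADERS and HARDENED_HEADERS
are constructed sample inputs."""
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; the glossary's "max-age of at least one year"

# Referrer-Policy values that never send path or query string to another
# origin, so URL parameters carrying personal data cannot leak via Referer.
PRIVATE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse e.g. 'max-age=63072000; includeSubDomains; preload'."""
    parsed: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                parsed["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                parsed["max_age"] = None  # malformed max-age: treat as absent
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per failed check; an empty list means all checks passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: browser may still connect over plain HTTP")
    else:
        p = parse_hsts(hsts)
        if p["max_age"] is None or p["max_age"] < ONE_YEAR:
            findings.append(f"HSTS max-age below one year: {p['max_age']}")
        if not p["include_subdomains"]:
            findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy", "")
    if not csp.strip():
        findings.append("Content-Security-Policy missing")

    policy = h.get("referrer-policy", "").strip().lower()
    if policy not in PRIVATE_REFERRER_POLICIES:
        findings.append(f"Referrer-Policy {policy or 'missing'}: full URL may leak to third parties")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options should be nosniff")

    # Either X-Frame-Options or a CSP frame-ancestors directive controls framing.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in {"DENY", "SAMEORIGIN"} and "frame-ancestors" not in csp.lower():
        findings.append("no framing protection (X-Frame-Options or CSP frame-ancestors)")

    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")
    return findings


# Constructed examples: a weak configuration beside a hardened one.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=86400",   # one day, not one year
    "Referrer-Policy": "unsafe-url",                 # sends full URL everywhere
    "X-Content-Type-Options": "nosniff",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["all checks passed"])
```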
- Sensitive Data (Special Category Data)
- Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation. Processing is prohibited under GDPR Article 9 unless a specific exception applies.
- Related: Personal Data, Consent
- Server-Side Tracking
- A method of collecting analytics and marketing data by sending events from a website to a server-side endpoint, which then forwards the data to third-party services (e.g., Google Analytics, Meta). Provides greater control over what data is shared, reduces client-side JavaScript, and is more resistant to ad blockers, but still requires compliance with cookie consent rules under GDPR.
- Tracker, Google Consent Mode
- SPF (Sender Policy Framework)
- An email authentication standard that allows domain owners to specify which mail servers are authorised to send email on behalf of their domain. Receiving servers check the SPF record in DNS to verify the sender. Helps prevent email spoofing but should be used alongside DKIM and DMARC for full protection.
- DKIM, DMARC, Email Security
- Storage Limitation
- A GDPR principle (Article 5(1)(e)) requiring that personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. Organisations must implement data retention schedules, periodic reviews, and automated deletion policies.
- Retention Period, GDPR Principles
- Sub-Processor
- A third party engaged by a data processor to carry out specific processing activities on behalf of the controller. Under GDPR Article 28(2), processors must obtain prior written authorisation from the controller before engaging sub-processors.
- Processor, DPA
T
- Third-Party Data
- Data acquired from external sources that did not originally collect it from the data subjects. Often aggregated and sold by data brokers. Under GDPR, processing third-party data requires a valid legal basis and transparency about the data source (Article 14 notice). Increasingly scrutinised by regulators.
- First-Party Data, Article 14 Notice
- TLS (Transport Layer Security)
- A cryptographic protocol that provides end-to-end encryption for data in transit over the internet. The successor to SSL. TLS 1.3 (the current standard) is faster and more secure than previous versions. Websites should disable TLS 1.0 and 1.1, which are considered insecure and deprecated.
- HTTPS, Encryption, Security
- Tracker
- Any technology (cookies, pixels, scripts, fingerprinting) used to monitor user behaviour across websites or applications. Examples include Google Analytics, Facebook Pixel, and HubSpot tracking code. Under GDPR and ePrivacy, most trackers require prior consent.
- Cookie, Browser Fingerprinting, Consent
- Transparency
- A fundamental GDPR principle requiring that personal data is processed in a lawful, fair, and transparent manner. Individuals must be informed in clear and plain language about how their data is collected, used, and shared.
- Privacy Notice, Article 13 Notice
- Transfer Impact Assessment (TIA)
- An assessment required following the Schrems II ruling to evaluate whether the level of data protection in the recipient country is essentially equivalent to that in the EEA, taking into account the laws and practices of the recipient country and any supplementary measures.
- SCCs, Data Transfer, Schrems II
U
- UK GDPR
- The retained version of the EU GDPR incorporated into UK law after Brexit, as amended by the Data Protection Act 2018. Substantially similar to EU GDPR but enforced by the ICO. Data transfers from the EU to the UK are governed by an adequacy decision (extended to June 2025).
- GDPR, ICO, Adequacy Decision
V
- Vendor Risk Assessment
- The process of evaluating third-party vendors and service providers to determine the privacy and security risks they pose. Under GDPR, controllers must ensure their processors provide sufficient guarantees (Article 28). Assessments should cover data processing locations, sub-processors, security certifications (ISO 27001, SOC 2), breach history, and data transfer mechanisms.
- Processor, Sub-Processor, DPA
W
- WCAG (Web Content Accessibility Guidelines)
- Internationally recognised guidelines published by the W3C for making web content accessible to people with disabilities. WCAG 2.1 Level AA is the standard referenced by the European Accessibility Act (EAA) and many national accessibility laws.
- EAA, Accessibility
Z
- Zero-Party Data
- Data that a customer intentionally and proactively shares with a brand, such as preferences, purchase intentions, personal context, and how they want to be recognised. Unlike first-party data (observed behaviour), zero-party data is explicitly provided. Examples include survey responses, preference centre selections, and quiz answers. Considered the most privacy-compliant form of customer data.
- First-Party Data, Consent