There’s some hefty jargon found in data privacy regulations like the GDPR and CCPA, even for someone in the know. If you’re researching data privacy compliance, here’s a list of definitions you can refer to.
Personal data (AKA personal information) is any information relating to an identified or identifiable natural person.
A data subject is an identifiable living person who can be linked to personal data. This link can be direct such as a name or ID number, indirect such as through location or an online username, or through any other identifiers specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
Data processing refers to any operation performed on personal data. This includes collecting, storing, organizing, changing, using, sharing, limiting, or deleting that data.
Restriction of processing means marking someone’s stored personal data to prevent it being processed in future. It stays stored, but you only handle it in narrow cases, like with consent or for legal claims.
Profiling is any form of automated processing that analyzes personal data with the goal of predicting or evaluating personal aspects of a living person, such as their behavior, preferences, health, work performance, or interests. Companies often use profiling to make decisions or predictions about their audience.
Pseudonymization is the process of swapping personal data with pseudonyms (e.g. codes, tokens, hashes or encrypted values) so it cannot be used to identify a data subject without additional information, such as a “linking key” or “re-identification key”. The additional information is kept separate and protected, so only authorized people can use it to reconnect the personal data when needed. In some ways, it’s like using numbered cloakroom tickets. The coats (real identities) stay in the back room, and people only see ticket numbers (pseudonyms).
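The cloakroom idea above as a short Python sketch. This is an added example, not code from the original page: `LinkingVault`, `pseudonymize_records` and `unkeyed_hash` are hypothetical names, the records are constructed, and using a keyed HMAC as the pseudonym is an assumption chosen to contrast with a plain hash, which has no secret to keep separate.

```python
import hashlib
import hmac
import secrets


class LinkingVault:
    """Holds the secret key and the pseudonym -> identity table (the 'back room')."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self._table = {}

    def pseudonymize(self, value):
        normalized = value.strip().lower().encode()
        token = hmac.new(self._key, normalized, hashlib.sha256).hexdigest()[:16]
        self._table[token] = value  # the "linking key" entry, stored apart from the data
        return token

    def reidentify(self, token):
        # Only callers with access to the vault can reverse a pseudonym.
        return self._table[token]


def pseudonymize_records(records, vault, fields=("email",)):
    """Return copies of the records with identifying fields swapped for pseudonyms."""
    result = []
    for record in records:
        copy = dict(record)
        for field in fields:
            copy[field] = vault.pseudonymize(record[field])
        result.append(copy)
    return result


def unkeyed_hash(value):
    """Plain hash with no secret: anyone holding a candidate value can recompute it."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()[:16]


# Constructed sample data, not from the original page.
SAMPLE_RECORDS = [
    {"email": "ana@example.com", "plan": "pro"},
    {"email": "ben@example.com", "plan": "free"},
    {"email": "Ana@example.com", "plan": "pro"},
]

if __name__ == "__main__":
    vault = LinkingVault()
    for row in pseudonymize_records(SAMPLE_RECORDS, vault):
        print(row)
```

The analytics side only ever sees the output of `pseudonymize_records`; the vault object, with its key and table, is what has to be stored and access-controlled separately.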
A data controller is the person or organization that decides why and how personal data will be used.
A data processor is a person or organization that handles personal data for a controller, following the controller’s instructions.
A recipient is any person or organization that is given access to personal data, or to whom personal data is disclosed, no matter whether they are a third party or not.
A third party is any person or organization that is not the data subject, controller, processor, or someone working under their direct authority with permission to handle the data.
In the context of data privacy, user consent is the act of a person (the user) giving you permission to collect and use their personal information for a specific purpose.
Any time personal data is accessed or disclosed without authorization, destroyed accidentally or unlawfully, altered, or stolen, it’s referred to as a data breach. Companies that fall victim to data breaches are required to assess whether the breach poses a risk to their data subjects, and if so, notify their data protection authority within 72 hours.
Genetic data is personal information about someone’s inherited or acquired genetic characteristics that reveals unique details about their body or health, usually found by testing a sample like blood, saliva, or tissue.
Biometric data is personal information created by technical analysis of someone’s physical features or behavior that can uniquely identify them. This includes fingerprints, facial images, iris scans, or voice patterns. This data comes from specialized processing that measures characteristics like body structure, biological traits, or how someone acts.
Data concerning health means any personal information about a person’s physical or mental health that shows something about their health status, such as details from previous medical care or a treatment they received.
A filing system is any organised set of personal data that you can search using clear rules. It can sit in one place, in many locations, or be spread across different teams or countries.
A main establishment is basically the headquarters for a controller or processor.
A representative is a person or company based in the EU, formally appointed in writing by a controller or processor, to act on their behalf and handle their GDPR duties in the EU.
An enterprise is any person or organization doing business or economic work, regardless of how it’s legally set up. This includes partnerships and associations that carry out regular business activities.
Binding corporate rules (BCRs) are internal privacy policies that a company creates to extend the EU's protection standards to its offices or partners in countries outside the EU. Essentially, they are a shared privacy policy.
A BCR outlines how personal data is expected to be collected, stored, processed, transferred and retained across the group. It also includes data security measures, data subject rights, breach management, accountability, transparency, and processing principles that apply to all processing of personal data within the corporate group.