The data-protection terms a privacy team actually uses, defined in plain language by practitioners. For the full walkthrough, read the GDPR compliance guide.
GDPR (General Data Protection Regulation): The EU regulation governing how organizations collect, use, and protect the personal data of people in the EU. It applies based on whose data is processed, not where the organization is located.
Personal data: Any information relating to an identified or identifiable person, including a name, email address, location, device identifier, or account number.
Special category data: A sensitive subset of personal data, such as health or biometric data, or data revealing racial or ethnic origin, religious beliefs, or political opinions. It receives extra protection and needs an additional Article 9 condition, often explicit consent, on top of a lawful basis.
Data subject: The living person whom the personal data is about. GDPR grants data subjects enforceable rights over their own data, including access and erasure.
Processing: Almost anything done with personal data: collecting, storing, using, sharing, altering, or deleting it. Every processing activity needs a lawful basis.
Controller: The organization that decides why and how personal data is processed. The controller carries primary accountability under GDPR and is the party people exercise their rights against.
Processor: An organization that processes personal data on a controller's instructions and does not decide the purpose. A cloud vendor handling a client's data is usually a processor.
Joint controllers: Two or more organizations that together decide the purpose and means of processing. They must agree and be transparent about who is responsible for what.
Lawful basis: One of the six legal grounds in Article 6 that every processing activity must rest on: consent, contract, legal obligation, vital interests, public task, or legitimate interests.
Consent: A lawful basis where the person agrees to the processing. Valid consent is freely given, specific, informed, and unambiguous, and must be as easy to withdraw as it was to give.
Legitimate interests: A lawful basis that balances an organization's genuine interest against the person's rights and expectations. It requires a documented balancing assessment and is not available to public authorities.
Purpose limitation: The principle that data is collected for specified, explicit, legitimate purposes, and not quietly reused for an unrelated purpose later.
Data minimization: The principle that an organization collects only the data that is adequate, relevant, and necessary for the stated purpose.
Storage limitation: The principle that personal data is kept only as long as the purpose requires, governed by retention schedules and timely deletion.
Accountability: The principle that a controller must be able to demonstrate compliance with GDPR, not just claim it, through documentation, records, and audit trails.
Data subject access request (DSAR): A request from a person for a copy of the personal data an organization holds about them, plus information on how and why it is used. The response is generally due within one month.
Right to erasure: Also called the right to be forgotten. The right to have personal data deleted in defined circumstances, such as when consent is withdrawn or the data is no longer needed. It is not absolute, and legal obligations can override it.
Right to data portability: The right to receive one's personal data in a structured, machine-readable format, where the processing is based on consent or contract and is carried out by automated means.
Data protection impact assessment (DPIA): A structured assessment of the privacy risk in a processing activity, required under Article 35 before high-risk processing begins.
Data protection officer (DPO): An independent officer who advises on and monitors data-protection compliance and acts as the contact point for the regulator. Mandatory for public authorities, large-scale systematic monitoring, or large-scale special category processing.
Breach notification: The obligation to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, and to notify affected individuals where the risk to them is high.
Personal data breach: A security failure leading to the destruction, loss, alteration, or unauthorized disclosure of or access to personal data.
Supervisory authority: The independent national regulator that enforces GDPR in an EU member state, receives breach notifications, handles complaints, and can issue fines.
International data transfer: Moving personal data outside the EU. It is restricted unless the destination provides adequate protection or a valid transfer mechanism is in place.
Adequacy decision: A formal EU determination that a country provides protection essentially equivalent to GDPR, which allows data to flow there without additional safeguards.
Standard contractual clauses (SCCs): EU-approved contract templates that provide a lawful safeguard for transferring personal data to a country without an adequacy decision. They are paired with a transfer impact assessment of the destination's laws.
Binding corporate rules (BCRs): Internal data-protection rules approved by a supervisory authority that allow personal data transfers within a multinational corporate group.
Data processing agreement (DPA): The contract required by Article 28 between a controller and a processor. It sets out the subject matter, duration, and purpose of the processing and the processor's specific obligations.
Privacy notice: The transparency document that tells people what personal data an organization collects, why, the lawful basis, how long it is kept, and how to exercise their rights.
Privacy by design and by default: The requirement to build data protection into systems and processes from the start, through privacy-friendly default settings and technical measures, rather than bolting it on later.
Pseudonymization: Processing personal data so it can no longer be attributed to a specific person without separately kept additional information. It is a recognized safeguard, though pseudonymized data is still personal data.
Automated decision-making: A decision made solely by automated means that has legal or similarly significant effects on a person. People have the right to human review, to contest the decision, and to an explanation.
Records of processing activities (ROPA): The Article 30 inventory documenting what personal data an organization processes, for what purpose, who it is shared with, and how long it is kept. It is the backbone of accountability.
Compliance Command Center turns these concepts into a defensible, regulator-ready GDPR program, run by practitioners and backed by software.