This web site uses cookies. You are free to manage your cookie settings in your web browser at any time. For more about how we use cookies, please read our data privacy policy.

GDPR glossary of terms

GDPR glossary of terms and definitions

Glossary of terms used in the GDPR
GDPR regulatory definitions


The GDPR contains articles and recitals. Articles describe the legal components of the regulation. See also the recital glossary entry.

Binding Corporate Rules

These are personal data protection policies which are adhered to by a controller or processor established in an EU country to enable personal data transfers to a controller or processor in third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.

They are a set of rules that allow multinational companies and organisations to transfer personal data that they control from the EU to their affiliates outside the EU (but within the organisation).

Biometric data

This is personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual, which allow or confirm the unique identification of the individual.


Consent refers to a permission for personal data processing given by a data subject in response to a request for consent initiated by a controller. The consent given by the data subject must be freely given and explicit. The request for consent must be unconditional. specific, unambiguous and clear. The consent request and consent (or lack of) must be recorded.


A controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. It is the entity that determines the purposes, conditions and means of the processing of personal data

Cross-border processing

Cross-border processing falls into two types:

  1. Personal data processing in more than one EU country where the controller or processor is established in more than one EU country.
  2. Personal data processing by a controller or processor in a single EU country which substantially affects or is likely to substantially affect data subjects in more than one EU country.

Data Privacy Impact Assessment (DPIA)

A tool used to identify and reduce the privacy risks of entities by analysing the personal data that are processed and the policies in place to protect the data.

Data Protection Authority

National authorities tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the Union

Data Protection Officer (DPO)

An expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR.

Data subject (an individual)

An individual whose personal data is processed by a controller or processor.

Data Subject Access Request (SAR or DSAR)

A request made by a data subject to a controller to exercise a data subject right.

Data subject rights

All data subjects have the following rights over the personal data that an organisation holds about them:

  1. see their personal data;
  2. request a copy of their personal data to transfer to another organisation;
  3. temporarily restrict processing that is likely to cause or is causing them damage or distress;
  4. object to processing that is likely to cause or is causing them damage or distress;
  5. opt-out of receiving direct marketing material;
  6. opt-out of decisions being taken by automated means;
  7. have their personal data rectified, blocked, erased or destroyed;
  8. lodge a complaint with the regulator;
  9. claim compensation for damages caused by a breach of the GDPR.

Delegated acts

Non-legislative acts enacted to supplement existing legislation and provide criteria or clarity.


An exemption from a law or regulation.


A legislative act that sets out a goal that all EU countries must achieve through their own national laws.


Data (personal or otherwise) that is protected through technological measures to ensure that the data is only accessible/readable by those with specified access.


A natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

Filing system

A filing system is any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

Genetic data

This is personal data relating to the inherited or acquired genetic characteristics of an individual which give unique information about the physiology or the health of that individual and which result from an analysis of a biological sample from the individual.

Group of undertakings

A controlling undertaking and its controlled undertakings.

Health data

This is personal data related to the physical or mental health of an individual, including the provision of health care services, which reveal information about the individual's health status;

Information society service

A service defined as: "any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services". In simpler words it is a service (usually but not always for a fee) that allows an individual to access or interact remotely with the service via any electronic means. Examples would be internet services, social media, etc.

International organisation

Any organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or based on, an agreement between two or more countries.

Main establishment and only applies to controllers and processors with more than one establishment in different EU countries
Main establishment falls into two types:

  1. Controller: the establishment in an EU country where personal data processing decisions are made. This may or may not be the head office.
  2. Processor: the place of its central administration or the place where the main processing activities take place.

Model contract clause

A contract written by the EU to govern data transfers to third countries. If used, the wording may be extended but may not be altered either in content or meaning.

Natural person

A human being. The term natural person is used to differentiate between people and organisations. An organisation is sometimes referred to as a legal person.

Personal data

Any information related to an individual that can be used to directly or indirectly identify the individual. Examples of indirect identifiers are an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.

Personal data breach

The accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.


The GDPR has six principles:

  1. Lawfulness, fairness and transparency : be open about what you do
  2. Purpose limitation : do what you say you are going to do
  3. Data minimisation : only collect the data that you need
  4. Accuracy : keep data up-to-date
  5. Storage limitation : only keep data for as long as you must
  6. Integrity and confidentiality : always keep the data secure

The Controller is accountable for respecting the six principles and must be able to demonstrate compliance with them.

Privacy by design and by default

By design, means the inclusion of data protection in the designing of systems, rather than an addition after the fact. By default, is that all processes must default to a fail-safe state regarding personal data processing.


Any operation or set of operations performed upon personal data by any systems (automated or manual). For example: collection, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasure or destruction.


A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller under explicit instructions given by the controller.


Any form of automated processing of personal data intended to evaluate, analyse, or predict data subject behaviour.


Processing personal data so that it cannot be linked to a specific data subject without the use of additional information, if such additional information is kept separately, and technical and organisational measures are used to ensure no linkage to an identified or identifiable person.


An entity to which personal data are disclosed.


A recital is text that sets out reasons for the provisions of an act, while avoiding normative language and political argumentation. Recitals must be considered when interpreting the meaning of an article.


A binding legislative act that must be applied in its entirety across the EU.

Relevant and reasoned objection

An objection to a draft decision as to whether there is a GDPR infringement, or whether envisaged action in relation to the controller or processor complies with the GDPR, which clearly demonstrates the significance of the risks posed by the draft decision about the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;


A natural or legal person established in the EU who, designated by the controller or processor in writing, represents the controller or processor regarding their respective obligations under this Regulation. A representative is required for any controller or processor that must comply with the GDPR and is established in a third country.

Special categories of personal data (aka sensitive data)

This is personal data about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or data about an individual's sex life or sexual orientation.

Supervisory authority

An independent organisation established to protect natural persons regarding the processing of their personal data.

Third country

A country that is not in the European Union or the EEA.