Data Protection Glossary A-Z


Compliance can be complex with lots of jargon and legalese. At Trace® we’re driven to make data governance accessible, clear and easy to understand.

Here’s a useful glossary to help you make sense of key compliance terms we might use in our application or content, or you might come across in privacy. Think of it as your go to A-Z when it comes to the world of data regulations.


Data controllers need to demonstrate compliance with data protection principles in practice. The accountability principle requires that controllers put relevant systems, practices and tech in place to protect data, and comply; they also need to be ready to evidence that to stakeholders and supervisory authorities.


Per Article 45 of the GDPR, the European Commission makes an adequacy decision on a third country (i.e. a country not bound by the GDPR) or international organisation based on whether there is an adequate level of protection of personal data. When the third country or organisation is deemed to be adequate, this means personal data can flow there from the EU and EEA countries. Trace’s platform and global data visualiser will guide and show you whether your data is in an adequate country or not.

Binding corporate rules (BCRs)

Binding corporate rules (BCRs) are a legal tool for multinational companies to ensure an adequate level of protection for the intra-group transfers of personal data from a country in the EU or the EEA to a third country.


Cloud computing uses a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer. If you are a data controller using cloud computing services to process personal data, you need to consider the measures used to protect data and where data is stored (geographically). Trace® will help you review your cloud data processors for compliance and adequacy.


Consent refers to any freely given, specific and informed indication of the wishes of a data subject, by which he/she agrees to personal data relating to him/her being processed. Consent is one of the legal bases for processing personal data.


Cookies are short text files stored on the user’s device by a web site, they are normally used to provide a more personalised experience and to remember user profile without the need of a specific login. For more on cookies, see the E-privacy Directive 2009/136/EC.

Data controller 

The data controller determines the purposes and means of the processing of personal data. The actual processing may be delegated to another party, called the data processor. The controller is responsible for the lawfulness of the processing, for protecting the data, and respecting the rights of the data subject. The controller is also the point of contact for requests from data subjects’ right requests or for breaches.

Data minimiSation 

This principle implies that data controllers should collect only the personal data they really need, and should keep it only for as long as they need it. According to the GDPR, personal data must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed".

Data protection authority (DPA)

A Data Protection Authority (DPA) is an independent body in charge of: monitoring the processing of personal data within its jurisdiction; providing advice to the competent bodies with regard to legislative and administrative measures relating to the processing of personal data; and hearing complaints lodged by citizens with regard to the protection of their data protection rights.

Data Protection Impact Assessment (DPIA)

Data controllers need to assess the impact of planned processing operations on the protection of personal data when processing is likely to result in a high risk to the rights and freedoms of natural persons. The Trace® application provides you a DPIA to use.

Data protection officer (DPO)

You need to appoint a Data Protection Officer (DPO) if you are a public authority or body, or if you carry out certain types of processing activities. DPOs should be independent and expert, they monitor compliance, inform and advise on data protection obligations, and are contact points for data subjects and the supervisory authority.

Data residency

Data residency is the physical location or locations of a business’ data; so this could be within your office if you have personal data in paper form (e.g. in a filing cabinet) or on a computer drive, or it could be in a data centre located in another country if you (or your vendor) are using a cloud solution to process data. Where personal data under your control ‘resides’ matters as it needs to be in an adequate country to comply with GDPR, for example.

With Trace®, our unique data residency visualiser helps you see where your data categories are in the world, to help you gain assurance that they are in an adequate location, or take action if not.

Data retention

Data retention refers to the obligations on the part of controllers to retain personal data for certain purposes. It’s how long you need to and can keep data for.

Data sovereignty

Data is subject to the laws and governance structures within the country it is collected in.

Data subject

The data subject is the person whose personal data are collected, held or processed. This might be a customer or employee for example.

Data transfer

Transfers are subject to specific safeguards when the recipient is located in a country outside the EU / EEA.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is an information security standard which organisations who process credit card data need to comply with. The standard was created to increase controls around cardholder data to reduce credit card fraud, recognising that this kind of data is high risk and merits extra protection.

Personal data

Personal data means any information relating to an identified or identifiable natural person (‘data subject’), so a person who can be identified, directly or indirectly from an identifier such as a name, ID number, location data or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. The name and the social security number are two examples of personal data which relate directly to a person.


Privacy is the ability of an individual to be left alone, out of public view, and in control of information about oneself. The right to privacy is enshrined in the Universal Declaration of Human Rights (Article 12) as well as in the European Convention of Human Rights (Article 8).

Privacy by design

Privacy by design sets out we should consider privacy and data protection up front, into the design specifications and architecture of information and communication systems and technologies, in order to facilitate compliance with privacy and data protection principles. In other words think of how to protect data from the outset, not as an after thought.

Processing (of personal data)

According to Article 3 (3) of Regulation (EU) 2018/1725, processing of personal data refers to "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction."

Processor (or Data processor)

According to Article 3 (12) of Regulation (EU) 2018/1725, a processor is "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."

For example, a CCTV security company monitoring their client’s office building is not processing personal data of the persons entering a building for its own purpose, but rather on behalf of the their client (i.e. the owner of the building).

Processor agreement (or data processing agreement)

Transfers of personal data from a data controller to a data processor must be secured by a Data Processing Agreement (DPA). The contract must stipulate that the data processor shall act only on instructions from the data controller. The data processor must provide sufficient guarantees in respect of the technical security measures and organisational measure governing the processing to be carried out, and must ensure compliance with such measures. Trace’s platform includes access to your DPA creation toolkit.


Automated processing of personal data where personal data is used to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. 


Processing of personal data so that it can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.


The ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.


To comply (with Article 30 of the GDPR), data controllers need to maintain records of processing activities under their responsibility and processors should maintain records of categories of processing activities under their responsibility. Trace® helps you map your personal data to auto build this “Record of Processing Activity (RoPA)” or Inventory.

Retention periods

Data retention refers to all obligations on the part of controllers to retain personal data for certain purposes. To limit how long you keep personal data is part of data minimisation. The rule of thumb is "as long as necessary, as short as possible", although sometimes legal rules may impose fixed periods.

Right of access

The right of access is the right for any data subject to obtain from the controller of a processing operation the confirmation that data related to him/her are being processed, the purpose(s) for which they are processed, as well as the logic involved in any automated decision process concerning him or her.

This right also allows the data subject to receive communication in an intelligible form of the data undergoing processing and of information regarding the processing. This right can be exercised without constraint, at any time within 1 month  from the receipt of the request, and is free of charge.

Right of information

Everyone has the right to know that their personal data are processed and for which purpose. The right to be informed is essential because it determines the exercise of other rights.

Right of rectification

The right of rectification is the right to obtain from the controller the rectification without delay of inaccurate or incomplete personal data. To exercise the right of rectification, the data subject typically has to write to the controller of the processing operation.

Right to object

According to Regulation (EU) 2018/1725 "The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (a) of Article 5(1), including profiling based on that provision. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims."

The data subject may use automated means by technical specifications in order to exercise their right to object in the context of the use of information society services, without prejudice to Articles 36 and 37 (see Article 23 sub (3) of Regulation (EU) 2018/1725 ).

Right to restriction of processing

Restriction of processing means the marking of stored personal data with the aim of limiting processing in the future.

Personal data restricted can only be processed with the data subject's consent, for purposes of proof, or or for the protection of the rights of a third party, or for reasons of important public interest of the Union or of a Member State.

Special categories of personal data

Special categories of personal data include data that reveals "racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural's sex life or sexual orientation" (Article 10 of Regulation (EU) 2018/1725; Article 9 of the GDPR)

The processing of such information is in principle prohibited, except in specific circumstances. It is possible to process sensitive data for instance if the processing is necessary for the purpose of medical diagnosis, or with specific safeguards in the field of employment law, or with explicit consent of the data subject.

Standard contractual clauses (SCC)

Standard contractual clauses are legal tools to provide adequate safeguards for data transfers from the EU or the EEA to third countries.

The European Commission has adopted three Decisions declaring Standard Contractual Clauses to be adequate, and therefore, companies can incorporate the clauses into a transfer contract when they need to use SCCs.

Security breach

A breach of security occurs where a stated organisational policy or legal requirement regarding information security has been violated. However, every incident which suggests that the confidentiality, integrity or availability of the information has been compromised can be considered a security incident. Every security breach will always be initiated by a security incident which, only if confirmed, may become a breach.

Third country

A third country is a country which is not bound by the General Data Protection Regulation (GDPR) - as opposed to the 28 Member States of the EU and the three EEA countries Norway, Liechtenstein and Iceland.

Third countries may be recognised as offering an adequate level of protection for personal data in order to enable transfers of personal data from the EU and EEA Member States to them, which means that personal data can flow from the EU and EEA Member States to that country. Trace® shows you which countries are adequate and by using our data modelling tool you can uncover whether your data resides in an adequate country.