63 terms explained in plain language. From GDPR to cookies — understand the language of digital privacy.
The irreversible process of altering data so that individuals can no longer be identified, even indirectly.
A determination by the European Commission that a non-EU country provides an adequate level of data protection.
Application Programming Interface — a way for software systems to communicate with each other programmatically.
A chronological record of system activities that provides evidence of who did what, when, and why.
Internal data protection policies approved by a supervisory authority for multinational corporations to transfer data within their group.
The legal obligation to inform authorities and affected individuals when a personal data breach occurs.
A freely given, specific, informed, and unambiguous indication of agreement to data processing.
The California Consumer Privacy Act — a US state law giving California residents control over their personal information.
The California Privacy Rights Act — an amendment to the CCPA that expanded consumer rights and created the California Privacy Protection Agency.
Special data protection rules that apply when processing personal data of children — GDPR sets the baseline at age 16.
A small text file stored by your browser that lets websites remember information between page visits.
The transfer of personal data from one country to another — subject to special rules under the GDPR.
A document that explains what cookies and similar technologies a website uses, their purpose, and how users can control them.
The entity that determines the purposes and means of processing personal data.
An entity that processes personal data on behalf of a data controller.
The identified or identifiable person whose personal data is being processed.
The principle that only the minimum amount of personal data necessary should be collected and processed.
The right to receive your personal data in a structured, machine-readable format and transfer it to another service.
A security incident that leads to the unauthorized access, disclosure, or loss of personal data.
Data Protection Impact Assessment — a risk assessment required before high-risk data processing activities.
Data Protection Officer — an independent expert responsible for monitoring an organisation's data protection compliance.
The policies and practices governing how long personal data is stored before being deleted or anonymized.
A legally binding contract between a data controller and a data processor that governs how personal data is handled.
The EU directive that regulates cookies, electronic communications, and online tracking — complements the GDPR.
The process of converting data into a coded form so that only authorised parties can read it.
A cookie set by the website you are currently visiting — used for authentication, preferences, and site functionality.
A tracking technique that identifies users by collecting unique characteristics of their browser and device — without using cookies.
The General Data Protection Regulation — the EU's comprehensive data protection law, effective since May 2018.
An international standard for information security management systems (ISMS) — the most widely recognised security certification.
Two or more controllers who jointly determine the purposes and means of processing personal data.
A legal basis for processing data when the controller's interest outweighs the data subject's rights.
The lawful ground under which personal data may be processed — the GDPR defines six possible bases.
A browser API that lets websites store data on your device with no expiration date — similar to cookies but with more capacity.
Any information that can identify a living individual, directly or indirectly.
Personal data must be collected for specified, explicit purposes and not further processed in an incompatible way.
An approach that embeds privacy protections into systems and processes from the start, rather than adding them later.
Processing personal data so it can no longer be attributed to a specific person without additional information kept separately.
Any form of automated processing of personal data to evaluate or predict aspects of a person's behaviour, preferences, or characteristics.
A document informing individuals about how their personal data is collected, used, and protected — often used interchangeably with privacy policy.
A cookie that remains on your device until it expires or you manually delete it.
Payment Card Industry Data Security Standard — a set of security requirements for organisations that handle credit card data.
A systematic process for evaluating how a project or system will affect the privacy of individuals.
A public document that explains how an organisation collects, uses, stores, and shares personal data.
A former EU–US data transfer framework invalidated by the Court of Justice of the EU in 2020 — replaced by the Data Privacy Framework.
The right to have your personal data deleted — also known as the "right to be forgotten."
The right to obtain a copy of your personal data and information about how it is processed.
A written record of all processing activities carried out by a data controller or processor — required under GDPR Article 30.
Personal data should be kept only for as long as necessary for its stated purpose.
Pre-approved contract terms for transferring personal data from the EU to countries without an adequacy decision.
An independent public authority responsible for monitoring the application of data protection law in its jurisdiction.
A temporary cookie that is deleted automatically when you close your browser.
An analytics approach where data is collected on the server rather than in the user's browser, offering more control over what data is shared.
A compliance framework for service organisations based on five trust service criteria: security, availability, processing integrity, confidentiality, and privacy.
A third party engaged by a data processor to process personal data on behalf of the data controller.
A cookie set by a domain other than the website you are visiting — commonly used for cross-site tracking and advertising.
A tiny, invisible image embedded in a web page or email to track user behaviour such as page views and email opens.
Transport Layer Security — the protocol that encrypts data in transit between your browser and a website (the "S" in HTTPS).
Replacing sensitive data with a non-sensitive placeholder (token) that has no exploitable value on its own.
A legal agreement between a service provider and its users, defining the rules and conditions for using the service.
Another name for a tracking pixel — a small object embedded in content that enables tracking of user activity.
An automated HTTP callback that sends real-time data to another system when a specific event occurs.