<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=5678177&amp;fmt=gif">

Data Privacy Glossary

Knowing the key terms from the data privacy jargon is the starting point for becoming compliant. Scroll through the terms, and learn the new language.


Aggregate consumer information

Means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. “Aggregate consumer information” does not mean one or more individual consumer records that have been de-identified.

Anonymization (anonymisation)

The process of rendering personal data anonymous.

Anonymized (anonymised) data

Information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.


Biometric data

An individual’s physiological, biological or behavioral characteristics that can be used or are intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.


A sole or joint ownership, partnership, corporation, association, or any other legal entity whose operations are for profit or financial gain and which, either alone or in combination with others, collects and/or processes personal data of individuals.

The informed, unambiguous and freely given permission of data subjects to have data relating to them processed.


A natural person who is a resident of one of the U.S. States.


A person to whom a business makes available the personal information of consumers for business purposes, based on a written contract between the two parties.

Data breach

A breach of security that causes accidental or intentional loss, destruction, disclosure or access to processed or transmitted personal data. Also called “Security incident” in some legislations.

Data breach notification

A communication sent by the data controller to the Data Protection Authority, and in specific cases to the data subject, in clear and plain language, about the nature of a data breach that has occurred, and of the security measures employed to prevent any harm towards the data subject.

Data controller

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data processor

The natural or legal person, public authority or other body which processes data on behalf of the controller.

Data protection authority

An independent public authority, in charge of monitoring the application of a country’s data protection law and its regulations, of issuing guidelines on said application, of handling complaints lodged for violations of the law, and in some cases issuing corrective measures and applying sanctions for violations. Also called “National Authority” or “Supervisory Authority”.

Data protection impact assessment

The process through which risks posed against the security of personal data processing are analyzed, identified and minimized, before the actual processing starts.

Data protection officer

An independent data protection expert, appointed by each organization to monitor its compliance with the data protection laws under which its activities fall, who acts as a point of contact for data subjects as well as for the relevant authorities.

Data subject

Any living individual whose personal data is collected, held or processed by an organization.

Data subject request

A request made by a data subject for the exercising of one or more of their rights, granted to them by the relevant data protection law.

Data subject rights

A series of rights granted to data subjects with regards to their personal information which organizations have to take into account when collecting and/or processing personal data.


An organized set of personal data that are subject to processing or processing, electronic or not, regardless of the modality of their formation, storage, organization or access.

International data transfer

Transfer of personal data to a foreign country or to an international entity of which the country is a member. In the European Union, for example, international data transfer would take place when data is transferred or accessed from a third country, which is not a member of the European Union. Under some legislations, data transfers are subject to restrictions and specific security measures.

International organization

An organization and its subordinate bodies regulated by the public international law, or a body established based on an agreement between at least two countries.

Main establishment

For controllers with establishments in more than one Member State, it is the central administration place in the Union, unless the processing decisions are taken in another establishment which in this case will be considered the main establishment. For processors with establishments in more than one Member State, it is the central administration place in the Union, unless the processor doesn’t have a central administration, in which case the main establishment will be the place where the main processing activities are performed.

Opt in

The indication of a data subject’s consent towards the processing of their personal data, which can mean any type of provision of their personal data, for example, subscribing to newsletters/emails, or accepting cookies.

Opt out

The indication of a data subject’s refusal or withdrawal of consent as regards the processing of their personal data.


A business, enterprise, or any other entity that collects and/or processes personal data of individuals.


The number of times a webpage has been loaded or viewed by visitors. They help measure a page’s popularity and user engagement. Distinct from website visitors, pageviews indicate the total views of a specific page, while visitors represent the number of unique individuals who access the website.

Personal data

Any information related to an identified or identifiable data subject (natural person).

Precise geolocation data

Information that is derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a set radius.

Privacy policy or privacy notice

A type of public document that discloses and explains how and why an organization collects and processes personal data, informs data subjects about their rights with respect to their personal data, as well as how to exercise those rights.


Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


Any form of automated processing of personal data that consists of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

Pseudonymization (pseudonymisation)

A technique of processing data or storing data in such a way that this data can no longer be linked to a specific individual, without the use of additional information. Usually achieved by replacing specific attributes or generalizing the data.


A recipient is a natural or legal person, public authority or other body to which personal data is disclosed.


A natural or legal person established in the country, appointed by the data processor or controller, who is not based locally, to represent him with respect to the obligations under the regulation applicable in said country.


“Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

Sensitive personal information

Personal information that reveals: (a) consumer’s social security, driver’s license, state identification card, or passport number; (b) A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (c) A consumer’s precise geolocation; (d) A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; (e) he contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication; (f) A consumer’s genetic data; (g) health related data.

Service provider

Means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.


The action of sharing, disclosing, disseminating, making available, transferring or communicating a data subject’s personal information, by an organization to a third party.

Special category data

Special category data is personal data that needs more protection because of its sensitivity. Such data is also subject to specific restrictions under some data protection legislation, including, but not limited to the GDPR. Special category data is also referred to as sensitive data sometimes and includes: data revealing racial or ethnic origin, political opinions, religious and philosophical beliefs, data revealing trade union membership, genetic data, biometrica data, data concerning health, as well as data concerning sex life and sexual orientation.

Third party

A natural or legal person that is not the controller or the processor, but who is authorized by them to process personal data.


The transmission of personal data of a data subject from one organization to another, or from one country to another, whether directly by the data controller or indirectly by the data subject who receives their data in an easily accessible format, which they can then take to another organization.

Unique identifier

A persistent identifier that can be used to recognise a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.

Verifiable consumer request

A request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify, pursuant to regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185 to be the consumer about whom the business has collected personal information.
illustration of means of contact

See Clym in Action

Speak with one of our experts and see how Clym can be a difference maker for your compliance strategy.

Book a Demo