GDPR glossary

The GDPR is full of terms that sound similar but mean very different things. Here are the ones that come up most often when a non-EU company sorts out its EU representation — in plain English.

Controller
The organisation that decides why and how personal data is processed. The controller carries the primary responsibility for GDPR compliance.

Processor
An organisation that processes personal data on behalf of a controller — for example a hosting provider or analytics tool.

Data subject
The living individual whom the personal data is about. Data subjects in the EU hold the rights the GDPR grants.

Personal data
Any information relating to an identified or identifiable person — names, emails, IP addresses, device IDs and more.

Special category data
Sensitive data such as health, biometric or genetic data, racial or ethnic origin, political opinions, religious beliefs or sexual orientation, which receives extra protection under Article 9.

EU representative
A person or organisation established in the EU, designated under Article 27 by a non-EU controller or processor as the contact point for authorities and data subjects.

Data Protection Officer (DPO)
An independent role under Articles 37–39 that advises on and monitors GDPR compliance. Distinct from an EU representative.

Supervisory authority
A national data protection authority (DPA) that enforces the GDPR — for example Germany’s state DPAs, France’s CNIL or Ireland’s DPC.

DSAR (Data Subject Access Request)
A request from an individual to exercise a GDPR right, such as access to or erasure of their data. Often used as shorthand for any data subject request.

ROPA (Record of Processing Activities)
The Article 30 record documenting an organisation’s processing activities, which an EU representative helps make available to supervisory authorities on request.

DPIA (Data Protection Impact Assessment)
An Article 35 assessment required before processing that is likely to result in a high risk to individuals’ rights.

Lawful basis
One of the six Article 6 grounds that make processing lawful — such as consent, contract, legal obligation or legitimate interests.

Consent
A freely given, specific, informed and unambiguous indication of agreement to processing — one of the lawful bases.

Personal data breach
A security incident leading to accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of or access to personal data.

Adequacy decision
A European Commission decision that a non-EU country offers adequate data protection, allowing data transfers there without extra safeguards.

Standard Contractual Clauses (SCCs)
Pre-approved contract clauses used to legitimise personal data transfers to countries without an adequacy decision.

Article 3(2)
The GDPR’s extraterritorial scope: it applies to non-EU organisations that offer goods or services to, or monitor the behaviour of, people in the EU.

Article 27
The provision requiring in-scope non-EU controllers and processors to designate an EU representative in writing.

General information, not legal advice. Last updated 2026-05-23.

Need an EU representative?

Usantis is your official EU representative under Article 27 GDPR — €99/month, set up in about ten minutes.