GDPR Glossary
Your comprehensive guide to understanding GDPR and data protection terminology
Welcome to the Marketing Titan GDPR Glossary. The General Data Protection Regulation (GDPR) introduced many technical terms that can be confusing. This glossary explains key concepts in plain language to help you understand your data protection rights and our compliance practices.
Use the alphabetical navigation below to quickly find specific terms, or scroll through to explore all definitions.
A
Anonymization
The process of removing or altering personal data so that individuals can no longer be identified, either directly or indirectly. Once data is properly anonymized, it is no longer considered personal data under GDPR and can be used without restriction.
Example: Converting individual customer purchase records into aggregate statistics (e.g., "500 customers bought Product X") where no individual can be identified.
Article 6 (Lawful Basis)
Article 6 of GDPR defines six legal grounds that make data processing lawful: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. Organizations must have at least one of these bases to process personal data legally.
Example: Marketing Titan processes your payment information under "contract performance" (to fulfill our service agreement) and may send marketing emails based on "consent" or "legitimate interests."
B
Binding Corporate Rules (BCRs)
Internal policies adopted by multinational companies to allow the transfer of personal data from the EU to their affiliates in countries without adequate data protection laws. BCRs must be approved by relevant data protection authorities.
Example: A global corporation with offices in the EU, US, and Asia uses BCRs to legally transfer employee data between its international offices.
Breach Notification
The legal requirement to notify supervisory authorities (within 72 hours) and affected individuals about personal data breaches that pose a risk to people's rights and freedoms. Notifications must include the nature of the breach, likely consequences, and measures taken.
Example: If a hacker gains access to customer email addresses and passwords, we must notify the relevant data protection authority within 72 hours and inform affected customers.
C
Consent
A freely given, specific, informed, and unambiguous indication of an individual's agreement to the processing of their personal data. Consent must be obtained through a clear affirmative action (not pre-ticked boxes) and can be withdrawn at any time.
Example: When you check a box that says "I agree to receive marketing emails from Marketing Titan," you're giving explicit consent. You can withdraw this consent anytime by clicking "unsubscribe."
Controller (Data Controller)
The organization or person that determines the purposes and means of processing personal data. The controller makes decisions about why and how personal data is processed and is primarily responsible for GDPR compliance.
Example: When you use Marketing Titan to send marketing campaigns, you are the data controller (deciding what data to collect and how to use it), and we are the data processor (processing data on your behalf).
D
Data Breach
A security incident that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. Breaches can result from hacking, human error, lost devices, or system failures.
Example: An employee accidentally emails a customer list to the wrong recipient, a hacker gains access to your database, or a laptop containing customer data is stolen.
Data Minimization
A GDPR principle requiring that only personal data that is adequate, relevant, and limited to what is necessary for the specified purpose should be collected and processed. Organizations should not collect "just in case" data.
Example: If you only need a customer's email address to send newsletters, you shouldn't require their phone number, date of birth, and home address during signup.
Data Processing Agreement (DPA)
A legally binding contract between a data controller and data processor that defines the terms, scope, and obligations for processing personal data. Required under GDPR Article 28 whenever a processor handles personal data on behalf of a controller.
Example: Marketing Titan's DPA with customers outlines how we process customer data, security measures we implement, and our obligations regarding data subject rights.
Data Protection Authority (DPA)
An independent public authority responsible for monitoring and enforcing GDPR compliance within a specific EU member state. Also called supervisory authorities, they investigate complaints, conduct audits, and can impose fines for violations.
Example: The CNIL in France, ICO in the UK, and BfDI in Germany are all data protection authorities. If you have a complaint about how we handle your data, you can contact your local DPA.
Data Protection Impact Assessment (DPIA)
A process to identify and minimize data protection risks of a project or processing activity, especially when using new technologies or processing that is likely to result in high risk to individuals' rights and freedoms. Required for high-risk processing under GDPR Article 35.
Example: Before launching a new AI-powered customer profiling feature, we would conduct a DPIA to assess privacy risks and implement appropriate safeguards.
Data Protection Officer (DPO)
An expert on data protection who monitors GDPR compliance within an organization. Required for public authorities and organizations that engage in large-scale systematic monitoring or process special categories of data. The DPO acts as a point of contact for data subjects and supervisory authorities.
Example: Marketing Titan's DPO oversees our data protection practices, conducts training, and is available to answer your privacy questions at dpo@marketingtitan.ai.
Data Subject
Any identified or identifiable natural person whose personal data is being processed. In simple terms, the individual person that the data is about. Data subjects have specific rights under GDPR.
Example: If you're a Marketing Titan customer, you are a data subject regarding your account information. Your customers whose data you process through our platform are also data subjects.
Data Subject Access Request (DSAR)
A formal request from an individual to access their personal data held by an organization. Under GDPR Article 15, organizations must respond within one month, providing a copy of the data and information about how it's being processed.
Example: You can submit a DSAR to Marketing Titan to receive a copy of all personal data we hold about you, including account information, usage logs, and support communications.
E
Encryption
A security measure that converts data into a coded format that can only be read by someone with the decryption key. GDPR considers encryption an appropriate technical measure to protect personal data.
Example: Marketing Titan encrypts all customer data in transit using TLS 1.3 and at rest using AES-256 encryption, ensuring data remains secure even if intercepted or accessed without authorization.
F
Filing System
Any structured set of personal data accessible according to specific criteria, whether centralized, decentralized, or dispersed. GDPR applies to both automated (digital) and manual (paper) filing systems.
Example: A digital customer database, a spreadsheet of email addresses, or even a physical filing cabinet with customer records organized alphabetically all qualify as filing systems under GDPR.
G
GDPR (General Data Protection Regulation)
A comprehensive data protection law that came into effect on May 25, 2018, across the European Union. It regulates how organizations collect, use, store, and protect personal data of EU residents, with strict requirements and significant penalties for non-compliance.
Example: GDPR gives you rights like accessing your data, requesting deletion, and objecting to processing. Organizations can be fined up to €20 million or 4% of annual global turnover for serious violations.
I
International Data Transfer
The transfer of personal data from the EU/EEA to countries outside the region. GDPR restricts such transfers unless the destination country has adequate data protection laws or appropriate safeguards (like Standard Contractual Clauses) are in place.
Example: Marketing Titan, based in the US, uses EU-approved Standard Contractual Clauses to legally transfer and process personal data of EU customers on our US servers.
L
Legal Basis
The lawful justification for processing personal data under GDPR Article 6. Every processing activity must have at least one of six legal bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests.
Example: Marketing Titan processes your payment information based on "contract" (to provide services), your email for support based on "legitimate interests," and marketing emails based on "consent."
Legitimate Interests
One of the six legal bases for processing personal data under GDPR. Organizations can process data when they have a legitimate reason that doesn't override the individual's rights and interests. Requires a balancing test to ensure fairness.
Example: We may process your email address to send service updates and security alerts based on legitimate interests (keeping you informed about your account), even without explicit consent.
P
Personal Data
Any information relating to an identified or identifiable natural person. This includes obvious identifiers like names and email addresses, but also IP addresses, cookie identifiers, location data, and even pseudonymized data if the person can be re-identified.
Example: Your name, email address, phone number, IP address, account preferences, usage patterns, and even your customer ID are all personal data under GDPR.
Privacy by Design
A GDPR principle requiring that data protection measures be integrated into systems and processes from the outset, rather than added as an afterthought. Organizations must consider privacy implications during the design phase of any project.
Example: When developing new features, Marketing Titan conducts privacy assessments, implements data minimization, and builds in user controls before launch rather than retrofitting privacy measures later.
Processing
Any operation performed on personal data, whether automated or manual. This includes collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, and destruction. Essentially, anything you do with personal data is "processing."
Example: When you upload a customer list to Marketing Titan, send an email campaign, view analytics, or delete contacts, you're processing personal data.
Processor (Data Processor)
An organization or person that processes personal data on behalf of a data controller. Processors must follow the controller's instructions and implement appropriate security measures. They have direct obligations under GDPR.
Example: Marketing Titan acts as a data processor when we process your customers' data according to your instructions. Our cloud hosting provider is a sub-processor that processes data on our behalf.
Pseudonymization
Processing personal data in a way that it can no longer be attributed to a specific person without additional information, which is kept separately and subject to security measures. Unlike anonymization, pseudonymized data is still considered personal data under GDPR.
Example: Replacing customer names with unique IDs (Customer_12345) in analytics reports, where the mapping between IDs and names is stored securely in a separate database.
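As an added illustration of the distinction drawn in the Anonymization and Pseudonymization entries (example code written for this glossary, not Marketing Titan's own implementation), the following Python script pseudonymizes a constructed purchase log by swapping names and emails for random Customer_ IDs held in a separate lookup table, and separately produces the aggregate counts that anonymization yields. The record layout, the field names, the 6-byte random token and the k=2 suppression threshold are all assumptions made for the example.

```python
import secrets
from collections import Counter

# Constructed sample data for this example (fictional customers, not real records).
PURCHASES = [
    {"name": "Alice Example", "email": "alice@example.com", "product": "Product X"},
    {"name": "Bob Example",   "email": "bob@example.com",   "product": "Product X"},
    {"name": "Carol Example", "email": "carol@example.com", "product": "Product Y"},
    {"name": "Alice Example", "email": "alice@example.com", "product": "Product Y"},
    {"name": "Dan Example",   "email": "dan@example.com",   "product": "Product Z"},
]

# Fields that identify a person directly (assumed for this example).
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymize(records):
    """Replace direct identifiers with a random Customer_<token> ID.

    Returns the pseudonymized records and a lookup table mapping each ID back
    to the person. The lookup table is the "additional information" the GDPR
    definition refers to: it must live in a separate, access-controlled store,
    never next to the analytics data. The same email always receives the same
    ID within one run so repeat customers can still be counted.
    """
    id_for_email = {}
    lookup = {}
    out = []
    for r in records:
        pid = id_for_email.get(r["email"])
        if pid is None:
            # 48 random bits: not sequential, not guessable, not derived from the data.
            pid = "Customer_" + secrets.token_hex(6)
            id_for_email[r["email"]] = pid
            lookup[pid] = {"name": r["name"], "email": r["email"]}
        out.append({"customer_id": pid, "product": r["product"]})
    return out, lookup


def reidentify(record, lookup):
    """Re-identification is only possible for whoever holds the lookup table."""
    return lookup[record["customer_id"]]


def leaks_direct_identifiers(records):
    """True if any record still carries a direct identifier field."""
    return any(k in r for r in records for k in DIRECT_IDENTIFIERS)


def anonymize(records, k=2):
    """Aggregate into per-product counts, dropping groups smaller than k.

    A count of 1 ("1 customer bought Product Z") can still point at a single
    person, so small groups are suppressed. The output carries no IDs at all,
    so nothing in it can be linked back even by someone holding the lookup table.
    """
    counts = Counter(r["product"] for r in records)
    return {product: n for product, n in counts.items() if n >= k}


if __name__ == "__main__":
    pseudo, lookup = pseudonymize(PURCHASES)
    print(pseudo[0])                      # customer_id is a fresh random token each run
    print(reidentify(pseudo[0], lookup))  # Alice's name and email, via the separate table
    print(anonymize(PURCHASES))           # {'Product X': 2, 'Product Y': 2}
```

The pseudonymized records remain personal data precisely because the lookup table exists; the security measure the definition calls for is keeping that table on a separate system with its own access control and logging. The aggregate output from anonymize() needs no such table and, once small groups are suppressed, can be shared more freely.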
Purpose Limitation
A GDPR principle requiring that personal data be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. Organizations must be clear about why they're collecting data.
Example: If you collect email addresses "to send newsletters," you cannot later use those same addresses for telemarketing without obtaining new consent for that different purpose.
R
Right to Access
The right of data subjects to obtain confirmation of whether their personal data is being processed and, if so, to access that data along with information about the processing. Organizations must respond within one month.
Example: You can request a copy of all personal data Marketing Titan holds about you, including account details, usage logs, and support communications.
Right to Data Portability
The right to receive personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller. Applies only to data processed based on consent or contract and by automated means.
Example: You can export your customer lists, campaign data, and analytics from Marketing Titan in CSV or JSON format to transfer to another marketing platform.
Right to Erasure (Right to be Forgotten)
The right to have personal data deleted in certain circumstances, such as when data is no longer necessary for its original purpose, consent is withdrawn, or data was unlawfully processed. Organizations must comply unless they have legitimate grounds to retain the data.
Example: You can request deletion of your Marketing Titan account and all associated personal data. We will delete it within 30 days unless we're legally required to retain certain records (e.g., financial data for tax purposes).
Right to Object
The right to object to processing of personal data based on legitimate interests, direct marketing, or processing for research/statistical purposes. Organizations must stop processing unless they can demonstrate compelling legitimate grounds that override the individual's interests.
Example: You can object to receiving marketing emails from Marketing Titan at any time by clicking "unsubscribe," and we must stop sending them immediately.
Right to Rectification
The right to have inaccurate personal data corrected and incomplete data completed. Organizations must respond to rectification requests within one month and notify any third parties to whom the data was disclosed.
Example: If your name or email address is incorrect in your Marketing Titan account, you can update it directly in your account settings or request that we correct it.
Right to Restriction
The right to limit the processing of personal data in certain circumstances, such as when accuracy is contested, processing is unlawful but deletion is not wanted, or data is needed for legal claims. Restricted data can only be stored, not actively processed.
Example: If you dispute the accuracy of your account information, you can request that we restrict processing of that data while we verify its accuracy.
Right to Withdraw Consent
When processing is based on consent, individuals have the right to withdraw that consent at any time. Withdrawal must be as easy as giving consent, and organizations must stop processing once consent is withdrawn (though prior processing remains lawful).
Example: If you consented to marketing emails, you can withdraw consent by clicking "unsubscribe" in any email or updating your preferences in your account settings.
S
Special Categories of Personal Data
Sensitive personal data that reveals racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation. Processing this data is generally prohibited unless specific conditions are met.
Example: Health information, biometric data for authentication, or genetic test results are special categories requiring extra protection and explicit consent or other specific legal basis.
Standard Contractual Clauses (SCCs)
Pre-approved contract templates issued by the European Commission that provide adequate safeguards for international data transfers from the EU to countries without adequate data protection laws. Also called Model Clauses.
Example: Marketing Titan uses EU-approved Standard Contractual Clauses to legally transfer personal data from our EU customers to our US servers, ensuring GDPR-level protection.
Sub-processor
A third-party processor engaged by a data processor (not the controller) to carry out specific processing activities. The original processor remains liable for the sub-processor's compliance and must obtain controller authorization.
Example: Marketing Titan (as processor) uses AWS as a sub-processor for cloud hosting. We maintain a list of sub-processors and notify customers of any changes.
Supervisory Authority
An independent public body established by an EU member state to monitor and enforce GDPR compliance. Also called Data Protection Authorities (DPAs), they handle complaints, conduct investigations, and can impose fines.
Example: If you believe Marketing Titan is violating GDPR, you can file a complaint with your local supervisory authority, such as the ICO (UK), CNIL (France), or BfDI (Germany).
T
Third Country
Any country outside the European Economic Area (EEA). Transferring personal data to third countries requires additional safeguards unless the country has been deemed to have adequate data protection laws by the European Commission.
Example: The United States is a third country. Marketing Titan uses Standard Contractual Clauses to ensure GDPR-compliant transfers of EU customer data to our US infrastructure.
Transparency
A core GDPR principle requiring that information about data processing be provided in a clear, concise, and easily accessible manner using plain language. Organizations must be open and honest about how they collect and use personal data.
Example: Marketing Titan's Privacy Policy clearly explains what data we collect, why we collect it, how we use it, and your rights, written in plain language rather than complex legal jargon.
Need More Information? This glossary covers the most common GDPR terms, but data protection law is complex and constantly evolving. For specific questions about your rights or our data practices, please contact our Data Protection Officer at dpo@marketingtitan.ai or review our comprehensive Privacy Policy.