Key Definitions & Concepts¶
Essential privacy terminology for understanding data protection laws.
Who Is Involved¶
Data Subject¶
The individual whose personal data is being processed. This is your customer, user, or employee whose data you handle.
Data Controller¶
The organization that decides why and how personal data is processed. If you determine what data to collect and what to do with it, you are the controller.
Data Processor¶
A third party that processes personal data on behalf of the controller. Cloud providers, payment processors, and email services are common examples.
Sub-processor¶
A processor used by your processor. For example, if your email service provider uses a cloud hosting company, that hosting company is a sub-processor.
Types of Data¶
Personal Data¶
Any information that can identify a person directly or indirectly.
Direct identifiers:
- Name, email address, phone number
- Government IDs (SSN, passport)
- Photos showing faces
Indirect identifiers:
- IP addresses, device IDs, cookies
- Location data, behavioral patterns
- Employment information combined with other data
Special Category Data (Sensitive Data)¶
Personal data requiring extra protection under GDPR:
- Racial or ethnic origin
- Political opinions, religious beliefs
- Trade union membership
- Genetic and biometric data
- Health information
- Sexual orientation
Note: Processing special category data requires explicit consent or another specific legal basis.
Pseudonymized Data¶
Personal data processed so it cannot identify someone without additional information kept separately. Still counts as personal data under GDPR.
Anonymous Data¶
Data that cannot identify anyone, even with additional information. Not subject to GDPR requirements. True anonymization is difficult to achieve.
Legal Bases for Processing¶
Under GDPR, every processing activity needs a valid legal basis. Choose the most appropriate basis before you start processing.
| Legal Basis | When to Use | Example |
|---|---|---|
| Consent | Individual agrees to specific processing | Email marketing opt-in |
| Contract | Processing needed to fulfill a contract | Shipping address for order delivery |
| Legal Obligation | Required by law | Tax record retention |
| Vital Interests | Protecting life or safety | Emergency medical disclosure |
| Public Task | Official authority functions | Government agencies |
| Legitimate Interests | Business need that does not override individual rights | Fraud prevention, network security |
Consent requirements:
- Freely given (no bundling or coercion)
- Specific (separate consent for separate purposes)
- Informed (clear explanation of what you will do)
- Revocable (as easy to withdraw as to give)
Next: Privacy Principles