A controller is an individual or organization that determines the purposes and means of the processing of personal data. Controllers have primary responsibility for compliance with data protection laws and regulations and are responsible for ensuring that data subjects’ rights are respected.
A processor is an individual or organization that processes personal data on behalf of a controller. They are responsible for carrying out data processing activities according to the instructions provided by the controller and must comply with data protection laws and regulations in the performance of their tasks.
A Data Protection Officer (DPO) is a designated person within an organization who is responsible for overseeing the organization’s data protection strategy and ensuring compliance with data protection laws and regulations. The DPO acts as a point of contact between the organization, data subjects, and regulatory authorities, providing guidance and advice on data protection matters.
A data subject is an identifiable natural person to whom personal data relates. Data subjects are the individuals whose personal information is being collected, processed, stored, or otherwise used by a controller or processor. Data subjects have specific rights under data protection laws and regulations, including the right to access, correct, delete, or restrict the processing of their personal data.
Personal data refers to any information relating to an identified or identifiable natural person, also known as a data subject. This can include direct identifiers such as names, identification numbers, or addresses, as well as indirect identifiers like IP addresses, location data, or other factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
Cookies are small text files that are stored on a user’s device (e.g., computer, smartphone, or tablet) when they visit a website. Cookies are used to remember user preferences, manage online sessions, and gather information about user behavior to improve the user experience and provide personalized content. They can be categorized as first-party cookies, which are set by the website being visited, and third-party cookies, which are set by a different domain than the one being visited.
In the context of data protection, an affiliated company refers to an organization that is connected to or under common ownership or control with another organization, typically through a parent company or a subsidiary relationship. Affiliated companies often share data protection responsibilities, policies, and procedures to ensure consistent and compliant handling of personal data across their corporate group.
The European Union General Data Protection Regulation (EU GDPR) is a comprehensive data privacy legislation implemented in 2018, which aims to protect the personal data and privacy of individuals within the EU and EEA. It sets forth principles and requirements for organizations collecting, processing, and storing personal data, including obtaining user consent, enabling data portability, and ensuring data security.
The United Kingdom General Data Protection Regulation (UK GDPR) is the UK’s version of the EU GDPR, which came into effect following the UK’s departure from the EU. It shares many similarities with the EU GDPR, aiming to protect the personal data and privacy of individuals in the UK, and imposing requirements on organizations that collect, process, and store personal data.
The California Privacy Rights Act (CPRA) is a privacy law enacted in California, United States, in 2020. It amends and expands the California Consumer Privacy Act (CCPA) to further protect the privacy rights of California residents by introducing new rights, strengthening existing rights, and establishing the California Privacy Protection Agency (CPPA) to enforce compliance.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal privacy law that governs the collection, use, and disclosure of personal information in the course of commercial activities. It establishes rules for organizations to follow when handling personal data, including obtaining consent, providing access to personal information, and ensuring data security.
Cookies and similar technologies are small text files or other mechanisms, such as web beacons, pixel tags, and local storage, that are placed on a user’s device when they visit a website or use an online service. They enable websites to recognize users, remember their preferences, track their activity, and deliver personalized content and advertisements.
Data usage refers to the ways in which organizations collect, process, and utilize personal data for various purposes, such as providing services, improving user experiences, communicating with users, and complying with legal obligations. Organizations must disclose their data usage practices in their privacy policies to inform users about how their personal information is being used.
Lawful basis for processing is a concept, found in data protection regulations such as the EU GDPR and UK GDPR, that requires organizations to have a valid legal justification for collecting, processing, and storing personal data. Examples of lawful bases include user consent, contractual necessity, legal obligations, vital interests, public interest, and legitimate interests. Organizations must determine and document the lawful basis for each processing activity.