The GDPR Compliance Glossary

GDPR Glossary

The GDPR was written by lawyers, so it should come as no surprise that it’s got a good bit of legal jargon sprinkled in there. Here are some of the most important terms to master.

Data Subject

A person who lives in the EU

Personal Data

Any information related to an identified/identifiable data subject (e.g., name, national ID number, address, IP address, health info)


Controller

A company/organisation that collects people’s personal data and makes decisions about what to do with it. So if you’re collecting personal data and are determining how it will be processed (for example using the HubSpot services to market to prospects and customers), you’re the Controller of that data and must comply with applicable data privacy legislation accordingly.


Processor

A company/organisation that helps a controller by “processing” data based on its instructions, but doesn’t decide what to do with data. So for example, HubSpot is the processor of the data you collect in your HubSpot portal. We don’t control how you collect or use the data; we merely process it on your behalf and on your instruction.


Processing

Any operation or set of operations which is performed on personal data or on sets of personal data, by automated means or otherwise, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Protection Officer (DPO)

A representative for a controller/processor who oversees GDPR compliance and is a data-privacy expert

Data Privacy Impact Assessment (DPIA)

A documented assessment of the usefulness, risks, and risk-mitigation options for a certain type of processing

Supervisory Authority

Formerly called “data protection authorities”; one or more governmental agencies in a member state who oversee that country’s data privacy enforcement (e.g., Ireland’s Office of the Data Protection Commissioner, Germany’s 18 national/regional authorities)

Third Countries

Countries outside the EU

Standard Contractual Clauses

The SCCs, a/k/a “model clauses”, are standardized contract language (approved by the European Commission) that is one method of permission for controllers/processors to send personal data to third countries. (The SCCs are included in Exhibit 1 of our Data Processing Agreement.)