Glossary

All the terms you need to know to take care of privacy consents (and of your business)

A

Accountability

Accountability is a key principle of the GDPR that requires companies to actively ensure and demonstrate compliance with personal data protection regulations through proactive, documented, and verifiable measures. This approach aims to make companies accountable for transparent and secure personal data processing.

Authorization for Processing

Authorization for processing personal data marks the beginning of data processing for a purpose based on legal grounds other than consent, such as legitimate interest or contractual obligations. It is a key element in ensuring that all data processing activities are compliant with regulations and that data management is properly documented, not just limited to actual “consents”.


C

Consent

Consent is one of the six legal bases under the GDPR that legitimizes the processing of personal data. It is an explicit authorization provided by the data subject, which must be freely given, specific, informed, and unambiguous, with the burden of proof lying on the data controller.

Consent point of truth

The consent point of truth is a key concept in privacy management, referring to Trust Guardian’s centralized and reliable repository that gathers and stores all consents provided by data subjects and the related privacy events.


D

Data retention management

Data retention management consists of the practical management of personal data retention periods, respecting the policies set out in privacy notices for each purpose. Trust Guardian automates this process, notifying the various business systems (CRM, e-commerce platforms, marketing automation systems, etc.) when a data retention period has expired for each data subject, ensuring GDPR compliance.

Data Subject

The data subject is the identified or identifiable natural person to whom the processed personal data relates. A person is considered identifiable if they can be identified, directly or indirectly, through identifiers such as name, identification number, location data, an online identifier, or other characteristics of their identity.

Data subject rights

Data subject rights are the rights granted by the GDPR to individuals whose personal data is processed, such as the right to access, rectification, erasure, restriction of processing, data portability, and objection. These rights give individuals control over their data and help protect their privacy, while placing the burden on companies to ensure these rights can be exercised easily and promptly.


G

GDPR Compliance

GDPR compliance refers to a company’s adherence to the rules of the General Data Protection Regulation (GDPR), which governs the processing of personal data within the European Union. Being compliant means meeting all the requirements imposed by the regulation to ensure data protection and safeguard the rights of data subjects.


L

Legal basis for processing

The legal basis for processing refers to the legal reason that makes the processing of personal data lawful under the GDPR. Every data processing activity must be based on one of the six legal bases provided by the Regulation, such as the consent of the data subject, the execution of a contract, or a legal obligation.

Legitimate interest

Legitimate interest is one of the six legal bases for processing personal data that allows a company to process data without the explicit consent of the data subject, provided that the processing is necessary, and the interests or fundamental rights and freedoms of the data subject do not override it.


P

Privacy by default

Privacy by Default is a principle of the GDPR that requires data controllers to ensure that, by default, only the personal data strictly necessary for each specific purpose is processed. This approach minimizes the collection and processing of unnecessary personal data, with the goal of protecting the rights of data subjects.

Privacy By Design

Privacy by Design is a principle defined in Article 25 of the GDPR that involves integrating personal data protection into the design of processes, products, and services. This approach aims to ensure that privacy and data protection are considered from the earliest stages of development, reducing risks and ensuring compliance.

Privacy events

Privacy events encompass all actions and interactions related to the processing of a data subject’s personal information, such as data collection, updates, consent withdrawal, acknowledging a privacy notice, or exercising data subject rights.

Privacy notice

A privacy notice is a document that data controllers must provide to data subjects to inform them clearly and transparently about how their personal data will be processed. It includes information about the purposes of processing, the rights of data subjects, and the ways they can exercise these rights.

Processing of personal data

Processing of personal data refers to everything that can be done with a piece of data. For example, processing includes simply storing or viewing data. GDPR identifies 16 types of personal data processing.

Profiling

Profiling, according to Article 4 of the GDPR, is any form of automated processing of personal data used to evaluate personal aspects relating to an individual, such as work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. This processing typically relies on the data subject’s consent.


R

Right not to be subject to a decision based solely on automated processing

The right not to be subject to a decision based solely on automated processing is guaranteed by Article 22 of the GDPR. It allows individuals to avoid decisions that significantly affect them without human intervention, such as automated credit assessments or algorithm-based selections.

Right of access

The right of access is one of the fundamental rights guaranteed to data subjects by Article 15 of the GDPR, which grants them the ability to obtain information on which personal data is being processed, the purposes of the processing, the recipients of the data, and other relevant information to ensure transparency.

Right to data portability

Article 20 of the GDPR establishes the right to data portability, allowing data subjects to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit those data to another controller without hindrance.

Right to erasure (“right to be forgotten”)

The right to erasure, also known as the “right to be forgotten,” is guaranteed by Article 17 of the GDPR and allows data subjects to request the deletion of their personal data when at least one of the six situations provided for by the Regulation applies.

Right to lodge a complaint with a supervisory authority

The right to lodge a complaint with the supervisory authority is established by the GDPR (Article 77) and allows data subjects to contact the competent authority (e.g., the Italian Data Protection Authority) in case of violations of data protection rules regarding their data processing.

Right to object

The right to object is established by Article 21 of the GDPR, allowing data subjects to object to the processing of their personal data when it is related to purposes based on the legal grounds of Legitimate Interest or Public Interest, or for Direct Marketing purposes.

Right to rectification

The right to rectification is the right provided by Article 16 of the GDPR, which allows data subjects to request the data controller to correct or update their personal data if it is inaccurate or incomplete. This right upholds the principle of accuracy as stipulated in Article 5(1)(d) of the GDPR.

Right to restriction of processing

The right to restriction of processing is a right guaranteed by the GDPR (Article 18) that allows data subjects to request that the data controller limit the processing of their personal data in certain circumstances, such as when its accuracy is contested or the processing is unlawful.

Right to withdraw consent

Among the data subject rights provided by the European General Data Protection Regulation (GDPR), the one that particularly protects users’ freedom of choice is the right to withdraw consent.
According to Article 7 of the GDPR, “The data subject shall have the right to withdraw his or her consent at any time,” and the withdrawal of consent must be “as easy as giving it.”


S

Soft Spam

Soft spam refers to promotional communications sent without explicit consent but legitimized by a pre-existing contractual relationship with the customer. Privacy regulations permit this type of messaging under specific conditions, provided that the customer has the opportunity to opt out at any time, as outlined in Article 130, paragraph 4 of the Italian Privacy Code.

Special category data

Special category data refers to types of personal data that require greater protection than other data. These include sensitive information such as data related to health, racial or ethnic origin, religious beliefs, sexual orientation, and other data whose disclosure could significantly impact the data subject’s privacy.

Supervisory Authority

A supervisory authority is the public body responsible for monitoring the application of personal data protection regulations, ensuring compliance with the GDPR. In Italy, the supervisory authority is the Italian Data Protection Authority, which, among its activities, can also initiate inspections at companies to verify privacy compliance.


T

Touchpoint

A touchpoint is any point of contact between your company and your customers, both online and offline, where personal data is collected or an interaction with the customer occurs, generating privacy events. It is crucial to map, analyze, and secure every single point of contact between you and your customers, to rapidly minimize privacy risks, enhance your company’s accountability, and increase resilience to complaints and inspections.
