Glossary — Privacy Policies and Laws

Updated May 26, 2025

Data controller

An entity or organization that is responsible for deciding why and how personal data is processed. The data controller determines the purposes for which personal data is collected and the methods and processes used for its processing. Data controllers are primarily responsible for complying with data protection laws and ensuring that individuals' privacy rights are respected.

Data processor

An entity or organization that processes personal data as directed and authorized by a data controller, typically under a contract or legal agreement. Data processors are responsible for carrying out specific data processing activities while following the instructions and requirements set forth by the data controller.

Data sub-contractor

Often referred to as a sub-processor, a data sub-contractor is a third-party entity that a data processor may engage to assist in performing specific data processing activities. In other words, a data sub-contractor is a subcontractor to a data processor. The data sub-contractor operates under the direction and control of the data processor, which, in turn, operates under the direction and control of the data controller.

Personal information/data (PI)

Any two or more of the following that can identify someone (list not exhaustive):

  • First name
  • Middle name
  • Last name
  • Email address
  • IP Address
  • Addresses, PO Boxes
  • Date of birth
  • Gender markers
  • Image and voice
  • Languages spoken

Sensitive personal information/data (SPI)

Any of the following that can bring a risk to an individual or that could lead to discrimination (list not exhaustive):

  • Social security number
  • Credit card information
  • Bank account details
  • Ethnicity
  • Religion
  • Sexual orientation
  • Gender identity
  • Political affiliations
  • Trade unions or association memberships
  • Biometric data
  • Genetic information
  • Medical history

Explicit consent

A clear and unequivocal agreement or permission provided by an individual, usually in matters involving their personal information, bodily autonomy, or participation in specific activities.

Implicit consent

Consent that is assumed or inferred based on a person's actions, behaviours, or the circumstances surrounding a situation, rather than being explicitly stated or confirmed. However, the applicability and validity of implicit consent can vary significantly depending on the specific legal context and jurisdiction.

Privacy policy

A legal document that outlines how an entity collects, uses, shares, and protects personal data.

Terms of service

A legal document that outlines the rules, guidelines, and conditions that users must agree to and abide by when using a website, online service, or software application. These terms govern the relationship between the service provider (such as a website owner or app developer) and the users of their platform.

Data management plan

A structured document outlining how data will be collected, stored, shared, and preserved throughout a project's lifecycle. It addresses data handling, organization, security, and dissemination strategies, ensuring compliance with ethical standards and legal requirements. DMPs promote transparency and efficiency in data management, benefiting research, organizations, and compliance with data protection regulations.

Legitimate interest

One of the lawful bases for processing personal data, as outlined in Article 6(1)(f) of the GDPR. Under the GDPR, legitimate interest means that a data controller (the organization or individual determining the purposes and means of processing personal data) can process personal data without obtaining explicit consent from the data subject (the individual to whom the data belongs) if they have a valid and lawful reason for doing so, provided that this interest is not overridden by the individual's rights and interests.

Note

This is a concept of the GDPR. Law 25 is based on consent.

GDPR

The General Data Protection Regulation (GDPR) is a law from the European Union that protects people’s personal data. It gives individuals more control over how their data is collected, used, and stored by companies and organizations.

CPRA

California Privacy Rights Act. The CPRA is a privacy law in the state of California, United States, that was passed in November 2020 through a ballot initiative known as Proposition 24. The CPRA amends and expands upon the California Consumer Privacy Act (CCPA), which was the first comprehensive data privacy law in the United States.

Note

We do not need to comply with this law. Compliance with Law 25 and the GDPR is enough to cover the majority of the CPRA, and whatever minor requirements remain can be dealt with if a complaint ever occurs.

CCPA

California Consumer Privacy Act. A data privacy law that was enacted in the state of California, United States. It became effective on January 1, 2020. The CCPA is one of the most significant and comprehensive privacy laws in the United States and grants California residents certain rights and protections regarding their personal information.

Note

Does not apply to MobilityData, as the organization is well under the minimum requirements used to identify which businesses the law applies to.