Compliance Glossary

Standardized definitions used throughout ComplySafe compliance articles and implementation guides.

Data Controller: The entity that determines why and how personal data is processed.
Data Processor: A party that processes personal data on behalf of a controller.
Joint Controller: Two or more entities that jointly determine the purposes and means of processing.
Subprocessor: A processor engaged by another processor to perform specific processing activities.
DPIA: A Data Protection Impact Assessment used to evaluate high-risk processing operations.
TIA: A Transfer Impact Assessment evaluating risks when transferring personal data internationally.
Lawful Basis: The legal ground under GDPR that allows personal data processing.
Legitimate Interest Assessment: A documented balancing test used when relying on legitimate interests.
Data Retention Schedule: A policy defining how long each type of data is kept and when it is deleted.
Data Minimization: Collecting and processing only the minimum personal data needed for a specific purpose.
Pseudonymization: Processing data so it cannot be attributed to a person without additional information.
Anonymization: Irreversibly removing identifying elements so data can no longer identify an individual.
DSAR: A Data Subject Access Request through which users request access to their personal data.
CMP: A Consent Management Platform used to collect, store, and manage user consent choices.
High-Risk AI System: An AI system subject to stricter obligations under the EU AI Act.
Conformity Assessment: A formal process to verify that an AI system meets regulatory requirements.
Post-Market Monitoring: Ongoing monitoring of an AI system after deployment to detect issues and risks.
Model Card: Documentation that explains an AI model’s purpose, limitations, and performance context.
Human Oversight: Controls ensuring meaningful human review of AI outputs and decisions.
Risk Register: A maintained log of identified risks, impact levels, owners, and mitigation actions.
Incident Response Plan: A documented process for detecting, containing, and reporting compliance incidents.
ROPA: A Record of Processing Activities required under GDPR Article 30 in many cases.
DPO: A Data Protection Officer responsible for advising and monitoring GDPR compliance where required.
SCCs: Standard Contractual Clauses used for lawful personal-data transfers outside the EEA.
Data Portability: A right allowing users to receive and transfer their personal data in a machine-readable format.
CASP: Crypto-Asset Service Provider status under MiCA for regulated crypto activities.

For deeper coverage, visit the GDPR hub, AI Act hub, Data Act hub, and MiCA hub.

Compliance Glossary

Standardized definitions used throughout ComplySafe compliance articles and implementation guides.

Data Controller

The entity that determines why and how personal data is processed.

Data Processor

A party that processes personal data on behalf of a controller.

Joint Controller

Two or more entities that jointly determine the purposes and means of processing.

Subprocessor

A processor engaged by another processor to perform specific processing activities.

DPIA

A Data Protection Impact Assessment used to evaluate high-risk processing operations.

TIA

A Transfer Impact Assessment evaluating risks when transferring personal data internationally.

Lawful Basis

The legal ground under GDPR that allows personal data processing.

Legitimate Interest Assessment

A documented balancing test used when relying on legitimate interests.

Data Retention Schedule

A policy defining how long each type of data is kept and when it is deleted.

Data Minimization

Collecting and processing only the minimum personal data needed for a specific purpose.

Pseudonymization

Processing data so it cannot be attributed to a person without additional information.

Anonymization

Irreversibly removing identifying elements so data can no longer identify an individual.

DSAR

A Data Subject Access Request through which users request access to their personal data.

CMP

A Consent Management Platform used to collect, store, and manage user consent choices.

High-Risk AI System

An AI system subject to stricter obligations under the EU AI Act.

Conformity Assessment

A formal process to verify that an AI system meets regulatory requirements.

Post-Market Monitoring

Ongoing monitoring of an AI system after deployment to detect issues and risks.

Model Card

Documentation that explains an AI model’s purpose, limitations, and performance context.

Human Oversight

Controls ensuring meaningful human review of AI outputs and decisions.

Risk Register

A maintained log of identified risks, impact levels, owners, and mitigation actions.

Incident Response Plan

A documented process for detecting, containing, and reporting compliance incidents.

ROPA

A Record of Processing Activities required under GDPR Article 30 in many cases.

DPO

A Data Protection Officer responsible for advising and monitoring GDPR compliance where required.

SCCs

Standard Contractual Clauses used for lawful personal-data transfers outside the EEA.

Data Portability

A right allowing users to receive and transfer their personal data in a machine-readable format.

CASP

Crypto-Asset Service Provider status under MiCA for regulated crypto activities.