
Glossary

Personal Data

“Personal Data” means any information relating to an identified or identifiable natural person (“data subject”). This includes names, addresses, email addresses, identifiers, eye color, or other data that can be allocated to a natural person.

It includes any data about an identifiable person, which means it can cover not only PII (a subset of personal data) but also other information that may not directly identify someone but can still be linked to them.


PII (Personally Identifiable Information)

PII refers to a specific set of data that can be used to directly identify an individual. This includes information such as names, addresses, Social Security numbers, and financial details, such as credit card numbers. PII is primarily a term used in North America in a regulatory context, referring to data that can directly identify a person.

In Europe, “Personal Data” is the term used in the context of privacy and privacy regulations. PII is a subset of the personal data relevant to the GDPR.


Processing of personal data

“Processing of personal data” means the handling/usage of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, use, disclosure by transmission, dissemination or otherwise making available, erasure, or destruction.


Special categories of personal data

In the context of the GDPR, “Special categories of personal data,” often referred to as “sensitive data,” are particularly sensitive and require special protection, as they may have a greater impact on the rights of natural persons. The GDPR treats the following as special categories:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data used to uniquely identify a natural person
  • data concerning health
  • data concerning a natural person’s sex life or sexual orientation.

If special categories are processed, enhanced protection measures (technical and organisational measures) must be applied, and a Data Privacy Impact Assessment (DPIA) must be conducted.


Controller

“Controller” means the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. Under the GDPR, the controller is accountable for fulfilling data privacy obligations.


Processor

“Processor” means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of and on the instructions of the controller. A processor must process personal data only on behalf of a controller, in accordance with the instructions set out in a Data Protection Agreement (DPA) between the controller and the processor.


Privacy by Design

“Privacy by Design” is an approach to systems engineering that emphasizes privacy throughout the design and development of systems, products, and services.


Privacy by Default

“Privacy by Default” is a principle that emphasizes the importance of ensuring that the default settings of any product or service are designed in a way to protect user data, without requiring users to change those settings to secure their data.


Personal data breach

A “personal data breach” refers to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. This includes incidents that compromise the confidentiality, integrity, or availability of personal data.


Anonymization

Anonymization is the process of rendering data irreversibly anonymous so that individuals to whom the data relate can no longer be identified under any circumstances. This means that, after anonymization, the data cannot be linked to any individual. Anonymized data is not considered personal data and is not subject to the same restrictions on processing as personal data under the General Data Protection Regulation (GDPR).

An example of anonymization is a dataset of 1 million users and their ages. If age is aggregated into four clusters (0 to 20 years, 21 to 40 years, 41 to 60 years, and 61 years and above) and only the number of users in each cluster is kept, it is not possible to identify a single user’s age.

Be aware that anonymization is very difficult to achieve and should not be mentioned as part of any activity unless it has been properly implemented.


Pseudonymization

Pseudonymization involves processing personal data so that it can no longer be directly attributed to a specific data subject without the use of additional information. For example, a customer’s name can be removed from a dataset describing former bookings, making it no longer obvious who made the bookings. If other data or just the name is added to the dataset, it can be linked again to a natural person. Pseudonymized data is entirely in the scope of GDPR, and all obligations apply. Please be aware that pseudonymization is, where applicable, required by GDPR as good practice.
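
Added example (not part of the original glossary): the difference between the Anonymization and Pseudonymization entries, shown on constructed booking records. The function names and the random-token scheme are assumptions chosen for illustration; the age clusters are the four named in the Anonymization entry.

```python
import secrets
from collections import Counter

# Constructed sample records (not real data).
BOOKINGS = [
    {"name": "Alice Example", "age": 19, "booking": "B-1001"},
    {"name": "Bob Example", "age": 34, "booking": "B-1002"},
    {"name": "Alice Example", "age": 19, "booking": "B-1003"},
    {"name": "Carol Example", "age": 67, "booking": "B-1004"},
]

def pseudonymize(records):
    """Swap each name for a random token; return the rows and a separate lookup table."""
    token_for, rows = {}, []
    for rec in records:
        if rec["name"] not in token_for:
            token_for[rec["name"]] = secrets.token_hex(8)  # random, carries no meaning
        rows.append({"subject": token_for[rec["name"]],
                     "age": rec["age"], "booking": rec["booking"]})
    # The lookup is the "additional information": store it apart from the rows.
    lookup = {token: name for name, token in token_for.items()}
    return rows, lookup

def relink(rows, lookup):
    """With the lookup table, every row is attributable to a person again."""
    return [{"name": lookup[r["subject"]], "age": r["age"], "booking": r["booking"]}
            for r in rows]

def age_cluster(age):
    """Map an age to one of the four clusters from the Anonymization entry."""
    if age <= 20:
        return "0-20"
    if age <= 40:
        return "21-40"
    if age <= 60:
        return "41-60"
    return "61+"

def anonymize_ages(records):
    """Keep one age per person, then retain only the head count per cluster."""
    age_of = {r["name"]: r["age"] for r in records}
    return dict(Counter(age_cluster(a) for a in age_of.values()))
```

The pseudonymized rows still carry one stable token per person and can be reversed with `relink`, which is why they remain personal data. The aggregated counts have no per-person rows to reverse, but with a handful of records, as here, a count of 1 can still point to one person; the glossary's example relies on 1 million users.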


Data deletion

Data deletion means destroying or removing data in such a way that it can no longer be recovered by any means.