The SaaS Law Clinic · Nicole G, Esq.
Category · 7 terms

Privacy & GDPR

GDPR, Article 28, sub-processors, cross-border transfers, and the operational artifacts behind a defensible privacy program.

Article 28
The GDPR provision that turns the DPA from a one-time negotiation into an ongoing program obligation between a controller and its processors.
Also: GDPR Article 28 · Art. 28
Data Processing Agreement (DPA)
The contract between a controller and a processor that satisfies GDPR Article 28 and locks in how personal data is handled, transferred, and protected.
Also: DPA · Data Processing Addendum
Records of Processing (Article 30)
GDPR's requirement that controllers and processors maintain a written inventory of every processing activity they perform on personal data.
Also: Article 30 · ROPA · Record of Processing Activities
Schrems II
The 2020 EU Court of Justice decision that invalidated the EU-US Privacy Shield and requires data exporters to assess third-country surveillance law before transferring personal data.
Also: Schrems II · Schrems II decision · Case C-311/18
Standard Contractual Clauses (SCCs)
EU-approved contractual terms that establish a legal basis for transferring personal data out of the EEA when no adequacy decision applies.
Also: SCCs · Standard Contractual Clauses · Module SCCs
Sub-processor
A third-party vendor that a processor engages to handle some part of personal-data processing on the controller's behalf.
Also: sub-processors · downstream processor
Transfer Impact Assessment (TIA)
The documented assessment, required after Schrems II, of whether a third country's surveillance law provides essentially equivalent protection for personal data being transferred.
Also: TIA · Transfer Impact Assessment · Data Transfer Assessment
