This glossary is a quick reference for key data protection and PECR terms and abbreviations used in this guidance. It includes links to further reading and other resources that may give you useful context and more detail.
Please note, this glossary is not a substitute for reading this direct marketing guidance, the ICO’s other guidance, and associated legislation.
Automated call | A telephone call made by an automated dialling system that plays a recorded message. |
Consent | Defined in UK GDPR Article 4(11) as “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. PECR also uses this definition. Consent is also one of the UK GDPR lawful bases for processing. For more information, see our guidance on consent. |
Controller | Defined in UK GDPR Article 6(7) as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. For more information, see our guidance on controllers and processors. |
Corporate subscriber | Defined in Regulation 2(1) of PECR as “a subscriber who is (a) a company within the meaning of section 735(1) of the Companies Act 1985; (b) a company incorporated in pursuance of a royal charter or letters patent; (c) a partnership in Scotland; (d) a corporation sole; or (e) any other body corporate or entity which is a legal person distinct from its members”. |
CTPS | Corporate Telephone Preference Service. This is the statutory list of corporate subscribers who have registered a general objection to receiving live direct marketing calls. See the CTPS website for more details. |
Data subject | The identified or identifiable living person the personal information relates to. |
Direct marketing | Defined in section 122(5) of the DPA 2018 as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. |
DPA 2018 | Data Protection Act 2018. This sits alongside the UK GDPR and sets out the framework for data protection in the UK. See our guidance about the DPA 2018 for more information. |
Electronic mail | Defined in Regulation 2(1) of PECR as “any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service”. |
Individual subscriber | Regulation 2(1) of PECR defines an individual as “a living individual and includes an unincorporated body of such individuals”. This means that it includes sole traders and other organisations (eg certain types of partnership). |
Joint controller | Where two or more controllers jointly determine the purposes and means of processing. See our guidance on controllers and processors for more information. |
Legitimate interests | Legitimate interests is one of the UK GDPR lawful bases for processing personal information. It provides a lawful basis for processing where the processing is necessary for your legitimate interests or those of a third party, but only where these legitimate interests outweigh individuals’ interests, rights and freedoms. For more information see our guidance on legitimate interests. |
Live call | A telephone call where there is a live person who is speaking to the person they have called. |
MPS | Mailing Preference Service. This is a non-statutory list of those who have registered a general objection to receiving direct marketing by post. See the MPS website for more details. |
PECR | Privacy and Electronic Communications Regulations 2003 (as amended). These Regulations sit alongside the DPA 2018 and the UK GDPR. PECR gives specific privacy rights in relation to electronic communications. |
Personal data (or personal information) | Defined in UK GDPR Article 4(1) as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. For more information, see our guidance on what is personal data?. |
Privacy information | The information that controllers must provide to data subjects about the collection and use of their personal information. This information is specified in UK GDPR Articles 13 and 14. For more details, see our guidance on the right to be informed. |
Processing | Defined in UK GDPR Article 4(2) as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. |
Processor | Defined in UK GDPR Article 4(8) as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. For more information, see our guidance on controllers and processors. |
Profiling | Defined in UK GDPR Article 4(4) as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”. |
Soft opt-in | The commonly used term to describe the exception in Regulation 22(3) of PECR, which, if met, means consent is not required to send direct marketing by electronic mail. |
Special category data | Defined in UK GDPR Article 9(1) as “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation”. For more information, see our guidance on special category data. |
Subscriber | Defined in Regulation 2(1) of PECR as “a person who is party to a contract with a provider of public electronic communications services for the supply of such services”. |
Suppression list | A list of people who have told you that they do not want to receive direct marketing from you (eg by issuing an objection or unsubscribing). |
Third party | Defined in UK GDPR Article 4(10) as “a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data”. |
TPS | Telephone Preference Service. This is the statutory list of individual subscribers who have registered a general objection to receiving live direct marketing calls. See the TPS website for further information. |
UK GDPR | The United Kingdom General Data Protection Regulation. This sets out the framework for data protection in the UK along with the DPA 2018. |
User | Defined in Regulation 2(1) of PECR as “any individual using a public electronic communications service”. See the Canllaw i’r PECR for more information on a ‘public electronic communications service’. |