Built for lead generators Intake Verification Routing Payouts White-label API & webhooks
Compliance knowledge base
Compliance knowledge base, without the jargon
A whole vocabulary of abbreviations and technical terms circles around privacy and lead generation: GDPR, supervisory authority, legal basis, data processing agreement, purpose limitation. Each one has a precise meaning, but that meaning is rarely clear the first time you run into it. This knowledge base translates that jargon into plain language, from the perspective of the lead generator who has to apply it.
For each term you will find a short, accurate explanation and, where it helps, a pointer to the place on the site where we show how OXIAE has built that topic into the platform, from legal basis and consent to provenance and the audit trail. No legalistic prose, just the core of what a term means and why it matters when you run intake, matching, delivery and billing from one platform.
The General Data Protection Regulation (GDPR) is the European privacy law that governs how organisations handle personal data. The law gives people rights over their own data and places an accountability obligation on organisations: you must not only act carefully, you must also be able to demonstrate it. As a lead generator that means no loose promise, but a verifiable practice across your entire operation.
The supervisory authority (in the Netherlands the Autoriteit Persoonsgegevens) is the regulator that checks whether organisations comply with the GDPR. It can investigate, issue directions and impose fines, and publishes guidance on how the law should be interpreted in practice. In the event of a notifiable data breach, the supervisory authority is typically the body you must inform within 72 hours. A lead generator that builds its platform around those principles rarely runs into surprises.
Consent is one of the six GDPR legal bases and the most commonly used one for sharing a lead with a buyer. Valid consent is freely given, specific, informed and unambiguous: the data subject actively says yes to a concrete purpose and can withdraw that choice later. Pre-ticked boxes or silence therefore do not count. OXIAE records consent for you the moment a request comes in, with timestamp, the text shown and the source, so you as the operator can later demonstrate that the choice was genuinely informed.
A legal basis is the lawful justification on which you base a processing activity. Without a legal basis, processing personal data is simply not permitted. The GDPR recognises six legal bases, including consent, legitimate interest and the performance of a contract, and for lead generators those three are the most relevant. Which basis applies determines what you may do and what you must be able to substantiate; in OXIAE you record which basis applies to each request.
Provenance describes exactly where a lead comes from: through which form, which landing page, which campaign or which publisher a request arrived. That information is indispensable for demonstrating that a lead was obtained lawfully and that the associated consent belongs to the right source. Without recorded provenance, a lead remains a loose data point without context. OXIAE ties provenance inseparably to every request that runs through your platform, so source and consent always travel together.
An audit trail is a chronological, non-editable log of everything that has happened to a piece of data: when it arrived, how it was verified, who it was routed to and when it expired. It is the evidence behind your accountability obligation: you do not have to reconstruct anything after the fact, because the history is already there. When a data subject makes a request or a regulator asks a question, you can show exactly what happened in your platform. In OXIAE every processing step is recorded automatically and is exportable.
The controller is the party that determines why and how personal data is processed: the one who sets the purpose and the means. As a lead generator that is usually you: you run the brand, you decide which leads are acquired and to whom they are delivered. The controller bears ultimate responsibility towards data subjects and the regulator, and is the one who reports a data breach to the supervisory authority. Clear division of roles starts with the question of who fulfils this role.
A processor processes personal data solely on behalf of, and according to the instructions of, the controller. The processor therefore does not determine the purpose itself, but provides the infrastructure or service through which the processing takes place. As a platform, OXIAE acts as a processor in many cases: it processes requests on your behalf, within the limits you as the operator have set. The arrangements around this are recorded in a data processing agreement.
A sub-processor is a party that a processor engages to carry out part of the processing: think of a hosting provider or an email-delivery service. The processor remains liable to the controller for what the sub-processor does, and may only engage a sub-processor if it is bound by the same obligations. That is why every sub-processor should fall under its own data processing agreement, and you as the operator should have visibility into which parties are involved.
A Data Processing Agreement (DPA) is the contract that the controller and the processor are required to conclude. It sets out, among other things, which data is processed for which purpose, which security measures apply, how sub-processors and data breaches are handled, and what happens to the data afterwards. The GDPR mandates this agreement; without a DPA, a processor may not process data on your behalf.
Data minimisation is the principle that you do not collect more personal data than is strictly necessary for the purpose. An intake form therefore only asks for what the purpose genuinely requires; fields that do not contribute are not requested and not stored. Less data means less risk in the event of a breach, and less for you as a lead generator to protect and account for. It is a design choice best made upfront, not a clean-up exercise afterwards.
Purpose limitation means you only process personal data for the concrete, predetermined purpose for which it was collected. Simply using data obtained for one purpose for a different purpose is not permitted without a new legal basis. For lead processing this means routing, matching and delivery stay within the agreed limits and not beyond them. The purpose the data subject had in mind when giving consent is decisive, even when a lead moves through multiple buyers in your platform.
A retention period is the length of time you may keep personal data; after that it must be deleted or anonymised. The GDPR prohibits indefinite retention: you do not keep data longer than is necessary for the purpose, or than a legal obligation requires. In practice you tie a period to the status of a lead: a rejected request should not be kept as long as a delivered lead with a running guarantee period. OXIAE automatically lets data in your platform expire once the period is reached.
A data breach is a security incident in which personal data is unintentionally accessed, altered, leaked or destroyed. Not every breach needs to be reported, but a notifiable breach must, as a rule, be reported by the controller to the supervisory authority within 72 hours of discovery, and where there is high risk the data subjects must be informed too. Speed and clarity determine everything at that point, so the route should be set out in advance in your operation rather than improvised in the moment.
The data subject is the natural person the personal data relates to: behind every lead that runs through your platform is a person with rights. The GDPR grants that person, among other things, the right of access, rectification, erasure, restriction, data portability and objection. Those rights are only valuable if you as a lead generator can act on them quickly, completely and demonstrably. Because OXIAE links all data around a single person, a request becomes a matter of minutes rather than a search through separate systems.
Privacy by design is the principle that privacy protection is built into a system from the design stage, rather than bolted on afterwards. In practice it means data minimisation, legal-basis recording, retention periods and an audit trail come as standard, not as an option you have to build or switch on yourself. The GDPR names this, together with privacy by default, as an explicit obligation. OXIAE is built around this principle: the compliance building blocks are already in the foundation of the platform you license.
This knowledge base explains terms in plain language and is intended as an aid to understanding the subject matter, not as legal advice. The explanations have been prepared with care, but every processing activity is different and legislation and guidance change over time. For the assessment of your own processing activities, responsibilities and specific situation, we recommend consulting a lawyer or privacy specialist.
Necessary cookies keep the site working. We place analytics and marketing cookies only with your consent. You choose per category, and we record your choice with a timestamp.