Frequently Asked Questions

The GDPR puts in place clear procedures in case of a data breach. If a data breach poses a risk, companies and organisations holding your data have to inform the relevant data protection authority within 72 hours or without undue further delay. If the leak poses a high risk to you, then you must also be informed personally.

For more information on data breaches, please consult the EDPB Data Protection Guide for small business.

Der EDSA veröffentlicht regelmäßig Pressemitteilungen, Nachrichten, Blogs und andere Inhalte auf der EDSA-Website und seinen Social-Media-Kanälen (Twitter: @EU_EDPB; LinkedIn: Europäischer Datenschutzausschuss), um die Datenschutzgemeinschaft und die Öffentlichkeit über ihre Arbeit auf dem neuesten Stand zu halten.

Die EDPB-Website verfügt außerdem über zwei RSS-Feeds, die Sie für automatische Updates zu EDPB- Nachrichten und den neuesten Veröffentlichungen des EDSA abonnieren können.

Every organisation, regardless of the their size or sector, established in the European Economic Area (EEA) or offering products or services to individuals in the EEA, processing personal data whether or not by automated means needs to comply with the GDPR. The GDPR applies to the automated processing of personal data and to processing operations carried out manually from the moment the paper files are organised in a systematic manner, e.g. ordered alphabetically in a filing cabinet.

Examples of processing operations include collecting, recording, organising, using, modifying, storing, disclosing, altering and erasing individuals’ personal data.

Nevertheless, the application of the GDPR is modulated according to the nature, context, purposes and risks of the processing operations carried out. For SMEs whose core business is not the processing of personal data, the obligations can be less strict than for a large company.

Unfortunately, the EDPB cannot consider late contributions as part of the public consultation.

We are constantly working on the translation of our documents into the official EU languages.
All static content, as well as press releases and documents officially adopted by the Board, such as Guidelines, will be made available in these languages.

This process takes time and various steps need to be completed in order to provide translations of the best quality.

Please note that documents undergoing public consultation are usually not translated. It is only after the public consultation has been concluded and a final version of the document has been adopted by the Board that these documents will be translated.

No. The EDPB does not handle complaints or conduct investigations. If you believe your data protection rights have been violated you can contact the organisation holding your data, contact your national data protection authority (DPA), or go to a national court.

DPAs can conduct investigations and impose sanctions where necessary. Find the contact details for all EEA DPAs 

Under the GDPR, certification is conducted by national certification bodies or by the competent national data protection authorities (Art. 42(5) GDPR).

For further information, we recommend contacting the relevant national DPA for your organisation. You can find a overview of all EEA DPAs here.

You can find further information regarding certification in the EDPB guidelines on the topic: Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation - version adopted after public consultation

Mit der DSGVO oder der Datenschutz-Grundverordnung wird ein harmonisiertes Regelwerk geschaffen, das für die Verarbeitung personenbezogener Daten durch im Europäischen Wirtschaftsraum (EWR) ansässige Organisationen (öffentlich oder privat, unabhängig von ihrer Größe) oder für Einzelpersonen in der EU gilt. Das Hauptziel der DSGVO besteht darin, sicherzustellen, dass personenbezogene Daten überall im EWR denselben hohen Schutzstandard genießen, die Rechtssicherheit sowohl für Einzelpersonen als auch für Organisationen, die Daten verarbeiten, erhöhen und ein hohes Maß an Schutz für Einzelpersonen bieten.

Die Verordnung trat am 24. Mai 2016 in Kraft und gilt seit dem 25. Mai 2018.

The European Data Protection Supervisor (EDPS) is a Member of the European Data Protection Board. In addition, the EDPS provides the EDPB Secretariat. The Secretariat offers administrative and logistic support to the EDPB, performs analytical work and contributes to the EDPB’s tasks.

Although staff at the Secretariat is employed by the EDPS, staff members only work under the instructions of the Chair of the EDPB.

The terms of cooperation between the EDPB and the EDPS are established by the Memorandum of Understanding.

The EDPB endorsed WP29 documents are available here.

As regards the other existing WP29 documents, they may remain relevant and helpful insofar as the EDPB has not adopted new documents on the topic and/or they are compatible with the GDPR. This amounts to a case-by-case assessment.