Frequently Asked Questions
How long do I have to respond to an access request?
You should respond without undue delay and at the latest within one month after receipt of the request. This deadline can be extended by another two months if the request is too complex and more time is needed to answer, provided that the individual is informed of this within one month after receiving the request.
You must do this free of charge.
More information:
What are cookies?
Cookies are small files stored on a device, such as a computer, a mobile device or any other device that can store information. Cookies serve a number of important functions, including remembering users and their previous interactions with a website. They can be used to keep track of items in an online shopping cart or to keep track of information when details are inserted into an online application form.
Authentication cookies are also important to identify users when they log into banking services and other online services. The information stored in cookies can include personal data, such as an IP address, a username, a unique identifier, or an email address.
What are the sanctions if my organisation does not comply with the GDPR or if my processing violates the GDPR?
Compliance with the GDPR is monitored by the national data protection authorities (DPAs). DPAs can conduct investigations and impose sanctions where necessary. DPAs have a number of tools at their disposal, including fines up to 20 M€ or 4% of the worldwide annual turnover whichever is higher, reprimands, and temporary or permanent processing bans.
You can find the contact details for all EEA DPAs on the EDPB website: Members
More information:
As a data controller I have collected individuals’ personal data from a third party, what do I need to do to be compliant?
- Make sure that the data that you received was collected legitimately and that the individuals concerned have been informed about the processing of their personal data.
- In case a third party is processing personal data on your behalf, make sure you have a controller-processor contract, which details the processing operations and means to process personal data.
And of course, comply with all the obligations of controllers.
More information:
Can I only process personal data when I have the individual’s consent?
Processing personal data is allowed if there is a legal basis for it. In addition to free, specific , informed and unambiguous consent, other legal bases for processing can be used.
In other words, consent is necessary when none of the other legal bases applies.
More information:
Can I publish the names of the winners of a competition on my organisation’s website?
Publishing the names of the winners of a competition on your website could be considered as a legitimate interest, if you can prove this by carrying out a balancing test to determine whether your legitimate interests outweigh individuals’ right.
A good practice would be to set up an internal procedure in which the rules on publishing personal data of winners are explained.
In addition, the processing of personal data for these purposes should be part of the competition’s privacy policy, so that participants are informed in advance about how their data is going to be processed.
More information:
Can I transfer personal data outside the European Economic Area (EEA)?
Under the GDPR, there are, in principle, two main ways to transfer personal data to a non-EEA country or international organisation. Transfers may take place on the basis of an adequacy decision, or, in the absence of such a decision, on the basis of appropriate safeguards, including enforceable rights and legal remedies for individuals.
More information:
Do data processors also have to respect the GDPR?
Yes, data processors (i.e. individuals or bodies that process data on behalf of a data controller), have obligations under the GDPR. There are, however, some differences between the responsibilities for data controllers and processors.
Data processors have to adhere to the responsibilities set out in the controller-processor contract, which details the processing operations and means to process personal data. For example, the processor will have to carry out the processing operations with the appropriate technical and organisational measures as instructed by the controller. In doing so, the processor assists the controller in complying with the GDPR.
More information:
Do I need to be certified to become a Data Protection Officer (DPO)?
No, you do not need to be certified to become a DPO.
DPOs must, however, be able to demonstrate that they have the necessary qualifications required by the GDPR, such as expert knowledge of data protection law and practices.
More information:
Does my organisation have to comply with the GDPR?
Every organisation, regardless of the their size or sector, established in the European Economic Area (EEA) or offering products or services to individuals in the EEA, processing personal data whether or not by automated means needs to comply with the GDPR. Even if the GDPR mainly relates to automated processing of personal data, processing operations carried out manually will also be subject to the GDPR from the moment the paper files are organised in a systematic manner, e.g. ordered alphabetically in a filing cabinet.
Examples of processing operations include collecting, recording, organising, using, modifying, storing, disclosing, altering and erasing individuals’ personal data.
Nevertheless, the application of the GDPR is modulated according to the nature, context, purposes and risks of the processing operations carried out. For SMEs whose core business is not the processing of personal data, the obligations can be less strict than for a large company.
More information: