You should respond without undue delay and at the latest within one month after receipt of the request. This deadline can be extended by another two months if the request is too complex and more time is needed to answer, provided that the individual is informed of this within one month after receiving the request.

You must do this free of charge.

More information:

• Respect individuals’ rights

Compliance with the GDPR is monitored by the national data protection authorities (DPAs). DPAs can conduct investigations and impose sanctions where necessary. DPAs have a number of tools at their disposal, including fines up to 20 M€ or 4% of the worldwide annual turnover whichever is higher, reprimands, and temporary or permanent processing bans.

You can find the contact details for all EEA DPAs on the EDPB website: Members

More information:

• Data Protection Authority & you

Some types of personal data belong to special categories of personal data, meaning they deserve more protection, so-called sensitive data. Sensitive data includes data that reveals information about:

• an individual’s health;
• an individual’s sexual orientation;
• an individual’s racial or ethnic origin;
• an individual’s political opinions, religious or philosophical beliefs; an individual’s trade union membership;
• an individual’s biometric and genetic data.

The processing of an individual’s sensitive data is generally prohibited, except under specific circumstances that justify its processing.

More information:

• Data protection basics

The first step to installing CCTV is to identify the purpose or purposes for doing so. The purposes for installing CCTV can be varied, such as ensuring the security of premises, aiding in the prevention and detection of theft and other crimes, or protection of the lives and health of employees, due to the nature of work.

As with any processing of personal data, the recording of individuals  must have a legal basis under the GDPR. Consent can provide a legal basis for such data processing. However, this is unlikely to apply to the use of CCTV in most cases, as it will be difficult to obtain the freely given consent of everyone likely to be recorded. The most common legal ground for this kind of processing of personal data is legitimate interest. When processing is based on a legitimate interest, you will need to carry out a balancing test to determine whether your legitimate interests outweigh individual’s rights.

You will need to inform individuals that they are being recorded. This can be done by placing easy to read signs in prominent places. In addition, a sign indicating the purpose of the CCTV system and the identity and contact details of the data controller should be placed at all entrances.

Individuals whose images are being recorded by a CCTV system should be provided with, the following information:

• the identity and contact details of the data controller;
• the purposes of the processing;
• the legal basis of the processing (if legitimate interest, specific information about which legitimate interests relate to the specific processing, and about which  entity  pursues  each  legitimate  interest.);
• the contact details of the Data Protection Officer, DPO (if there is a DPO);
• the recipients or categories of recipients of the data;
• the security arrangements for the CCTV footage;
• the retention period for CCTV footage;
• the existence of individuals’ rights under the GDPR and the right to lodge a complaint with the national data protection authority.

More information:

• Process personal data lawfully
• Respect individuals’ rights

Processing personal data means any type of activity (processing operation) performed on or with individuals’ personal data. This includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, inquiry, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

The GDPR gives individuals control over the processing of their personal data. In order to do this, transparency is key. This means you have to inform individuals whose data you process about your processing operations and the purposes. In other words, you have to explain who processes their data, but also how and why. Only if the use of personal data is 'transparent' for those involved, can they assess possible risks and make decisions about their personal data.

Under the GDPR you are obliged to share the following information with individuals:

• the identity and contact details of the controller;
• the purposes of the processing;
• the legal basis of the processing (if legitimate interest, specific information about which legitimate interests relate to the specific processing, and about which  entity  pursues  each  legitimate  interest.)
• the contact details of the controller;
• the contact details of the DPO (if there is a DPO);
• the recipients or categories of recipients of the data;
• Information on whether the data will be transferred outside the European Economic Area (EEA) (where applicable: the existence or not of an adequacy decision or reference to the appropriate safeguards and how this information can be made available to data subjects);
• the categories of personal data processed, when the data is not obtained from the individual.

In addition, the GDPR requires your organisation to provide the following information to ensure fair and transparent processing:

• the retention period or, where this is not possible, the criteria used to determine this period;
• the right to request access, erasure, rectification, restriction, objection and portability of personal data;
• the right to lodge a complaint with a data protection authority;
• if the legal basis for the processing is consent: the right to withdraw consent at any time;
• in the case of automated decision-making, relevant information about the underlying logic and the intended consequences of the processing for the data subject;
• the source of the personal data (if you did not directly receive it from the individual concerned;
• whether the individual is required to provide the personal data (by law or by contract or to enter into a contract) and what the consequences of refusing to provide the data are.

More information:

• Respect individuals’ rights

The DPO can be an existing employee with sufficient knowledge of GDPR (if the professional tasks of the employee are compatible with those of the DPO and this does not lead to conflicts of interest) or an external person. The DPO should be able to carry out tasks independently and should be able to report directly to the highest management.

More information:

• Data Protection Officer

Under the GDPR, there are, in principle, two main ways to transfer personal data to a non-EEA country or international organisation. Transfers may take place on the basis of an adequacy decision, or, in the absence of such a decision, on the basis of appropriate safeguards, including enforceable rights and legal remedies for individuals.

More information:

• International transfers

Yes, data processors (i.e. individuals or bodies that process data on behalf of a data controller), have obligations under the GDPR. There are, however, some differences between the responsibilities for data controllers and processors.

Data processors have to adhere to the responsibilities set out in the controller-processor contract, which details the processing operations and means to process personal data. For example, the processor will have to carry out the processing operations with the appropriate technical and organisational measures as instructed by the controller. In doing so, the processor assists the controller in complying with the GDPR.

More information:

• Data controller or data processor

No, you do not need to be certified to become a DPO.

DPOs must, however, be able to demonstrate that they have the necessary qualifications required by the GDPR, such as expert knowledge of data protection law and practices.

More information:

• Data Protection Officer