Frequently Asked Questions

The GDPR distinguishes between two main roles: those of data controller and data processor. This distinction is crucial as the data controller bears more responsibility and has to fulfil more obligations than the processor.

Data controllers and processors can be natural or legal persons, for example: an SME, a public authority, a company, an organisation, a state body, an association etc.

A data controller determines the purposes and means of a processing operation. In other words, the controller decides the how and why of a processing operation. Whereas processors process personal data on behalf of the controller. The processing carried out by processors needs to be regulated by a contract with the data controller or other legal act.

Examples of data controllers:

  • companies that process the personal data of their customers to complete a sale;
  • financial institutions that process personal data of their clients;
  • associations that process the data of their members;
  • schools or universities that process personal data of students and teachers;
  • hospitals that process personal data of their patients;
  • government agencies that process personal data of citizens.
     

Examples of data processors:

  • an SME hires a bookkeeping service to keep its books and records, the SME is a data controller and the bookkeeping service a data processor;
  • a payroll company processes personal data for an SME. The payroll company will act as a processor if it solely processes the personal data on behalf of the SME. The SME determines the purposes and means of the data processing, and is therefore data controller.
  • an SME commissions a marketing company to collect email addresses via third-party websites.  The marketing company does this according to the explicit instructions of the SME and for the SME’s exclusive purposes. The marketing Company acts as processor for this collection.

 

More information:

No, it is not necessary to make your record of processing public. You must, however, be able to make the record available to the data protection authority upon request.

 

More information:

 

The EDPB regularly publishes press releases, news items, blogs and other content on the EDPB website and its social media channels (Twitter: @EU_EDPB; Linkedin: European Data Protection Board) to keep the data protection community and the general public up-to-date with its work.

The EDPB website also has two RSS feeds, which you can subscribe to for automatic updates on EDPB news and the EDPB’s latest publications.

Generally speaking, every organisation should keep a record of their processing activities. This is an inventory of all processing operations and can help you make correct assumptions of your responsibilities under the GDPR and possible risks.

Each of these processing operations must be described in the record with the following information:

  • the purpose of the processing (e.g. customer loyalty);
  • the categories of data processed (e.g. for payroll: name, first name, date of birth, salary, etc.);
  • who has access to the data (the recipients – e.g.: the department in charge of recruitment, the IT service, management, service providers, partners...);
  • where applicable, information related to transfers of personal data outside the European Economic Area (EEA),
  • where possible, the storage period (the period for which the data are useful from an operational point of view, and from an archiving perspective).
  • where possible, a general description of the security measures.

The record of processing activities falls under the responsibility of your organisation’s manager.

This record must be available to the data protection authority of the EEA country where you operate, if requested.

It is not required for organisations employing fewer than 250 persons to mention purely occasional activities in their record (e.g. data processed for one-off events such as the opening of a shop).

 

More information:

 

Yes, you can, but the GDPR places certain obligations on businesses which share personal data. Your organisation must inform individuals that you will share their data with a third party. You must also inform them of your purposes, security, access and the retention measures that will apply.

Personal data means any information relating to an identified or identifiable individual. An identifiable individual is anyone who can be identified, either directly or indirectly. Different pieces of information that added together could lead to the identification of a particular person also constitute personal data.

Examples of personal data include:

  • name and surname;
  • a home address;
  • an email address;
  • an ID card number;
  • location data;
  • an Internet Protocol (IP) address;
  • a cookie ID;
  • bank accounts;
  • tax reports;
  • biometric data (like fingerprint);
  • a social security number;
  • passport number;
  • test results;
  • grades in school;
  • browsing history;
  • photograph of individual;
  • vehicle registration number etc.

 

More information:

 

The GDPR applies to the use of cookies when these are used to process personal data, but there are also more specific rules for cookies included the ePrivacy Directive.

The storing of a cookie, or the gaining of access to a cookie already stored, in the terminal equipment of a user is only allowed on condition that the subscriber or user concerned has been adequately informed (in particular about the purposes of the processing) and has given their consent.

The only exception are technically necessary cookies. Organisations do not need to ask for consent when using technically necessary cookies on their websites.

 

More information:

 

The GDPR imposes obligations on all organisations that process personal data, regardless of whether they are data controllers or data processors.

In particular, you should:

  • Ask yourself if the purpose for which personal data may be collected is justified, and collect only personal data that is necessary for the specific purpose(s) envisaged;
  • Keep individuals’ personal data accurate and up to date, and delete the data when it is no longer necessary;
  • Respect individuals’ rights by informing them about how and why their data are processed, and allowing them to exercise their rights;
  • Check if you have an appropriate legal basis for the processing of personal data. In case you intend to rely on the consent of individuals, ask for their consent before processing their personal data;
  • Make sure that individuals’ personal data is handled in a secure way;
  • Maintain a record of processing operations.

Data processors will have to adhere to the responsibilities set out in the controller-processor contract, and they must not process the data otherwise than according to the controller’s instructions.

 

More information:

Processing personal data means any type of activity (processing operation) performed on or with individuals’ personal data. This includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, inquiry, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

Some types of personal data belong to special categories of personal data, meaning they deserve more protection, so-called sensitive data. Sensitive data includes data that reveals information about:

  • an individual’s health;
  • an individual’s sexual orientation;
  • an individual’s racial or ethnic origin;
  • an individual’s political opinions, religious or philosophical beliefs; an individual’s trade union membership;
  • an individual’s biometric and genetic data.

The processing of an individual’s sensitive data is generally prohibited, except under specific circumstances that justify its processing.

 

More information: