Frequently Asked Questions

The EDPB regularly publishes press releases, news items, blogs and other content on the EDPB website and its social media channels (Twitter: @EU_EDPB; Linkedin: European Data Protection Board) to keep the data protection community and the general public up-to-date with its work.

The EDPB website also has two RSS feeds, which you can subscribe to for automatic updates on EDPB news and the EDPB’s latest publications.

If you believe your data protection rights have been violated you can contact the organisation holding your data, contact your national data protection authority (DPA), or go to a national court.

DPAs can conduct investigations and impose sanctions where necessary. You can find the contact details for all EEA DPAs here.

The GDPR puts in place clear procedures in case of a data breach. If a data breach poses a risk, companies and organisations holding your data have to inform the relevant data protection authority within 72 hours or without undue further delay. If the leak poses a high risk to you, then you must also be informed personally.

For more information on data breaches, please consult the EDPB Data Protection Guide for small business.

We are constantly working on the translation of our documents into the official EU languages.
All static content, as well as press releases and documents officially adopted by the Board, such as Guidelines, will be made available in these languages.

This process takes time and various steps need to be completed in order to provide translations of the best quality.

Please note that documents undergoing public consultation are usually not translated. It is only after the public consultation has been concluded and a final version of the document has been adopted by the Board that these documents will be translated.

Every organisation, regardless of the their size or sector, established in the European Economic Area (EEA) or offering products or services to individuals in the EEA, processing personal data whether or not by automated means needs to comply with the GDPR. The GDPR applies to the automated processing of personal data and to processing operations carried out manually from the moment the paper files are organised in a systematic manner, e.g. ordered alphabetically in a filing cabinet.

Examples of processing operations include collecting, recording, organising, using, modifying, storing, disclosing, altering and erasing individuals’ personal data.

Nevertheless, the application of the GDPR is modulated according to the nature, context, purposes and risks of the processing operations carried out. For SMEs whose core business is not the processing of personal data, the obligations can be less strict than for a large company.

When a Lead Supervisory Authority (LSA) issues a draft decision, it consults the Concerned Supervisory Authorities (CSAs), which can express their disagreement with the draft decision by submitting relevant and reasoned objections (RRO) within a period of four weeks (Art. 60.4 GDPR).
When none of the CSAs objects, the LSA may proceed to adopt the decision.

In case at least one of the CSAs has expressed an RRO, and if the LSA intends to follow the objection, it shall submit a revised draft decision to all the CSAs. The CSAs then have a period of two weeks (Art. 60.5 GDPR) to express their RROs to the revised draft decision.

However, if the LSA does not intend to follow the objection(s), since no consensus can be reached, the consistency mechanism is triggered. This means that the LSA is obliged to refer the case to the European Data Protection Board (EDPB) and the dispute resolution role of the EDPB is activated (Art. 65.1(a) GDPR).

The dispute resolution mechanism can be triggered in two further cases:

• there is a disagreement as to which authority is the LSA (Art. 65.1(b) GDPR);
• an SA does not seek the opinion of the EDPB as obliged under Art. 64.1 GDPR or does not follow such an opinion (Art. 64.1 - 2 GDPR) (Art. 65.1(c) GDPR).

The dispute resolution mechanism triggered under Art.65.1 (a) and (b) GDPR contributes to the good functioning of the cooperation mechanism by addressing any disagreements Concerned Supervisory Authorities (CSAs) may have in a given case or if there are conflicting views as to which authority is the Lead Supervisory Authority (LSA).
The EDPB will act as a dispute resolution body. It must adopt a decision to address the conflict between the involved Data Protection Authorities (DPAs), which is binding on them (Art. 65 GDPR). The decision is adopted by a two-thirds majority of the members of the Board, and in case a decision cannot be adopted within 2 months, the decision is adopted within the next 2 weeks by a simple majority.

Once the Lead Supervisory Authority (LSA) or, in some cases the Concerned Supervisory Authority (CSA), with which the complaint was lodged has notified the EDPB of the date its final decision was communicated to the controller or processor and, where relevant, to the complainant, the EDPB will publish its own decision on its website.

The EDPB brings together the EU DPAs and the European Data Protection Supervisor (EDPS). The EEA EFTA countries (Iceland, Liechtenstein and Norway) are also members with regard to GDPR-related matters and without the rights to vote and to be elected as chair or deputy chair. The European Commission and - with regard to GDPR-related matters - the EFTA Surveillance Authority have the right to participate in the activities and meetings of the Board without voting rights.

You can find an overview of the EEA DPAs here.

As addressees of the EDPB decisions, the relevant Data Protection Authorities (DPAs) that wish to challenge these decisions can bring an action for annulment before the European Court of Justice (CJEU) within two months of being notified.