Frequently Asked Questions

The GDPR distinguishes between two main roles: those of data controller and data processor. This distinction is crucial as the data controller bears more responsibility and has to fulfil more obligations than the processor.

Data controllers and processors can be natural or legal persons, for example: an SME, a public authority, a company, an organisation, a state body, an association etc.

A data controller determines the purposes and means of a processing operation. In other words, the controller decides the how and why of a processing operation. Whereas processors process personal data on behalf of the controller. The processing carried out by processors needs to be regulated by a contract with the data controller or other legal act.

Examples of data controllers:

• companies that process the personal data of their customers to complete a sale;
• financial institutions that process personal data of their clients;
• associations that process the data of their members;
• schools or universities that process personal data of students and teachers;
• hospitals that process personal data of their patients;
• government agencies that process personal data of citizens.
   

Examples of data processors:

• an SME hires a bookkeeping service to keep its books and records, the SME is a data controller and the bookkeeping service a data processor;
• a payroll company processes personal data for an SME. The payroll company will act as a processor if it solely processes the personal data on behalf of the SME. The SME determines the purposes and means of the data processing, and is therefore data controller.
• an SME commissions a marketing company to collect email addresses via third-party websites.  The marketing company does this according to the explicit instructions of the SME and for the SME’s exclusive purposes. The marketing Company acts as processor for this collection.

More information:

• Data controller or data processor

Some types of personal data belong to special categories of personal data, meaning they deserve more protection, so-called sensitive data. Sensitive data includes data that reveals information about:

• an individual’s health;
• an individual’s sexual orientation;
• an individual’s racial or ethnic origin;
• an individual’s political opinions, religious or philosophical beliefs; an individual’s trade union membership;
• an individual’s biometric and genetic data.

The processing of an individual’s sensitive data is generally prohibited, except under specific circumstances that justify its processing.

More information:

• Data protection basics

The DPO can be an existing employee with sufficient knowledge of GDPR (if the professional tasks of the employee are compatible with those of the DPO and this does not lead to conflicts of interest) or an external person. The DPO should be able to carry out tasks independently and should be able to report directly to the highest management.

More information:

• Data Protection Officer

The archived documents adopted by the Article 29 Working Party (1997-2016) are available on the website of the European Commission here: WP29 archive.

Should you experience any difficulty accessing WP29 documents, we recommend contacting the European Commission's DG Justice. The European Commission provided the Secretariat for the Article 29 Working Party and was responsible for all its publications. 

You can contact them by filling out the following form

Every organisation, regardless of the their size or sector, established in the European Economic Area (EEA) or offering products or services to individuals in the EEA, processing personal data whether or not by automated means needs to comply with the GDPR. The GDPR applies to the automated processing of personal data and to processing operations carried out manually from the moment the paper files are organised in a systematic manner, e.g. ordered alphabetically in a filing cabinet.

Examples of processing operations include collecting, recording, organising, using, modifying, storing, disclosing, altering and erasing individuals’ personal data.

Nevertheless, the application of the GDPR is modulated according to the nature, context, purposes and risks of the processing operations carried out. For SMEs whose core business is not the processing of personal data, the obligations can be less strict than for a large company.

Once a public consultation is closed, all contributions to the public consultation are reviewed and, where necessary, the guidelines may be adapted. Once this process has been completed, the guidelines will be up for final adoption at a subsequent EDPB plenary.

Personal data means any information relating to an identified or identifiable individual. An identifiable individual is anyone who can be identified, either directly or indirectly. Different pieces of information that added together could lead to the identification of a particular person also constitute personal data.

Examples of personal data include:

• name and surname;
• a home address;
• an email address;
• an ID card number;
• location data;
• an Internet Protocol (IP) address;
• a cookie ID;
• bank accounts;
• tax reports;
• biometric data (like fingerprint);
• a social security number;
• passport number;
• test results;
• grades in school;
• browsing history;
• photograph of individual;
• vehicle registration number etc.

More information:

• Data protection basics

All comments submitted are screened and reviewed manually before being displayed on our website. There should have been a visual confirmation after submitting your comments on our website.

In any case, please allow for some time before your comments are published.

The GDPR puts in place clear procedures in case of a data breach. If a data breach poses a risk, companies and organisations holding your data have to inform the relevant data protection authority within 72 hours or without undue further delay. If the leak poses a high risk to you, then you must also be informed personally.

For more information on data breaches, please consult the EDPB Data Protection Guide for small business.

We are constantly working on the translation of our documents into the official EU languages.
All static content, as well as press releases and documents officially adopted by the Board, such as Guidelines, will be made available in these languages.

This process takes time and various steps need to be completed in order to provide translations of the best quality.

Please note that documents undergoing public consultation are usually not translated. It is only after the public consultation has been concluded and a final version of the document has been adopted by the Board that these documents will be translated.

Certification bodies are accredited by the national data protection authorities (DPA) or by the national accreditation body (named in accordance with Regulation 17065/2012). For further information regarding certification bodies, we recommend contacting the national DPA in your country. You can find an overview of all EEA DPAs here.

You can find further information regarding accreditation of certification bodies here: Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679)

1. Make sure that the data that you received was collected legitimately and that the individuals concerned have been informed about the processing of their personal data.
2. In case a third party is processing personal data on your behalf, make sure you have a controller-processor contract, which details the processing operations and means to process personal data.

And of course, comply with all the obligations of controllers.

More information:

• Data controller or data processor

The necessary security measures can differ based on the nature of the personal data you process and the associated risks to individuals. In any case, there are some minimum measures you should put into place:

• secure access to the premises;
• use regularly updated antivirus software;
• carefully choose your passwords;
• make users authenticate themselves before using the computer facilities;
• have a data back-up and retrieval policy in place in case of an incident.

In addition, some basic measures such as locking your screen while you are away and locking up the office at the end of the day are never out of place...

More information:

• Secure personal data

Publishing the names of the winners of a competition on your website could be considered as a legitimate interest, if you can prove this by carrying out a balancing test to determine whether your legitimate interests outweigh individuals’ right.

A good practice would be to set up an internal procedure in which the rules on publishing personal data of winners are explained.

In addition, the processing of personal data for these purposes should be part of the competition’s privacy policy, so that participants are informed in advance about how their data is going to be processed.

More information:

• Process personal data lawfully

All documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

Once published, recently adopted documents will be listed under “latest publications” on the main page of this website.

You can also find overviews of the documents adopted per plenary on the EDPB news page.

EDPB neposkytuje občanům nebo soukromým/veřejným organizacím individuálně uzpůsobené právní poradenství ohledně toho, jak uplatňovat právní předpisy o ochraně údajů v konkrétních případech. 

Hlavním úkolem EDPB je vydávat obecné pokyny a stanoviska. Všechny přijaté pokyny a stanoviska jsou k dispozici zde: Pokyny, doporučení, osvědčené postupy a stanoviska. Doporučujeme rovněž přečíst si příručku o ochraně údajů pro malé podniky. Tato příručka vám pomůže porozumět klíčovým pojmům ochrany údajů, právům jednotlivců podle obecného nařízení o ochraně osobních údajů, požadavkům na dodržování předpisů, bezpečnostním opatřením a způsobu řešení případů porušení zabezpečení údajů.

Další informace o úloze EDPB a uplatňování obecného nařízení o ochraně osobních údajů naleznete také zde: Frequently Asked Questions.

Také vás vyzýváme, abyste se seznámili s webovými stránkami úřadu pro ochranu osobních údajů ve vaší zemi. Odkazy na internetové stránky našich členů naleznete zde: Our members.

Once the Lead Supervisory Authority (LSA) or, in some cases the Concerned Supervisory Authority (CSA), with which the complaint was lodged has notified the EDPB of the date its final decision was communicated to the controller or processor and, where relevant, to the complainant, the EDPB will publish its own decision on its website.

The European Data Protection Board (EDPB) is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities (DPAs), as well as the DPAs of Iceland, Liechtenstein and Norway (the European Economic Area or EEA).

The EDPB aims to ensure the consistent application of the General Data Protection Regulation and of the Law Enforcement Directive in the European Economic Area (EEA). The EDPB also looks into the application of certain aspects of the ePrivacy Directive.

Our main tasks and duties are:

• providing general guidance (including guidelines, recommendations and best practices) to clarify the law and to promote a common understanding of EU data protection laws;
• adopting opinions addressed to the European Commission or to the national Data Protection Authorities (DPAs):
  • to advise the European Commission on any issue related to the protection of personal data and newly proposed legislation in the European Union (Art. 70 GDPR). In some instances, we issue Joint Opinions together with the EDPS (Art.42 of Regulation 2018/1725);
  • to ensure consistency of the activities of national data protection authorities (DPAs) on cross-border matters (Art. 64 GDPR). If authorities fail to respect an opinion issued by the EDPB, we may adopt a binding decision;
• adopting binding decisions addressed to the national DPAs and aiming to settle disputes between them when they cooperate in cross-border cases, with the purpose of ensuring the correct and consistent application of the GDPR in individual cases;
• promoting and supporting the cooperation among national DPAs.

Yes, you can, but the GDPR places certain obligations on businesses which share personal data. Your organisation must inform individuals that you will share their data with a third party. You must also inform them of your purposes, security, access and the retention measures that will apply.