European Data Protection Board logo
Close menu

Frequently Asked Questions

Filter on
Filter on topic

What should I do in case of a data breach?

A personal data breach is a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

  • If the data breach poses a risk to the individuals concerned, you must report it to the relevant data protection authority within 72 hours.
  • If the breach is likely to result in a high risk to individuals, you will also need to communicate that breach to the individuals concerned without undue delay.

In any case, for all breaches – even those that are not notified to a DPA - you must record at least the basic details of the breach, the assessment thereof, its effects, and the steps taken in response.

More information:

How can I respect individuals’ data protection rights?

The GDPR foresees specific rights for individuals that have to be respected. You can do this by:

  • informing individuals whose data you process about your processing operations and the processing purposes when you collect their data, for example via a privacy statement on your website;
  • by responding to individuals’ requests to exercise their rights, such as access, rectification, objection, erasure or portability requests.

Organisations that are transparent about their use of personal data and that respect the rights of individuals are less likely to become subject to complaints.

More information:

Usilujete o výkon práv subjektu údajů (vymazání, oprava, přístup) k osobním údajům uchovávaným v Schengenském informačním systému (SIS)?

Výbor pro koordinační dohled, který existuje v rámci EDPB, koordinuje dohled nad zpracováním osobních údajů v Schengenském informačním systému (SIS). Příslušnými právními předpisy EU jsou nařízení (EU) 2018/1862 (zejména článek 71) a nařízení (EU) 2018/1861 (zejména článek 57).

Pokud jde o osobní údaje obsažené v SIS, máte právo na přístup, opravu a výmaz. Tato práva zahrnují:

  • právo vědět, zda jsou informace, které se vás týkají, zpracovávány v SIS;
  • právo na přístup k těmto údajům;
  • právo na opravu nepřesných údajů nebo vymazání, pokud byly tyto údaje uchovávány protiprávně; a
  • Právo podat žalobu u soudů, vašeho orgánu pro ochranu údajů a/nebo příslušných orgánů, pokud je to vhodné, na opravu nebo vymazání údajů, které se vás týkají, nebo na získání náhrady škody.

Chcete-li uplatnit svá práva, obraťte se na příslušný vnitrostátní orgán v zemi Schengenu, kterou si zvolíte. Další informace o příslušných vnitrostátních orgánech a o orgánu pro ochranu údajů v každé zemi schengenského prostoru naleznete v „Příručcepro výkon práv subjektů údajů“, která je k dispozici na našich internetových stránkách. Zde najdete také vzorové dopisy, které vám pomohou při výkonu vašich práv. 

Vezměte prosím na vědomí, že EDPB nemá pravomoc vyřizovat jednotlivé stížnosti nebo žádosti. Kromě toho nemá EDPB přístup k obsahu těchto informačních systémů a databází.

Další podrobnosti o tom, jak uplatnit svá práva, jsou k dispozici na našich internetových stránkách https://www.edpb.europa.eu/our-work-tools/our-documents/csc-data-subject-rights/schengen-information-system-guide-exercising_cs.

How can I keep up with the EDPB’s work?

The EDPB regularly publishes press releases, news items, blogs and other content on the EDPB website and its social media channels (Twitter: @EU_EDPB; Linkedin: European Data Protection Board) to keep the data protection community and the general public up-to-date with its work.

The EDPB website also has two RSS feeds, which you can subscribe to for automatic updates on EDPB news and the EDPB’s latest publications.

What is the GDPR?

The GDPR or General Data Protection Regulation creates a harmonised set of rules applicable to all personal data processing by organisations (public or private, regardless of their size)  established in the European Economic Area (EEA) or targeting individuals in the EU. The primary objective of GDPR is to ensure that personal data enjoys the same high standard of protection everywhere in the EEA, increasing legal certainty for both individuals and organisations processing data, and offering a high degree of protection for individuals.

The regulation entered into force on 24 May 2016 and applies since 25 May 2018.

What are my rights under the GDPR?

All individuals residing in the European Economic Area (EEA) have the right to the protection of their personal data.

More specifically, under the GDPR, you have several rights

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Right not be subject to a decision based solely on automated processing.

For more information on your rights, please consult our leaflet The GDPR and your rights or the EDPB Data Protection Guide for small business.

Does the GDPR also apply to paper records?

Yes, the GDPR applies if the personal data are contained or are intended to be contained in a filing system. This means that the GDPR also applies to paper records and not solely to automated processing of personal data.

More information:

What is a joint controller?

When there are two or more data controllers who jointly determine the purpose and means of processing, they are considered joint controllers. They decide together to process personal data for a joint purpose. Joint controllership can take many forms and participation of the different controllers may be unequal. Joint controllers must therefore determine their respective responsibilities for compliance with the GDPR.

It is important to note that joint controllership leads to joint responsibility for a processing activity.

  • Example of joint controllership:  Companies A and B have launched a co-branded product and wish to organise an event to promote this product. To that end, they decide to share data from their respective client and prospective client databases and decide on the list of invitees to the event on this basis. They also agree on the modalities for sending the invitations to the event, how to collect feedback during the event and follow-up marketing actions. Companies A and B can be considered joint controllers for the processing of personal data related to the organisation of the promotional event as they decide together on the jointly defined purpose and essential means of the data processing in this context.

More information:

I am organising an event as part of my business activities, can I make photos and videos of the event and the people attending?

Yes, but in order to do this, you will first need to determine the legal basis for processing this type of personal data. For example, the processing could be considered as a legitimate interest for your organisation. When processing personal data on the basis of legitimate interest, it is always necessary to conduct a balancing test to determine whether your legitimate interests outweigh individuals’ rights, particularly if children are involved.

Another possible legal basis for such processing could be consent. At any rate, individuals should always be informed in advance that the event is being photographed or filmed.

More information:

If I want to store CVs of candidates for future recruitment procedures, do I need to ask for the candidates’ consent?

Consent could indeed be a valid legal basis for storing job applicants’ CVs. Another possible legal basis could be legitimate interest. In that case, you would have to carry out a balancing test to prove that your organisation’s legitimate interests outweigh the applicants’ rights.

At any rate, you will have to inform the candidates that you plan to store their data and for which purposes.

More information:

Píšete o zemi mimo EU, která byla uznána jako země poskytující odpovídající úroveň ochrany údajů (rozhodnutí o odpovídající ochraně)?

Evropská komise může rozhodnout, zda země mimo Evropu (nebo mezinárodní organizace) nabízí „přiměřenou“ úroveň ochrany údajů, která usnadňuje toky údajů mezi Evropou a touto zemí. 

EDPB je odpovědný za vydávání stanovisek k návrhům rozhodnutí o odpovídající ochraně před rozhodnutím Evropské komise. Stanoviska nejsou pro Evropskou komisi závazná, ale jsou obvykle užitečná pro ostatní organizace, které jsou v tomto rámci konzultovány, jako jsou členské státy EU.

Evropská komise je navíc oprávněna sledovat vývoj v mimoevropských zemích, který by mohl ovlivnit rozhodnutí o odpovídající ochraně. Některá rozhodnutí o odpovídající ochraně stanoví zvláštní správnost přezkumu rozhodnutí a mohou odkazovat na možnost zástupců EDPB účastnit se procesu přezkumu organizovaného Evropskou komisí.

Vezměte prosím také na vědomí, že evropské orgány pro ochranu údajů mohou chránit fyzické osoby v souvislosti s předáváním údajů v souvislosti s rozhodnutím o odpovídající ochraně (jejich seznam naleznete na našich internetových stránkách: https://edpb.europa.eu/about-edpb/our-members).

Pokud se domníváte, že stávající rozhodnutí o odpovídající ochraně není v souladu s vašimi základními právy na soukromí a ochranu údajů, můžete podat stížnost u svého orgánu pro ochranu údajů, který může tyto námitky vznést u vnitrostátního soudu, který může být povinen předložit Soudnímu dvoru žádost o rozhodnutí o předběžné otázce (viz čl. 58 odst. 5 nařízení GDPR a rozsudek ESD ve věci Schrems (věc C-362/14)).

Další informace naleznete na adrese: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_cs

The deadline for submitting comments to a public consultation has expired, can I still submit comments?

Unfortunately, the EDPB cannot consider late contributions as part of the public consultation.

Can I only process personal data when I have the individual’s consent?

Processing personal data is allowed if there is a legal basis for it. In addition to free, specific , informed and unambiguous consent, other legal bases for processing can be used.
In other words, consent is necessary when none of the other legal bases applies.

More information:

Do I need to be certified to become a Data Protection Officer (DPO)?

No, you do not need to be certified to become a DPO.

DPOs must, however, be able to demonstrate that they have the necessary qualifications required by the GDPR, such as expert knowledge of data protection law and practices.

More information:

What is a data protection impact assessment and when is this mandatory?

A Data Protection Impact Assessment or DPIA is a written assessment that your organisation should make to evaluate the impact of a planned processing operation. It helps you to identify the appropriate measures to address the risks, and to demonstrate compliance.

While it is always preferable to anticipate the impact of planned processing operations of your organisation by doing DPIA, it is compulsory to carry out a DPIA when the processing is likely to result in a high risk for individuals’ rights and freedoms.

Specifically, this is the case when the envisaged processing involves:

  • the processing - on a large scale- of sensitive personal data or data related to criminal convictions;  
  • a systematic and extensive evaluation of an individual’s personal aspects based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual in questions or similarly significantly affect individuals;
  • systematic monitoring of a publicly accessible area on a large scale.

The EDPB has developed guidelines which list the criteria you need to take into account when assessing whether a DPIA is mandatory or not. Data protection authorities (DPAs) have also published lists of processing operations which are subject to a DPIA. In addition several DPAs have developed guides, software, or self-assessment tools to help you with your assessment.

More information:

What are the legal basics for processing under the GDPR?

Data controllers can only process personal data in one of the following circumstances:

  • with the consent of the individuals concerned;
  • where processing is necessary for the performance of a contract (a contract between your organisation and an individual);
  • to meet a legal obligation under EU or national legislation;
  • where processing is necessary for the performance of a task carried out in the public interest under EU or national legislation;
  • to protect the vital interests of an individual;
  • for your organisation’s legitimate interests - except where they are overridden by the rights and freedoms of individuals.

In addition, the GDPR establishes additional conditions for the processing of sensitive data.

More information:

Do data processors also have to respect the GDPR?

Yes, data processors (i.e. individuals or bodies that process data on behalf of a data controller), have obligations under the GDPR. There are, however, some differences between the responsibilities for data controllers and processors.

Data processors have to adhere to the responsibilities set out in the controller-processor contract, which details the processing operations and means to process personal data. For example, the processor will have to carry out the processing operations with the appropriate technical and organisational measures as instructed by the controller. In doing so, the processor assists the controller in complying with the GDPR.

More information:

What should be included in a controller-processor contract?

The contract between the data controller and the data processor must stipulate that the data processor:

  • processes the personal data only on the instructions of the data controller, including with regard to transfers of personal data to a country outside the EEA;
  • ensures that the persons authorised to process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • ensures security of processing;
  • shall not engage another data processor without prior specific or general written authorisation of the data controller;
  • assists the data controller for the fulfilment of the data controller’s obligations to respond to individual’s requests for exercising their rights;
  • assists the data controller in securing the processing, notifying data breaches, and performing DPIAs;
  • at the choice of the data controller, deletes or returns all personal data to the data controller after the end of the provision of services;
  • makes available to the data controller all necessary information to demonstrate compliance with the obligations under the GDPR;
  • allows for and contributes to audits, including inspections conducted by the data controller or another auditor mandated by the data controller.

In addition, the data processor shall immediately inform the data controller if, in its opinion, instructions infringe the GDPR or other EU or national data protection provisions.

More information:

Can I transfer personal data outside the European Economic Area (EEA)?

Under the GDPR, there are, in principle, two main ways to transfer personal data to a non-EEA country or international organisation. Transfers may take place on the basis of an adequacy decision, or, in the absence of such a decision, on the basis of appropriate safeguards, including enforceable rights and legal remedies for individuals.

More information:

Is the Data Protection Officer (DPO) responsible for compliance with the GDPR?

The DPO cannot be held responsible for failure to comply with the GDPR. Compliance with the GDPR is the responsibility of the organisation that appointed the DPO.

More information: