Frequently Asked Questions

Under the GDPR, certification is conducted by national certification bodies or by the competent national data protection authorities (Art. 42(5) GDPR).

For further information, we recommend contacting the relevant national DPA for your organisation. You can find a overview of all EEA DPAs here.

You can find further information regarding certification in the EDPB guidelines on the topic: Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation - version adopted after public consultation

If you believe your data protection rights have been violated you can contact the organisation holding your data, contact your national data protection authority (DPA), or go to a national court.

DPAs can conduct investigations and impose sanctions where necessary. You can find the contact details for all EEA DPAs here.

Controllers should formally submit their EU-wide certification criteria to:

1. the competent data protection authority (DPA) in the EEA country where the scheme owners have their headquarters;
2. the competent data protection authority (DPA) in the EEA country where a certification body operating the certification mechanism have their headquarters, considering the member state in which the most certificates are likely to be issued.

The appointment of a DPO is mandatory in the following three cases:

• the organisation is a public authority;
• the organisation’s core activities consist in regular and systematic monitoring of individuals on a large scale, for example geolocation via a mobile application, or surveillance of shopping centres and public spaces through CCTV;
• the organisation’s core activities consist in large-scale processing of sensitive data  or personal data relating to criminal convictions and offences.

You can always appoint a DPO on a voluntary basis, even if this is not legally required. Please note that in that case, you must comply with all the provisions of the GDPR concerning the tasks and position of the data protection officer.

More information:

• Data Protection Officer

No, it is not necessary to make your record of processing public. You must, however, be able to make the record available to the data protection authority upon request.

More information:

• Be compliant

Beder du Databeskyttelsesrådet om at undersøge og træffe foranstaltninger over for en organisation, som du mener overtræder EU-lovgivningen, herunder gennem specifikke teknologier såsom kunstig intelligens, sociale medier eller meddelelsestjenester?

I forbindelse med databeskyttelsesreglerne kan du indgive en klage til din databeskyttelsesmyndighed (du finder en liste over dem på vores websted: https://edpb.europa.eu/about-edpb/our-members). Det er databeskyttelsesmyndighedernes ansvar at håndhæve databeskyttelsesreglerne. Du kan f.eks. kontakte den databeskyttelsesmyndighed, hvor du bor eller arbejder, eller hvor den påståede overtrædelse fandt sted.

Et andet alternativ er at gå til de nationale domstole, hvor du bor, eller hvor den dataansvarlige eller databehandleren er etableret. 

Hvis GDPR gælder i din situation, men du ikke er baseret i Europa, kan du stadig klage til en databeskyttelsesmyndighed i Europa og/eller gå rettens vej.

Databeskyttelsesrådet har ingen kompetence til at behandle specifikke individuelle anmodninger eller klager eller til at yde individuelle konsulenttjenester. Databeskyttelsesrådet er ikke et overnationalt organ, der kan undersøge klager.

Endelig kan du, hvis du vil klage over, hvordan en EU-institution, et EU-agentur eller et EU-organ anvender dine personoplysninger, indgive en klage til Den Europæiske Tilsynsførende for Databeskyttelse (se kontaktoplysninger på vores websted: https://edpb.europa.eu/about-edpb/our-members).

Bemærk venligst, at vi ikke videresender din meddelelse til de nationale databeskyttelsesmyndigheder eller til EDPS. Derfor bør du kontakte dem direkte.

For consent to be considered valid, it must be:

• freely given;
• specific;
• informed; and
• unambiguous.

This means that individuals must have a genuinely free choice regarding whether or not they agree with the processing of their personal data; they need sufficient information so that they can understand which data is processed, for what purpose, and how this is done; they also need sufficient granularity in consent requests.

In addition, there should be a clear affirmative action from the individual (without pre-ticked boxes and made separately from applicable general conditions).

In addition, individuals need to be able to freely withdraw their consent (without any negative consequences) if they change their mind later on.

More information:

• Process personal data lawfully

If your organisation is collecting the personal data directly from individuals, it must provide the necessary information at the time of collection.

In case of indirect collection of personal data, your organisation must provide the information at the latest within one month after the personal data has been initially obtained. This maximum period of one month can be reduced:

• if the personal data is used for the purpose of communication with the data subject. In that case, you must inform the data subject at the latest at the time of the first communication to the data subject;
• if the data is transmitted to another recipient, the organisation informs the data subjects of this at the latest when the personal data is transferred. 

More information:

• Respect individuals’ rights

The dispute resolution mechanism triggered under Art.65.1 (a) and (b) GDPR contributes to the good functioning of the cooperation mechanism by addressing any disagreements Concerned Supervisory Authorities (CSAs) may have in a given case or if there are conflicting views as to which authority is the Lead Supervisory Authority (LSA).
The EDPB will act as a dispute resolution body. It must adopt a decision to address the conflict between the involved Data Protection Authorities (DPAs), which is binding on them (Art. 65 GDPR). The decision is adopted by a two-thirds majority of the members of the Board, and in case a decision cannot be adopted within 2 months, the decision is adopted within the next 2 weeks by a simple majority.

The European Data Protection Supervisor (EDPS) is a Member of the European Data Protection Board. In addition, the EDPS provides the EDPB Secretariat. The Secretariat offers administrative and logistic support to the EDPB, performs analytical work and contributes to the EDPB’s tasks.

Although staff at the Secretariat is employed by the EDPS, staff members only work under the instructions of the Chair of the EDPB.

The terms of cooperation between the EDPB and the EDPS are established by the Memorandum of Understanding.

Every organisation, regardless of the their size or sector, established in the European Economic Area (EEA) or offering products or services to individuals in the EEA, processing personal data whether or not by automated means needs to comply with the GDPR. Even if the GDPR mainly relates to automated processing of personal data, processing operations carried out manually will also be subject to the GDPR from the moment the paper files are organised in a systematic manner, e.g. ordered alphabetically in a filing cabinet. 

Examples of processing operations include collecting, recording, organising, using, modifying, storing, disclosing, altering and erasing individuals’ personal data.

Nevertheless, the application of the GDPR is modulated according to the nature, context, purposes and risks of the processing operations carried out. For SMEs whose core business is not the processing of personal data, the obligations can be less strict than for a large company.

More information:

• Data protection basics

The task of the DPO include, among others:

• to inform and advise the organisation and its employees on data protection compliance;
• to monitor data protection compliance;
• to provide advice on requests concerning the data protection impact assessment (DPIA);
• to act as a contact point for the data protection authority (DPA) and to cooperate with that DPA;
• to act as a contact point for individuals.

In addition, the DPO’s presence is generally recommended where decisions with data protection implications are taken. The DPO should also be promptly consulted once a data breach or another incident has occurred.

More information:

• Data Protection Officer

The GDPR imposes obligations on all organisations that process personal data, regardless of whether they are data controllers or data processors.

In particular, you should:

• Ask yourself if the purpose for which personal data may be collected is justified, and collect only personal data that is necessary for the specific purpose(s) envisaged;
• Keep individuals’ personal data accurate and up to date, and delete the data when it is no longer necessary;
• Respect individuals’ rights by informing them about how and why their data are processed, and allowing them to exercise their rights;
• Check if you have an appropriate legal basis for the processing of personal data. In case you intend to rely on the consent of individuals, ask for their consent before processing their personal data;
• Make sure that individuals’ personal data is handled in a secure way;
• Maintain a record of processing operations.

Data processors will have to adhere to the responsibilities set out in the controller-processor contract, and they must not process the data otherwise than according to the controller’s instructions.

More information:

• Be compliant
• Data controller or data processor
• Data protection basics

• Any processing of personal data must be lawful, fair and transparent.
• Only collect personal data for specified, explicit and legitimate purposes. The processing of an individual’s data must be strictly limited to the purpose(s) initially established, and therefore not processed for subsequent or other purpose(s) that are incompatible with the initial purposes.
• Only process personal data that is necessary and proportionate in light of the purpose envisaged.
• All personal data you process must be accurate and kept up to date. Inaccurate personal data must be rectified or erased.
• The storage of individuals’ personal data must be limited in time, in light of the purpose for which this data was collected and processed. As such, individuals’ personal data must be deleted or anonymised once this data is no longer necessary.
• The processing of individuals’ data must be done in a secure way. In this sense, robust cybersecurity controls, must be put in place to ensure that individuals’ data is adequately protected.

Finally, the controller is accountable. This means it is responsible for and must be able to demonstrate compliance with the principles above.

More information:

• Data protection basic

You cannot store personal data forever.

As a rule, personal data can only be stored for as long necessary in light of the purposes for which the personal data is processed.

In some cases, the storage period can be determined by specific laws, for example, labour regulations determine a storage period for payroll lists.

Organisations should put in place data retention policies to make sure that personal data is not kept longer than is necessary. Individuals’ personal data must be deleted or anonymised once this data is no longer necessary for the purpose for which is was processed. 

More information:

• Data protection basics

The EDPB brings together the EU DPAs and the European Data Protection Supervisor (EDPS). The EEA EFTA countries (Iceland, Liechtenstein and Norway) are also members with regard to GDPR-related matters and without the rights to vote and to be elected as chair or deputy chair. The European Commission and - with regard to GDPR-related matters - the EFTA Surveillance Authority have the right to participate in the activities and meetings of the Board without voting rights.

You can find an overview of the EEA DPAs here.

When a Lead Supervisory Authority (LSA) issues a draft decision, it consults the Concerned Supervisory Authorities (CSAs), which can express their disagreement with the draft decision by submitting relevant and reasoned objections (RRO) within a period of four weeks (Art. 60.4 GDPR).
When none of the CSAs objects, the LSA may proceed to adopt the decision.

In case at least one of the CSAs has expressed an RRO, and if the LSA intends to follow the objection, it shall submit a revised draft decision to all the CSAs. The CSAs then have a period of two weeks (Art. 60.5 GDPR) to express their RROs to the revised draft decision.

However, if the LSA does not intend to follow the objection(s), since no consensus can be reached, the consistency mechanism is triggered. This means that the LSA is obliged to refer the case to the European Data Protection Board (EDPB) and the dispute resolution role of the EDPB is activated (Art. 65.1(a) GDPR).

The dispute resolution mechanism can be triggered in two further cases:

• there is a disagreement as to which authority is the LSA (Art. 65.1(b) GDPR);
• an SA does not seek the opinion of the EDPB as obliged under Art. 64.1 GDPR or does not follow such an opinion (Art. 64.1 - 2 GDPR) (Art. 65.1(c) GDPR).

Databeskyttelsesrådet har ikke kompetence til at føre tilsyn med databeskyttelsesmyndighedernes aktiviteter efter anmodning fra enkeltpersoner.

Bemærk, at kompetencen til at udstede generelle retningslinjer ikke kan forstås som en mekanisme for Databeskyttelsesrådet til at føre tilsyn med, hvordan databeskyttelsesmyndighederne håndterer din individuelle sag. 

Hvis du mener, at GDPR er blevet overtrådt, og du ikke er tilfreds med databeskyttelsesmyndighedens svar, er den resterende løsning, at du indleder en retssag.

Generally speaking, every organisation should keep a record of their processing activities. This is an inventory of all processing operations and can help you make correct assumptions of your responsibilities under the GDPR and possible risks.

Each of these processing operations must be described in the record with the following information:

• the purpose of the processing (e.g. customer loyalty);
• the categories of data processed (e.g. for payroll: name, first name, date of birth, salary, etc.);
• who has access to the data (the recipients – e.g.: the department in charge of recruitment, the IT service, management, service providers, partners...);
• where applicable, information related to transfers of personal data outside the European Economic Area (EEA),
• where possible, the storage period (the period for which the data are useful from an operational point of view, and from an archiving perspective).
• where possible, a general description of the security measures.

The record of processing activities falls under the responsibility of your organisation’s manager.

This record must be available to the data protection authority of the EEA country where you operate, if requested.

It is not required for organisations employing fewer than 250 persons to mention purely occasional activities in their record (e.g. data processed for one-off events such as the opening of a shop).

More information:

• Be compliant

DPOs can fulfil other tasks within the organisation, but this cannot result in a conflict of interest. This implies that the DPO cannot have a position in which they determine the purposes and means of the processing activities. Conflicting functions include mainly management positions (chief executive, chief operating, chief financial officer, Head of HR, Head of IT, managing director) but may also involve other functions if they lead to the determination of purposes and means of processing.

The DPO must be able to perform their duties and tasks in an independent manner. This means that your organisation:

• may not give instructions to the DPO with regard to the performance of their DPO duties;
• may not penalise or dismiss the DPO for performing their tasks.

More information:

• Data Protection Officer