European Data Protection Board logo
Close menu

Frequently Asked Questions

Filter on
Filter on topic

What should I do in case of a data breach?

A personal data breach is a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

  • If the data breach poses a risk to the individuals concerned, you must report it to the relevant data protection authority within 72 hours.
  • If the breach is likely to result in a high risk to individuals, you will also need to communicate that breach to the individuals concerned without undue delay.

In any case, for all breaches – even those that are not notified to a DPA - you must record at least the basic details of the breach, the assessment thereof, its effects, and the steps taken in response.

More information:

How can I respect individuals’ data protection rights?

The GDPR foresees specific rights for individuals that have to be respected. You can do this by:

  • informing individuals whose data you process about your processing operations and the processing purposes when you collect their data, for example via a privacy statement on your website;
  • by responding to individuals’ requests to exercise their rights, such as access, rectification, objection, erasure or portability requests.

Organisations that are transparent about their use of personal data and that respect the rights of individuals are less likely to become subject to complaints.

More information:

Ønsker du at udøve registreredes rettigheder (sletning, rettelse, adgang) til personoplysninger i Schengeninformationssystemet (SIS)?

Koordinationstilsynsudvalget — som findes i Databeskyttelsesrådet — koordinerer tilsynet med behandlingen af personoplysninger i Schengeninformationssystemet ("SIS"). De relevante EU-love er forordning (EU) 2018/1862 (navnlig artikel 71) og forordning (EU) 2018/1861 (navnlig artikel 57).

For personoplysninger, der indgår i SIS, har du ret til adgang, berigtigelse og sletning. Disse rettigheder omfatter:

  • retten til at vide, om oplysninger om dig behandles i SIS
  • retten til adgang til disse oplysninger
  • Ret til berigtigelse af urigtige oplysninger eller sletning i forbindelse med ulovlig opbevaring af disse oplysninger; og
  • Retten til at anlægge sag ved domstolene, din databeskyttelsesmyndighed og/eller kompetente myndigheder, alt efter hvad der er relevant, for at rette eller slette oplysninger om dig eller for at opnå erstatning.

For at udøve dine rettigheder bedes du kontakte din nationale kompetente myndighed i det Schengenland, du ønsker. Yderligere oplysninger om de nationale kompetente myndigheder og om databeskyttelsesmyndigheden i hvert Schengenland findes i vejledningenom udøvelse af registreredes rettighederpå vores websted. Der kan du også finde standardbreve, der kan hjælpe dig med at udøve dine rettigheder.

Bemærk, at Databeskyttelsesrådet ikke har kompetence til at behandle individuelle klager eller anmodninger. Desuden har Databeskyttelsesrådet ikke adgang til indholdet af disse informationssystemer og databaser.

Yderligere oplysninger om, hvordan du udøver dine rettigheder, findes på vores websted https://www.edpb.europa.eu/our-work-tools/our-documents/csc-data-subject-rights/schengen-information-system-guide-exercising_da.

How can I keep up with the EDPB’s work?

The EDPB regularly publishes press releases, news items, blogs and other content on the EDPB website and its social media channels (Twitter: @EU_EDPB; Linkedin: European Data Protection Board) to keep the data protection community and the general public up-to-date with its work.

The EDPB website also has two RSS feeds, which you can subscribe to for automatic updates on EDPB news and the EDPB’s latest publications.

What is the GDPR?

The GDPR or General Data Protection Regulation creates a harmonised set of rules applicable to all personal data processing by organisations (public or private, regardless of their size)  established in the European Economic Area (EEA) or targeting individuals in the EU. The primary objective of GDPR is to ensure that personal data enjoys the same high standard of protection everywhere in the EEA, increasing legal certainty for both individuals and organisations processing data, and offering a high degree of protection for individuals.

The regulation entered into force on 24 May 2016 and applies since 25 May 2018.

What are my rights under the GDPR?

All individuals residing in the European Economic Area (EEA) have the right to the protection of their personal data.

More specifically, under the GDPR, you have several rights

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Right not be subject to a decision based solely on automated processing.

For more information on your rights, please consult our leaflet The GDPR and your rights or the EDPB Data Protection Guide for small business.

Does the GDPR also apply to paper records?

Yes, the GDPR applies if the personal data are contained or are intended to be contained in a filing system. This means that the GDPR also applies to paper records and not solely to automated processing of personal data.

More information:

What is a joint controller?

When there are two or more data controllers who jointly determine the purpose and means of processing, they are considered joint controllers. They decide together to process personal data for a joint purpose. Joint controllership can take many forms and participation of the different controllers may be unequal. Joint controllers must therefore determine their respective responsibilities for compliance with the GDPR.

It is important to note that joint controllership leads to joint responsibility for a processing activity.

  • Example of joint controllership:  Companies A and B have launched a co-branded product and wish to organise an event to promote this product. To that end, they decide to share data from their respective client and prospective client databases and decide on the list of invitees to the event on this basis. They also agree on the modalities for sending the invitations to the event, how to collect feedback during the event and follow-up marketing actions. Companies A and B can be considered joint controllers for the processing of personal data related to the organisation of the promotional event as they decide together on the jointly defined purpose and essential means of the data processing in this context.

More information:

I am organising an event as part of my business activities, can I make photos and videos of the event and the people attending?

Yes, but in order to do this, you will first need to determine the legal basis for processing this type of personal data. For example, the processing could be considered as a legitimate interest for your organisation. When processing personal data on the basis of legitimate interest, it is always necessary to conduct a balancing test to determine whether your legitimate interests outweigh individuals’ rights, particularly if children are involved.

Another possible legal basis for such processing could be consent. At any rate, individuals should always be informed in advance that the event is being photographed or filmed.

More information:

If I want to store CVs of candidates for future recruitment procedures, do I need to ask for the candidates’ consent?

Consent could indeed be a valid legal basis for storing job applicants’ CVs. Another possible legal basis could be legitimate interest. In that case, you would have to carry out a balancing test to prove that your organisation’s legitimate interests outweigh the applicants’ rights.

At any rate, you will have to inform the candidates that you plan to store their data and for which purposes.

More information:

Skriver du om et land uden for EU, der er anerkendt som et land med et tilstrækkeligt databeskyttelsesniveau (afgørelser om tilstrækkeligt beskyttelsesniveau)?

Europa-Kommissionen kan beslutte, om et land uden for Europa (eller en international organisation) tilbyder et "tilstrækkeligt" databeskyttelsesniveau, som letter datastrømmene mellem Europa og dette land. 

Databeskyttelsesrådet er ansvarligt for at afgive udtalelser om udkastene til afgørelser om tilstrækkeligheden af beskyttelsesniveauet inden Europa-Kommissionens afgørelse. Udtalelserne er ikke bindende for Kommissionen, men er normalt nyttige for de andre organisationer, der høres inden for disse rammer, f.eks. EU-medlemsstaterne.

Desuden er Europa-Kommissionen den, der har kompetence til at overvåge udviklingen i ikke-europæiske lande, som kan påvirke afgørelser om tilstrækkeligheden af beskyttelsesniveauet. Nogle afgørelser om tilstrækkeligheden af beskyttelsesniveauet indeholder bestemmelser om en specifik regelmæssighed i forbindelse med revisionen af afgørelsen og kan henvise til muligheden for, at Databeskyttelsesrådets repræsentanter kan deltage i den revisionsproces, som Europa-Kommissionen tilrettelægger.

Bemærk også, at de europæiske databeskyttelsesmyndigheder kan beskytte enkeltpersoner med hensyn til dataoverførsler, der foretages inden for rammerne af afgørelsen om tilstrækkeligheden af beskyttelsesniveauet (du kan finde en liste over dem på vores websted: https://edpb.europa.eu/about-edpb/our-members).

Hvis du mener, at en eksisterende afgørelse om tilstrækkeligheden af beskyttelsesniveauet ikke er i overensstemmelse med dine grundlæggende rettigheder til privatlivets fred og databeskyttelse, kan du indgive en klage til din databeskyttelsesmyndighed, som kan indbringe disse indsigelser for en national domstol, som kan være forpligtet til at forelægge Domstolen en anmodning om præjudiciel afgørelse (se artikel 58, stk. 5, i GDPR og Domstolens Schrems-dom (sag C-362/14)).

Yderligere oplysninger findes på: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_da

The deadline for submitting comments to a public consultation has expired, can I still submit comments?

Unfortunately, the EDPB cannot consider late contributions as part of the public consultation.

Can I only process personal data when I have the individual’s consent?

Processing personal data is allowed if there is a legal basis for it. In addition to free, specific , informed and unambiguous consent, other legal bases for processing can be used.
In other words, consent is necessary when none of the other legal bases applies.

More information:

Do I need to be certified to become a Data Protection Officer (DPO)?

No, you do not need to be certified to become a DPO.

DPOs must, however, be able to demonstrate that they have the necessary qualifications required by the GDPR, such as expert knowledge of data protection law and practices.

More information:

What is a data protection impact assessment and when is this mandatory?

A Data Protection Impact Assessment or DPIA is a written assessment that your organisation should make to evaluate the impact of a planned processing operation. It helps you to identify the appropriate measures to address the risks, and to demonstrate compliance.

While it is always preferable to anticipate the impact of planned processing operations of your organisation by doing DPIA, it is compulsory to carry out a DPIA when the processing is likely to result in a high risk for individuals’ rights and freedoms.

Specifically, this is the case when the envisaged processing involves:

  • the processing - on a large scale- of sensitive personal data or data related to criminal convictions;  
  • a systematic and extensive evaluation of an individual’s personal aspects based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual in questions or similarly significantly affect individuals;
  • systematic monitoring of a publicly accessible area on a large scale.

The EDPB has developed guidelines which list the criteria you need to take into account when assessing whether a DPIA is mandatory or not. Data protection authorities (DPAs) have also published lists of processing operations which are subject to a DPIA. In addition several DPAs have developed guides, software, or self-assessment tools to help you with your assessment.

More information:

What are the legal basics for processing under the GDPR?

Data controllers can only process personal data in one of the following circumstances:

  • with the consent of the individuals concerned;
  • where processing is necessary for the performance of a contract (a contract between your organisation and an individual);
  • to meet a legal obligation under EU or national legislation;
  • where processing is necessary for the performance of a task carried out in the public interest under EU or national legislation;
  • to protect the vital interests of an individual;
  • for your organisation’s legitimate interests - except where they are overridden by the rights and freedoms of individuals.

In addition, the GDPR establishes additional conditions for the processing of sensitive data.

More information:

Do data processors also have to respect the GDPR?

Yes, data processors (i.e. individuals or bodies that process data on behalf of a data controller), have obligations under the GDPR. There are, however, some differences between the responsibilities for data controllers and processors.

Data processors have to adhere to the responsibilities set out in the controller-processor contract, which details the processing operations and means to process personal data. For example, the processor will have to carry out the processing operations with the appropriate technical and organisational measures as instructed by the controller. In doing so, the processor assists the controller in complying with the GDPR.

More information:

What should be included in a controller-processor contract?

The contract between the data controller and the data processor must stipulate that the data processor:

  • processes the personal data only on the instructions of the data controller, including with regard to transfers of personal data to a country outside the EEA;
  • ensures that the persons authorised to process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • ensures security of processing;
  • shall not engage another data processor without prior specific or general written authorisation of the data controller;
  • assists the data controller for the fulfilment of the data controller’s obligations to respond to individual’s requests for exercising their rights;
  • assists the data controller in securing the processing, notifying data breaches, and performing DPIAs;
  • at the choice of the data controller, deletes or returns all personal data to the data controller after the end of the provision of services;
  • makes available to the data controller all necessary information to demonstrate compliance with the obligations under the GDPR;
  • allows for and contributes to audits, including inspections conducted by the data controller or another auditor mandated by the data controller.

In addition, the data processor shall immediately inform the data controller if, in its opinion, instructions infringe the GDPR or other EU or national data protection provisions.

More information:

Can I transfer personal data outside the European Economic Area (EEA)?

Under the GDPR, there are, in principle, two main ways to transfer personal data to a non-EEA country or international organisation. Transfers may take place on the basis of an adequacy decision, or, in the absence of such a decision, on the basis of appropriate safeguards, including enforceable rights and legal remedies for individuals.

More information:

Is the Data Protection Officer (DPO) responsible for compliance with the GDPR?

The DPO cannot be held responsible for failure to comply with the GDPR. Compliance with the GDPR is the responsibility of the organisation that appointed the DPO.

More information: