European Data Protection Board logo
Close menu

Frequently Asked Questions

Filter on
Filter on topic

What is a privacy statement?

Organisations must, in the case of direct collection of personal data from the individuals concerned, provide information about the processing operations in a concise and transparent way, using understandable, easily accessible and clear and plain language. This can be done in writing (e.g. on the reverse side of a tender) or by electronic means (e.g. on a website). If the person concerned so requests, you may also provide this information orally, but you must be able to prove this afterwards.

Even when the data was collected indirectly, i.e. if you do not directly collect the personal data from an individual yourself, but for example via a third party, you must provide the same detailed information to individuals

How do I respond to a request for erasure?

Individuals have the right to request erasure of personal data concerning them and in that case, the controller has the obligation to erase the personal data. You should respond without undue delay and at the latest within one month after receipt of the request. This deadline can be extended by another two months if the request is too complex and more time is needed to comply with the request, provided that the individual is informed of this within one month after receiving the request.

It is important to note that the right to erasure is not absolute. It does not apply when the data in question is necessary for:

  • exercising the right to freedom of expression and information (e.g. for journalistic purposes);
  • compliance with a legal obligation which requires the processing of personal data (e.g. processing records on employees’ work hours);
  • reasons of public interest in the area of public health
  • archiving purposes in the public interest or scientific or historical research purposes or statistical purposes; and
  • the establishment, exercise or defence of legal claims.

When the personal data that is to be erased was previously transferred to other organisations, you must inform these recipients that the individual has requested erasure, unless this proves impossible or would require disproportionate efforts.

More information:

Can a Data Protection Authority (DPA) challenge an Art. 65 GDPR decision by the EDPB?

As addressees of the EDPB decisions, the relevant Data Protection Authorities (DPAs) that wish to challenge these decisions can bring an action for annulment before the European Court of Justice (CJEU) within two months of being notified.

Can I record telephone conversations with clients in order to improve quality of service and do I need consent for this?

Yes,your clients must be informed, when they make a telephone call, of the purposes of the recording, the recipients of the recordings, of their right to object and their right to access the recordings.

More information:

I wish to lodge a complaint with a data protection authority (DPA), which authority should I contact?

Under the GDPR, you have the right to lodge a complaint with the Data Protection Authority (DPA) in the country of:

  • your habitual residence;
  • your place of work; or
  • the place where the alleged infringement took place.

Find the contact details for all EEA DPAs

Related questions
Who is data controller and who is data processor?

Can I lodge a complaint with the EDPB?

No. The EDPB does not handle complaints or conduct investigations. If you believe your data protection rights have been violated you can contact the organisation holding your data, contact your national data protection authority (DPA), or go to a national court.

DPAs can conduct investigations and impose sanctions where necessary. Find the contact details for all EEA DPAs 

In which cases is the dispute resolution mechanism of Art. 65.1 (c) GDPR triggered?

While Art. 65 (a) and (b) relate to the one-stop-mechanism, Art.65.1 (c) GDPR concerns obligations of Data Protection Authorities (DPAs) stemming from the consistency mechanism.

More specifically, every competent DPA has the duty to request an opinion from the EDPB before adopting national measures pursuant to article 64.1 GDPR. Such measures include lists of processing operations for which a Data Protection Impact Assessment (DPIA) is required, or the approval of a new set of standard clauses. In addition, under Art. 64.2 GDPR, any SA may also request an EDPB consistency opinion on any matter of general application or producing effects in more than one Member State.

If an DPA does not request the opinion of the EDPB for the cases listed under Art. 64.1 GDPR or does not follow the EDPB opinion issued under Art. 64 GDPR, any DPA and the European Commission can launch the dispute resolution procedure of Art. 65.1 (c) GDPR about the matter.

How does cross-border cooperation work under the GDPR?

The General Data Protection Regulation (GDPR) requires the Data Protection Authority (DPA) of the European Economic Area (EEA) to cooperate closely - under the umbrella of the European Data Protection Board (EDPB) - to ensure the consistent application of the GDPR and the protection of individuals’ data protection rights across the EEA. One of their tasks is to coordinate decision-making in cross-border data processing cases.
A processing is cross-border when:

  • data processing takes place in more than one country;
  • or it substantially affects or it is likely to substantially affect individuals in more than one country.

Under the so-called one-stop-shop mechanism Art. 60 GDPR, the Lead Supervisory Authority (LSA) acts as the main point of contact for the controller or processor for a given processing, while the Concerned Supervisory Authorities (CSAs) act as the main point of contact for individuals in the territory of their Member State. The LSA is the authority in charge of leading the cooperation process. It will share relevant information with the CSAs, carry out the investigations, prepare the draft decision relating to the case, and cooperate with the other CSAs in an endeavour to reach consensus on this draft decision.

What is the EDPS?

The European Data Protection Supervisor (EDPS) is the European Union’s (EU) independent data protection authority.

The EDPS is responsible for monitoring the processing of personal data by the EU institutions, bodies, offices and agencies (EUIs) as well as providing advice on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.

For more information visit the EDPS website.

What does processing personal data mean?

Processing personal data means any type of activity (processing operation) performed on or with individuals’ personal data. This includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, inquiry, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

Is it possible to process sensitive data?

No, the processing of sensitive data is generally prohibited, except under very specific circumstances:

  • The individual has given their explicit consent for their sensitive data to be processed.
  • The processing of sensitive data is necessary for the data controller to fulfil their obligations, specifically in the context of employment, social security and social protection. For example, the data controller may need to process a person’s sensitive data to be able to determine if they are entitled to certain social security benefits or employment stipends.
  • The processing of sensitive data is necessary to protect the vital interests of a person where the individual is physically or legally incapable of giving consent. For example, if an individual is left unconscious as a result of an accident and requires immediate medical care, their health data may need to be processed for the appropriate medical care to be delivered.
  • The processing of sensitive data is carried out in the context of the legitimate activities of a foundation, association or other non-for-profit organisation with a political, philosophical, religious or trade union aim, and only for the processing of the personal data of their members, former members or persons having regular contact with them.
  • The sensitive data was manifestly made public by individual.
  • The processing of sensitive data is necessary in the context of legal proceedings.
  • The processing of sensitive data is necessary for matters of substantial public interest.
  • The processing of sensitive data is necessary in the context of preventive or occupational medicine. For example, assessing an individual’s sensitive data, such as their medical data, may be necessary to determine their working capacity as an employee.
  • The processing of sensitive data is necessary for matters of public health on the basis of EU or national law. For example, processing individuals’ sensitive data may be necessary to ensure a high quality of health care and a high quality of medical products, or to combat serious health threats, such as viruses.
  • The processing of sensitive data is necessary for matters of archiving purposes in the public interest, or for scientific or historical  research purposes, or statistical purposes. For example, processing sensitive data may be necessary to provide accurate statistics on a country’s situation in a particular field. 

More information:

What can I do in case the data processor does not want to sign a controller-processor contract?

A valid contract between the data controller and data processor is obligatory under the GDPR. An infringement can be subject to an administrative fine up to 10M€ or up to 2% of the total annual turnover of a company, whichever is higher.

To help guide you when setting up a controller-processor agreement, the Danish and Slovenian data protection authorities, as well as the European Commission, have developed template agreements.

More information:

What should I do when someone asks how I process their data?

Individuals can ask you whether you are processing their data and where it is the case, they have a right to access that data. So when this happens and if you process their data, you should, for example provide a copy of their personal data, free of charge, together with any necessary additional information. Where a request is made electronically, your organisation should provide the required information in a commonly used electronic format, unless the individual requests otherwise.

More information:

How long do I have to respond to an access request?

You should respond without undue delay and at the latest within one month after receipt of the request. This deadline can be extended by another two months if the request is too complex and more time is needed to answer, provided that the individual is informed of this within one month after receiving the request.

You must do this free of charge.

More information:

Are you asking the EDPB to issue guidance on a specific topic?

We take note of your suggestion to the EDPB to consider this matter for future guidance. You may consult the topics currently included in the EDPB's Work Programme on our website.

I have received a communication from someone claiming to be working for the EDPB informing me that I am not in compliance with the GDPR, is this something the EDPB does?

Please note that the EDPB does not contact individuals, via phone or other means of communication, to inform them of such matters.

Therefore, it could be that the call you received represents a phishing attack targeting you abusing our name.

Go to contact form

The EDPB has adopted its binding decision: when is it notified to the relevant national Data Protection Authorities (DPAs), in which language and what happens next?

Once the EDPB has adopted a binding decision, the EDPB Chair notifies the binding decision to the relevant national Data Protection Authorities (DPAs) without undue delay.

Prior to the notification, the binding decision is translated into the languages of the relevant national DPAs that have to adopt a final decision or take measures at national level on the basis of the binding decision1. Translation and proofreading can take a few weeks. In any case, the English version of the decision is the only authentic language version.

Next step for the relevant  Data Protection Authorities (DPAs)

Once the relevant SAs have been notified of the binding decision, a decision has to be adopted at national level to implement the content of the binding decision. This decision will be adopted without undue delay and at the latest one month after the EDPB has notified its decision.
For cross-border cases where no consensus was found (Art. 65.1 (a) GDPR), the final decision will be addressed to the controller or processor and, where relevant, to the complainant.

  1. Please see paragraphs 6 and 7 of Art. 11 of the EDPB Rules of Procedure. In exceptional cases, other Concerned Supervisory Authority (CSAs) can request, providing the reasons, an urgent translation in their official EU language(s) no later than at the moment of adoption of the binding decision.

The dispute resolution mechanism of Art. 65 GDPR has been triggered - what happens next?

Within one month from the referral of the subject matter, the EDPB must adopt a decision by a two-thirds majority. 

The one-month deadline to adopt this binding decision can be extended by another month, if the case is complex. When the EDPB is not able to reach a decision within the abovementioned period, the decision must be adopted by a simple majority within two additional weeks. Should the members of the EDPB be split, the decision will be adopted by the vote of the EDPB Chair.

Do I need consent in order to use cookies on my organisation’s website?

The GDPR applies to the use of cookies when these are used to process personal data, but there are also more specific rules for cookies included the ePrivacy Directive.

The storing of a cookie, or the gaining of access to a cookie already stored, in the terminal equipment of a user is only allowed on condition that the subscriber or user concerned has been adequately informed (in particular about the purposes of the processing) and has given their consent.

The only exception are technically necessary cookies. Organisations do not need to ask for consent when using technically necessary cookies on their websites.

More information:

What is the difference between pseudonymised data and anonymised data?

Pseudonymisation consists in transforming personal data so that it can no longer be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to individual. In practice, it may mean replacing personal data (name, first name, personal number, phone number, etc.) in a data set with indirectly identifying data (alias, sequential number, etc.). Pseudonymised data is still personal data and is subject to the GDPR.

Anonymised data is data that has been rendered anonymous in such a manner that the individual is not or no longer identifiable by any means that are reasonably likely to be used. When the anonymisation is implemented properly, the GDPR no longer applies to the anonymised data.

More information: