European Data Protection Board logo
Close menu

Frequently Asked Questions

Filter on
Filter on topic

What should I do in case of a data breach?

A personal data breach is a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

  • If the data breach poses a risk to the individuals concerned, you must report it to the relevant data protection authority within 72 hours.
  • If the breach is likely to result in a high risk to individuals, you will also need to communicate that breach to the individuals concerned without undue delay.

In any case, for all breaches – even those that are not notified to a DPA - you must record at least the basic details of the breach, the assessment thereof, its effects, and the steps taken in response.

More information:

How can I respect individuals’ data protection rights?

The GDPR foresees specific rights for individuals that have to be respected. You can do this by:

  • informing individuals whose data you process about your processing operations and the processing purposes when you collect their data, for example via a privacy statement on your website;
  • by responding to individuals’ requests to exercise their rights, such as access, rectification, objection, erasure or portability requests.

Organisations that are transparent about their use of personal data and that respect the rights of individuals are less likely to become subject to complaints.

More information:

Are you seeking to exercise data subject rights (deletion, correction, access) to personal data held in the Schengen Information System (SIS)?

The Coordination Supervision Committee (‘CSC’) - which exists within the EDPB - coordinates the supervision of the processing of personal data in the Schengen Information System (‘SIS’). The relevant EU laws are Regulation (EU) No 2018/1862 (in particular Article 71), and Regulation (EU) No. 2018/1861 (in particular Article 57).

For personal data included in the SIS, you have rights of access, rectification, and erasure. These rights include:

  • The right to know if information relating to you is processed in the SIS;
  • The right of access to that data;
  • The right to correction of inaccurate data or deletion relating when that data have been unlawfully stored; and
  • The right to take action with courts, your data protection authority and/or competent authorities, as appropriate, to correct or delete data relating to you or to obtain compensation.

To exercise your rights, please contact your national competent authority, in the Schengen country of your choice. For more information on the national competent authorities and on the data protection authority in each Schengen country, please consult the “Guide for exercising data subjects’ rights”, available on our website. There you can also find model letters to assist you with the exercise of your rights. 

Please note that the EDPB does not have the competence to handle individual complaints or requests. Besides, the EDPB does not have access to the content of these information systems and databases.

More details on how to exercise your rights is available on our website.

How can I keep up with the EDPB’s work?

The EDPB regularly publishes press releases, news items, blogs and other content on the EDPB website and its social media channels (Twitter: @EU_EDPB; Linkedin: European Data Protection Board) to keep the data protection community and the general public up-to-date with its work.

The EDPB website also has two RSS feeds, which you can subscribe to for automatic updates on EDPB news and the EDPB’s latest publications.

What is the GDPR?

The GDPR or General Data Protection Regulation creates a harmonised set of rules applicable to all personal data processing by organisations (public or private, regardless of their size)  established in the European Economic Area (EEA) or targeting individuals in the EU. The primary objective of GDPR is to ensure that personal data enjoys the same high standard of protection everywhere in the EEA, increasing legal certainty for both individuals and organisations processing data, and offering a high degree of protection for individuals.

The regulation entered into force on 24 May 2016 and applies since 25 May 2018.

What are my rights under the GDPR?

All individuals residing in the European Economic Area (EEA) have the right to the protection of their personal data.

More specifically, under the GDPR, you have several rights

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Right not be subject to a decision based solely on automated processing.

For more information on your rights, please consult our leaflet The GDPR and your rights or the EDPB Data Protection Guide for small business.

Does the GDPR also apply to paper records?

Yes, the GDPR applies if the personal data are contained or are intended to be contained in a filing system. This means that the GDPR also applies to paper records and not solely to automated processing of personal data.

More information:

What is a joint controller?

When there are two or more data controllers who jointly determine the purpose and means of processing, they are considered joint controllers. They decide together to process personal data for a joint purpose. Joint controllership can take many forms and participation of the different controllers may be unequal. Joint controllers must therefore determine their respective responsibilities for compliance with the GDPR.

It is important to note that joint controllership leads to joint responsibility for a processing activity.

  • Example of joint controllership:  Companies A and B have launched a co-branded product and wish to organise an event to promote this product. To that end, they decide to share data from their respective client and prospective client databases and decide on the list of invitees to the event on this basis. They also agree on the modalities for sending the invitations to the event, how to collect feedback during the event and follow-up marketing actions. Companies A and B can be considered joint controllers for the processing of personal data related to the organisation of the promotional event as they decide together on the jointly defined purpose and essential means of the data processing in this context.

More information:

I am organising an event as part of my business activities, can I make photos and videos of the event and the people attending?

Yes, but in order to do this, you will first need to determine the legal basis for processing this type of personal data. For example, the processing could be considered as a legitimate interest for your organisation. When processing personal data on the basis of legitimate interest, it is always necessary to conduct a balancing test to determine whether your legitimate interests outweigh individuals’ rights, particularly if children are involved.

Another possible legal basis for such processing could be consent. At any rate, individuals should always be informed in advance that the event is being photographed or filmed.

More information:

If I want to store CVs of candidates for future recruitment procedures, do I need to ask for the candidates’ consent?

Consent could indeed be a valid legal basis for storing job applicants’ CVs. Another possible legal basis could be legitimate interest. In that case, you would have to carry out a balancing test to prove that your organisation’s legitimate interests outweigh the applicants’ rights.

At any rate, you will have to inform the candidates that you plan to store their data and for which purposes.

More information:

Are you writing about a non-EU country recognised as providing an adequate level of data protection (adequacy decisions)?

The European Commission can decide whether a country outside Europe (or an international organisation) offers an ‘adequate’ level of data protection, which facilitates the data flows between Europe and this country. 

The EDPB is in charge of issuing opinions on the draft adequacy decisions, before the decision of the European Commission. The opinions are not binding on the European Commission but are usually useful for the other organisations which are consulted in this framework, such as the EU Member States.

Further, the European Commission is the one competent to monitor developments in non-European countries that could affect adequacy decisions. Some adequacy decisions provide for a specific regularity for the review of the decision and may refer to the possibility for EDPB representatives to take part in the review process organised by the European Commission.

Please also note that European Data Protection Authorities may protect individuals with respect with data transfers made within the context of adequacy decision (please find a list of them on our website: Our members).

If you believe that an existing adequacy decision is not in line with your fundamental rights of the individual to privacy and data protection, you may initiate a complaint to your DPA which may bring those objections before a national court which may be required to make a reference for a preliminary ruling to the Court of Justice (See Article 58(5) GDPR and ECJ Schrems judgment (Case C-362/14)).

For additional information, please see: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

The deadline for submitting comments to a public consultation has expired, can I still submit comments?

Unfortunately, the EDPB cannot consider late contributions as part of the public consultation.

Can I only process personal data when I have the individual’s consent?

Processing personal data is allowed if there is a legal basis for it. In addition to free, specific , informed and unambiguous consent, other legal bases for processing can be used.
In other words, consent is necessary when none of the other legal bases applies.

More information:

Do I need to be certified to become a Data Protection Officer (DPO)?

No, you do not need to be certified to become a DPO.

DPOs must, however, be able to demonstrate that they have the necessary qualifications required by the GDPR, such as expert knowledge of data protection law and practices.

More information:

What is a data protection impact assessment and when is this mandatory?

A Data Protection Impact Assessment or DPIA is a written assessment that your organisation should make to evaluate the impact of a planned processing operation. It helps you to identify the appropriate measures to address the risks, and to demonstrate compliance.

While it is always preferable to anticipate the impact of planned processing operations of your organisation by doing DPIA, it is compulsory to carry out a DPIA when the processing is likely to result in a high risk for individuals’ rights and freedoms.

Specifically, this is the case when the envisaged processing involves:

  • the processing - on a large scale- of sensitive personal data or data related to criminal convictions;  
  • a systematic and extensive evaluation of an individual’s personal aspects based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual in questions or similarly significantly affect individuals;
  • systematic monitoring of a publicly accessible area on a large scale.

The EDPB has developed guidelines which list the criteria you need to take into account when assessing whether a DPIA is mandatory or not. Data protection authorities (DPAs) have also published lists of processing operations which are subject to a DPIA. In addition several DPAs have developed guides, software, or self-assessment tools to help you with your assessment.

More information:

What are the legal basics for processing under the GDPR?

Data controllers can only process personal data in one of the following circumstances:

  • with the consent of the individuals concerned;
  • where processing is necessary for the performance of a contract (a contract between your organisation and an individual);
  • to meet a legal obligation under EU or national legislation;
  • where processing is necessary for the performance of a task carried out in the public interest under EU or national legislation;
  • to protect the vital interests of an individual;
  • for your organisation’s legitimate interests - except where they are overridden by the rights and freedoms of individuals.

In addition, the GDPR establishes additional conditions for the processing of sensitive data.

More information:

Do data processors also have to respect the GDPR?

Yes, data processors (i.e. individuals or bodies that process data on behalf of a data controller), have obligations under the GDPR. There are, however, some differences between the responsibilities for data controllers and processors.

Data processors have to adhere to the responsibilities set out in the controller-processor contract, which details the processing operations and means to process personal data. For example, the processor will have to carry out the processing operations with the appropriate technical and organisational measures as instructed by the controller. In doing so, the processor assists the controller in complying with the GDPR.

More information:

What should be included in a controller-processor contract?

The contract between the data controller and the data processor must stipulate that the data processor:

  • processes the personal data only on the instructions of the data controller, including with regard to transfers of personal data to a country outside the EEA;
  • ensures that the persons authorised to process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • ensures security of processing;
  • shall not engage another data processor without prior specific or general written authorisation of the data controller;
  • assists the data controller for the fulfilment of the data controller’s obligations to respond to individual’s requests for exercising their rights;
  • assists the data controller in securing the processing, notifying data breaches, and performing DPIAs;
  • at the choice of the data controller, deletes or returns all personal data to the data controller after the end of the provision of services;
  • makes available to the data controller all necessary information to demonstrate compliance with the obligations under the GDPR;
  • allows for and contributes to audits, including inspections conducted by the data controller or another auditor mandated by the data controller.

In addition, the data processor shall immediately inform the data controller if, in its opinion, instructions infringe the GDPR or other EU or national data protection provisions.

More information:

Can I transfer personal data outside the European Economic Area (EEA)?

Under the GDPR, there are, in principle, two main ways to transfer personal data to a non-EEA country or international organisation. Transfers may take place on the basis of an adequacy decision, or, in the absence of such a decision, on the basis of appropriate safeguards, including enforceable rights and legal remedies for individuals.

More information:

Is the Data Protection Officer (DPO) responsible for compliance with the GDPR?

The DPO cannot be held responsible for failure to comply with the GDPR. Compliance with the GDPR is the responsibility of the organisation that appointed the DPO.

More information: