Frequently Asked Questions


How can my processing operations or my organisation become GDPR certified?

Under the GDPR, certification is conducted by national certification bodies or by the competent national data protection authorities (Art. 42(5) GDPR).

For further information, we recommend contacting the relevant national DPA for your organisation. You can find an overview of all EEA DPAs here.

You can find further information regarding certification in the EDPB guidelines on the topic: Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation - version adopted after public consultation

I think my data protection rights have been violated, what can I do?

If you believe your data protection rights have been violated you can contact the organisation holding your data, contact your national data protection authority (DPA), or go to a national court.

DPAs can conduct investigations and impose sanctions where necessary. You can find the contact details for all EEA DPAs here.

How can I apply for the European Data Protection Seal?

Controllers should formally submit their EU-wide certification criteria to:

  1. the competent data protection authority (DPA) in the EEA country where the scheme owners have their headquarters;
  2. the competent data protection authority (DPA) in the EEA country where a certification body operating the certification mechanism has its headquarters, considering the member state in which the most certificates are likely to be issued.

Should I appoint a Data Protection Officer (DPO)?

The appointment of a DPO is mandatory in the following three cases:

  • the organisation is a public authority;
  • the organisation’s core activities consist in regular and systematic monitoring of individuals on a large scale, for example geolocation via a mobile application, or surveillance of shopping centres and public spaces through CCTV;
  • the organisation’s core activities consist in large-scale processing of sensitive data or personal data relating to criminal convictions and offences.

You can always appoint a DPO on a voluntary basis, even if this is not legally required. Please note that in that case, you must comply with all the provisions of the GDPR concerning the tasks and position of the data protection officer.

Am I required to make my record of processing public?

No, it is not necessary to make your record of processing public. You must, however, be able to make the record available to the data protection authority upon request.

Is your message about the enforcement of the GDPR or other rules?

Are you asking the EDPB to investigate and take action against an organisation that you believe is infringing EU legislation, including through specific technologies such as AI, social media or messaging services?

In the context of data protection rules, you can lodge a complaint with your data protection authority (DPA) (a list of them is available on our website: https://edpb.europa.eu/about-edpb/our-members). DPAs are responsible for enforcing data protection rules. You can, for example, contact the data protection authority in the place where you live or work, or in the place where the alleged infringement took place.

Another option is to go to the national courts in the country where you reside or where the controller or processor is established.

If the GDPR applies to your case but you are not located in Europe, you can still lodge a complaint with a DPA in Europe and/or go to court.

The European Data Protection Board has no competence to handle specific individual requests or complaints, or to provide individual consultancy services. The European Data Protection Board is not a supranational body that can investigate complaints.

Finally, if you wish to complain about how an EU institution, agency or body is using your personal data, you can lodge a complaint with the European Data Protection Supervisor (see the contact details on our website: https://edpb.europa.eu/about-edpb/our-members).

Please note that we do not forward your message to the national DPAs or to the EDPS. You should therefore contact them directly.

When should you share this information?

If your organisation is collecting the personal data directly from individuals, it must provide the necessary information at the time of collection.

In case of indirect collection of personal data, your organisation must provide the information at the latest within one month after the personal data has been initially obtained. This maximum period of one month can be reduced:

  • if the personal data is used for the purpose of communication with the data subject. In that case, you must inform the data subject at the latest at the time of the first communication to the data subject;
  • if the data is transmitted to another recipient, the organisation must inform the data subjects of this at the latest when the personal data is first transferred.

What is the purpose of the dispute resolution mechanism of Art. 65.1 (a) and (b) GDPR?

The dispute resolution mechanism triggered under Art. 65.1 (a) and (b) GDPR contributes to the good functioning of the cooperation mechanism by addressing any disagreements Concerned Supervisory Authorities (CSAs) may have in a given case, or conflicting views as to which authority is the Lead Supervisory Authority (LSA).
The EDPB will act as a dispute resolution body. It must adopt a decision to address the conflict between the involved Data Protection Authorities (DPAs), which is binding on them (Art. 65 GDPR). The decision is adopted by a two-thirds majority of the members of the Board, and in case a decision cannot be adopted within 2 months, the decision is adopted within the next 2 weeks by a simple majority.

Does my organisation have to comply with the GDPR?

Every organisation, regardless of its size or sector, that is established in the European Economic Area (EEA) or offers products or services to individuals in the EEA, and that processes personal data, whether or not by automated means, needs to comply with the GDPR. Even though the GDPR mainly relates to automated processing of personal data, processing operations carried out manually are also subject to the GDPR from the moment the paper files are organised in a systematic manner, e.g. ordered alphabetically in a filing cabinet.

Examples of processing operations include collecting, recording, organising, using, modifying, storing, disclosing, altering and erasing individuals’ personal data.

Nevertheless, the application of the GDPR is modulated according to the nature, context, purposes and risks of the processing operations carried out. For SMEs whose core business is not the processing of personal data, the obligations can be less strict than for a large company.

What are the tasks of the Data Protection Officer (DPO)?

The tasks of the DPO include, among others:

  • to inform and advise the organisation and its employees on data protection compliance;
  • to monitor data protection compliance;
  • to provide advice on requests concerning the data protection impact assessment (DPIA);
  • to act as a contact point for the data protection authority (DPA) and to cooperate with that DPA;
  • to act as a contact point for individuals.

In addition, the DPO’s presence is generally recommended where decisions with data protection implications are taken. The DPO should also be promptly consulted once a data breach or another incident has occurred.

What are my responsibilities under the GDPR?

The GDPR imposes obligations on all organisations that process personal data, regardless of whether they are data controllers or data processors.

In particular, you should:

  • Ask yourself if the purpose for which personal data may be collected is justified, and collect only personal data that is necessary for the specific purpose(s) envisaged;
  • Keep individuals’ personal data accurate and up to date, and delete the data when it is no longer necessary;
  • Respect individuals’ rights by informing them about how and why their data are processed, and allowing them to exercise their rights;
  • Check if you have an appropriate legal basis for the processing of personal data. In case you intend to rely on the consent of individuals, ask for their consent before processing their personal data;
  • Make sure that individuals’ personal data is handled in a secure way;
  • Maintain a record of processing operations.

Data processors will have to adhere to the responsibilities set out in the controller-processor contract, and they must not process the data otherwise than according to the controller’s instructions.

What are the basic processing principles under the GDPR?

  • Any processing of personal data must be lawful, fair and transparent.
  • Only collect personal data for specified, explicit and legitimate purposes. The processing of an individual’s data must be strictly limited to the purpose(s) initially established, and therefore not processed for subsequent or other purpose(s) that are incompatible with the initial purposes.
  • Only process personal data that is necessary and proportionate in light of the purpose envisaged.
  • All personal data you process must be accurate and kept up to date. Inaccurate personal data must be rectified or erased.
  • The storage of individuals’ personal data must be limited in time, in light of the purpose for which this data was collected and processed. As such, individuals’ personal data must be deleted or anonymised once this data is no longer necessary.
  • The processing of individuals’ data must be done in a secure way. In this sense, robust cybersecurity controls must be put in place to ensure that individuals’ data is adequately protected.

Finally, the controller is accountable. This means it is responsible for and must be able to demonstrate compliance with the principles above.

How long can I store personal data?

You cannot store personal data forever.

As a rule, personal data can only be stored for as long as necessary in light of the purposes for which the personal data is processed.

In some cases, the storage period can be determined by specific laws, for example, labour regulations determine a storage period for payroll lists.

Organisations should put in place data retention policies to make sure that personal data is not kept longer than is necessary. Individuals’ personal data must be deleted or anonymised once this data is no longer necessary for the purpose for which it was processed.

Who are the members of the Board?

The EDPB brings together the EU DPAs and the European Data Protection Supervisor (EDPS). The EEA EFTA countries (Iceland, Liechtenstein and Norway) are also members with regard to GDPR-related matters and without the rights to vote and to be elected as chair or deputy chair. The European Commission and - with regard to GDPR-related matters - the EFTA Surveillance Authority have the right to participate in the activities and meetings of the Board without voting rights.

You can find an overview of the EEA DPAs here.

What is the dispute resolution mechanism of Art. 65 GDPR?

When a Lead Supervisory Authority (LSA) issues a draft decision, it consults the Concerned Supervisory Authorities (CSAs), which can express their disagreement with the draft decision by submitting relevant and reasoned objections (RRO) within a period of four weeks (Art. 60.4 GDPR).
When none of the CSAs objects, the LSA may proceed to adopt the decision.

In case at least one of the CSAs has expressed an RRO, and if the LSA intends to follow the objection, it shall submit a revised draft decision to all the CSAs. The CSAs then have a period of two weeks (Art. 60.5 GDPR) to express their RROs to the revised draft decision.

However, if the LSA does not intend to follow the objection(s), no consensus can be reached and the consistency mechanism is triggered. This means that the LSA is obliged to refer the case to the European Data Protection Board (EDPB) and the dispute resolution role of the EDPB is activated (Art. 65.1(a) GDPR).

The dispute resolution mechanism can be triggered in two further cases:

  • there is a disagreement as to which authority is the LSA (Art. 65.1(b) GDPR);
  • an SA does not seek the opinion of the EDPB as obliged under Art. 64.1 GDPR or does not follow such an opinion (Art. 64.1 - 2 GDPR) (Art. 65.1(c) GDPR).

Are you writing because you are not satisfied with how your DPA handled your request or complaint?

The European Data Protection Board has no competence to supervise the activities of DPAs at the request of individuals.

Please note that the competence to issue general guidance cannot be understood as a mechanism through which the European Data Protection Board supervises how DPAs handle your individual case.

If you believe the GDPR has been infringed and you are not satisfied with the DPA's response, the remaining remedy is to initiate legal proceedings.

Do I need a record of processing?

Generally speaking, every organisation should keep a record of its processing activities. This is an inventory of all processing operations and can help you correctly assess your responsibilities under the GDPR and the possible risks.

Each of these processing operations must be described in the record with the following information:

  • the purpose of the processing (e.g. customer loyalty);
  • the categories of data processed (e.g. for payroll: name, first name, date of birth, salary, etc.);
  • who has access to the data (the recipients, e.g. the department in charge of recruitment, the IT service, management, service providers, partners...);
  • where applicable, information related to transfers of personal data outside the European Economic Area (EEA);
  • where possible, the storage period (the period for which the data are useful from an operational point of view, and from an archiving perspective);
  • where possible, a general description of the security measures.

The record of processing activities falls under the responsibility of your organisation’s manager.

This record must be available to the data protection authority of the EEA country where you operate, if requested.

It is not required for organisations employing fewer than 250 persons to mention purely occasional activities in their record (e.g. data processed for one-off events such as the opening of a shop).

What constitutes a conflict of interest for a Data Protection Officer (DPO)?

DPOs can fulfil other tasks within the organisation, but this cannot result in a conflict of interest. This implies that the DPO cannot hold a position in which they determine the purposes and means of the processing activities. Conflicting functions mainly include management positions (chief executive officer, chief operating officer, chief financial officer, Head of HR, Head of IT, managing director), but may also involve other functions if they lead to the determination of the purposes and means of processing.

The DPO must be able to perform their duties and tasks in an independent manner. This means that your organisation:

  • may not give instructions to the DPO with regard to the performance of their DPO duties;
  • may not penalise or dismiss the DPO for performing their tasks.