Frequently Asked Questions

What should I do in case of a data breach?

A personal data breach is a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

  • If the data breach poses a risk to the individuals concerned, you must report it to the relevant data protection authority (DPA) within 72 hours.
  • If the breach is likely to result in a high risk to individuals, you will also need to communicate that breach to the individuals concerned without undue delay.

In any case, for all breaches, even those that are not notified to a DPA, you must record at least the basic details of the breach, the assessment thereof, its effects, and the steps taken in response.

How can I respect individuals’ data protection rights?

The GDPR foresees specific rights for individuals that have to be respected. You can do this by:

  • informing individuals whose data you process about your processing operations and the processing purposes when you collect their data, for example via a privacy statement on your website;
  • responding to individuals’ requests to exercise their rights, such as access, rectification, objection, erasure or portability requests.

Organisations that are transparent about their use of personal data and that respect the rights of individuals are less likely to become subject to complaints.

Are you looking to exercise your data subject rights (erasure, correction, access) regarding personal data held in the Schengen Information System (SIS)?

The Coordinated Supervision Committee (“CSC”), which exists within the EDPB, coordinates the supervision of the processing of personal data in the Schengen Information System (“SIS”). The relevant EU laws are Regulation (EU) 2018/1862 (in particular Article 71) and Regulation (EU) 2018/1861 (in particular Article 57).

For personal data included in the SIS, you have the rights of access, rectification and erasure. These rights include:

  • the right to know whether information relating to you is being processed in the SIS;
  • the right of access to that data;
  • the right to correction of inaccurate data, or to its erasure, when that data has been stored unlawfully; and
  • the right to take action before the courts, your data protection authority and/or the competent authorities, as appropriate, to correct or erase data relating to you or to obtain compensation.

To exercise your rights, please contact your competent national authority in the Schengen country of your choice. For more information on the competent national authorities and on the data protection authority in each Schengen country, please consult the “Guide for exercising the rights of data subjects”, available on our website. There you can also find template letters to help you exercise your rights.

Please note that the EDPB does not have the competence to handle individual complaints or requests. Moreover, the EDPB does not have access to the contents of these information systems and databases.

Further details on how to exercise your rights are available on our website: https://www.edpb.europa.eu/our-work-tools/our-documents/csc-data-subject-rights/schengen-information-system-guide-exercising_mt.

How can I keep up with the EDPB’s work?

The EDPB regularly publishes press releases, news items, blogs and other content on the EDPB website and its social media channels (Twitter: @EU_EDPB; LinkedIn: European Data Protection Board) to keep the data protection community and the general public up to date with its work.

The EDPB website also has two RSS feeds, which you can subscribe to for automatic updates on EDPB news and the EDPB’s latest publications.

What is the GDPR?

The GDPR, or General Data Protection Regulation, creates a harmonised set of rules applicable to all personal data processing by organisations (public or private, regardless of their size) established in the European Economic Area (EEA) or targeting individuals in the EU. The primary objective of the GDPR is to ensure that personal data enjoys the same high standard of protection everywhere in the EEA, increasing legal certainty for both individuals and organisations processing data, and offering a high degree of protection for individuals.

The regulation entered into force on 24 May 2016 and applies since 25 May 2018.

What are my rights under the GDPR?

All individuals residing in the European Economic Area (EEA) have the right to the protection of their personal data.

More specifically, under the GDPR, you have several rights:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Right not to be subject to a decision based solely on automated processing.

For more information on your rights, please consult our leaflet The GDPR and your rights or the EDPB Data Protection Guide for small business.

Does the GDPR also apply to paper records?

Yes, the GDPR applies if the personal data are contained or are intended to be contained in a filing system. This means that the GDPR also applies to paper records and not solely to automated processing of personal data.

What is a joint controller?

When there are two or more data controllers who jointly determine the purpose and means of processing, they are considered joint controllers. They decide together to process personal data for a joint purpose. Joint controllership can take many forms and participation of the different controllers may be unequal. Joint controllers must therefore determine their respective responsibilities for compliance with the GDPR.

It is important to note that joint controllership leads to joint responsibility for a processing activity.

  • Example of joint controllership: Companies A and B have launched a co-branded product and wish to organise an event to promote this product. To that end, they decide to share data from their respective client and prospective client databases and decide on the list of invitees to the event on this basis. They also agree on the modalities for sending the invitations to the event, how to collect feedback during the event and follow-up marketing actions. Companies A and B can be considered joint controllers for the processing of personal data related to the organisation of the promotional event as they decide together on the jointly defined purpose and essential means of the data processing in this context.

I am organising an event as part of my business activities, can I make photos and videos of the event and the people attending?

Yes, but in order to do this, you will first need to determine the legal basis for processing this type of personal data. For example, the processing could be considered as a legitimate interest for your organisation. When processing personal data on the basis of legitimate interest, it is always necessary to conduct a balancing test to determine whether your legitimate interests outweigh individuals’ rights, particularly if children are involved.

Another possible legal basis for such processing could be consent. At any rate, individuals should always be informed in advance that the event is being photographed or filmed.

Are you writing about a non-EU country recognised as providing an adequate level of data protection (adequacy decisions)?

The European Commission can decide whether a country outside Europe (or an international organisation) offers an “adequate” level of data protection, which facilitates data flows between Europe and that country.

The EDPB is tasked with issuing opinions on draft adequacy decisions, prior to the European Commission’s decision. The opinions are not binding on the European Commission but are normally useful for the other organisations consulted in this framework, such as the EU Member States.

Moreover, the European Commission is the body competent to monitor developments in non-European countries that may affect adequacy decisions. Some adequacy decisions provide for a specific periodicity for the review of the decision and may refer to the possibility of EDPB representatives taking part in the review process organised by the European Commission.

Please also note that the European Data Protection Authorities can protect individuals with regard to data transfers made in the context of an adequacy decision (please find a list of them on our website: https://edpb.europa.eu/about-edpb/our-members).

If you believe that an existing adequacy decision does not comply with your fundamental rights as an individual to privacy and data protection, you may lodge a complaint with your DPA, which may bring those objections before a national court; that court may in turn be required to make a reference for a preliminary ruling to the Court of Justice (see Article 58(5) of the GDPR and the CJEU Schrems judgment (Case C-362/14)).

For more information, please see: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_mt

The deadline for submitting comments to a public consultation has expired, can I still submit comments?

Unfortunately, the EDPB cannot consider late contributions as part of the public consultation.

Do I need to be certified to become a Data Protection Officer (DPO)?

No, you do not need to be certified to become a DPO.

DPOs must, however, be able to demonstrate that they have the necessary qualifications required by the GDPR, such as expert knowledge of data protection law and practices.

What is a data protection impact assessment and when is this mandatory?

A Data Protection Impact Assessment or DPIA is a written assessment that your organisation should make to evaluate the impact of a planned processing operation. It helps you to identify the appropriate measures to address the risks, and to demonstrate compliance.

While it is always preferable to anticipate the impact of your organisation’s planned processing operations by doing a DPIA, it is compulsory to carry out a DPIA when the processing is likely to result in a high risk to individuals’ rights and freedoms.

Specifically, this is the case when the envisaged processing involves:

  • the processing, on a large scale, of sensitive personal data or data related to criminal convictions;
  • a systematic and extensive evaluation of an individual’s personal aspects based on automated processing, including profiling, on which decisions are based that produce legal effects concerning the individual in question or similarly significantly affect individuals;
  • systematic monitoring of a publicly accessible area on a large scale.

The EDPB has developed guidelines which list the criteria you need to take into account when assessing whether a DPIA is mandatory or not. Data protection authorities (DPAs) have also published lists of processing operations which are subject to a DPIA. In addition, several DPAs have developed guides, software, or self-assessment tools to help you with your assessment.

Do data processors also have to respect the GDPR?

Yes, data processors (i.e. individuals or bodies that process data on behalf of a data controller) have obligations under the GDPR. There are, however, some differences between the responsibilities of data controllers and those of processors.

Data processors have to adhere to the responsibilities set out in the controller-processor contract, which details the processing operations and means to process personal data. For example, the processor will have to carry out the processing operations with the appropriate technical and organisational measures as instructed by the controller. In doing so, the processor assists the controller in complying with the GDPR.

What should be included in a controller-processor contract?

The contract between the data controller and the data processor must stipulate that the data processor:

  • processes the personal data only on the instructions of the data controller, including with regard to transfers of personal data to a country outside the EEA;
  • ensures that the persons authorised to process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • ensures security of processing;
  • shall not engage another data processor without prior specific or general written authorisation of the data controller;
  • assists the data controller in fulfilling the data controller’s obligations to respond to individuals’ requests to exercise their rights;
  • assists the data controller in securing the processing, notifying data breaches, and performing DPIAs;
  • at the choice of the data controller, deletes or returns all personal data to the data controller after the end of the provision of services;
  • makes available to the data controller all necessary information to demonstrate compliance with the obligations under the GDPR;
  • allows for and contributes to audits, including inspections conducted by the data controller or another auditor mandated by the data controller.

In addition, the data processor shall immediately inform the data controller if, in its opinion, instructions infringe the GDPR or other EU or national data protection provisions.

Can I transfer personal data outside the European Economic Area (EEA)?

Under the GDPR, there are, in principle, two main ways to transfer personal data to a non-EEA country or international organisation. Transfers may take place on the basis of an adequacy decision, or, in the absence of such a decision, on the basis of appropriate safeguards, including enforceable rights and legal remedies for individuals.

Is the Data Protection Officer (DPO) responsible for compliance with the GDPR?

The DPO cannot be held responsible for failure to comply with the GDPR. Compliance with the GDPR is the responsibility of the organisation that appointed the DPO.