Frequently Asked Questions

What should I do in case of a data breach?

A personal data breach is a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

  • If the data breach poses a risk to the individuals concerned, you must report it to the relevant data protection authority within 72 hours.
  • If the breach is likely to result in a high risk to individuals, you will also need to communicate that breach to the individuals concerned without undue delay.

In any case, for all breaches, even those that are not notified to a DPA, you must record at least the basic details of the breach, the assessment thereof, its effects, and the steps taken in response.

How can I respect individuals’ data protection rights?

The GDPR foresees specific rights for individuals that have to be respected. You can do this by:

  • informing individuals whose data you process about your processing operations and the processing purposes when you collect their data, for example via a privacy statement on your website;
  • responding to individuals’ requests to exercise their rights, such as access, rectification, objection, erasure or portability requests.

Organisations that are transparent about their use of personal data and that respect the rights of individuals are less likely to become subject to complaints.

Do you want to exercise data subject rights (erasure, rectification, access) regarding personal data stored in the Schengen Information System (SIS)?

The Coordinated Supervision Committee (hereinafter “CSC”), which exists within the EDPB, coordinates the supervision of the processing of personal data in the Schengen Information System (hereinafter “SIS”). The relevant EU legislation is Regulation (EU) 2018/1862 (in particular Article 71) and Regulation (EU) 2018/1861 (in particular Article 57).

For personal data held in the SIS, you have the right of access, rectification and erasure. These rights include:

  • the right to know whether information concerning you is processed in the SIS;
  • the right of access to that data;
  • the right to rectification of inaccurate data, or to erasure where the data was stored unlawfully; and
  • the right to turn to the courts, your data protection authority and/or the competent authorities, where appropriate, in order to have data concerning you rectified or erased, or to obtain compensation.

To exercise your rights, contact the competent national authority in the Schengen country of your choice. More information on the competent national authorities and the data protection authority in each Schengen country can be found in the Guide for exercising data subject rights, which is available on our website. You will also find model letters there to help you exercise your rights.

Please note that the EDPB does not have the competence to handle individual complaints or requests. In addition, the EDPB does not have access to the content of these information systems and databases.

More detailed information on how to exercise your rights is available on our website at https://www.edpb.europa.eu/our-work-tools/our-documents/csc-data-subject-rights/schengen-information-system-guide-exercising_sk.

How can I keep up with the EDPB’s work?

The EDPB regularly publishes press releases, news items, blogs and other content on the EDPB website and its social media channels (Twitter: @EU_EDPB; LinkedIn: European Data Protection Board) to keep the data protection community and the general public up to date with its work.

The EDPB website also has two RSS feeds, which you can subscribe to for automatic updates on EDPB news and the EDPB’s latest publications.

What is the GDPR?

The GDPR or General Data Protection Regulation creates a harmonised set of rules applicable to all personal data processing by organisations (public or private, regardless of their size) established in the European Economic Area (EEA) or targeting individuals in the EU. The primary objective of GDPR is to ensure that personal data enjoys the same high standard of protection everywhere in the EEA, increasing legal certainty for both individuals and organisations processing data, and offering a high degree of protection for individuals.

The regulation entered into force on 24 May 2016 and has applied since 25 May 2018.

What are my rights under the GDPR?

All individuals residing in the European Economic Area (EEA) have the right to the protection of their personal data.

More specifically, under the GDPR, you have several rights:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Right not to be subject to a decision based solely on automated processing.

For more information on your rights, please consult our leaflet The GDPR and your rights or the EDPB Data Protection Guide for small business.

Does the GDPR also apply to paper records?

Yes, the GDPR applies if the personal data are contained or are intended to be contained in a filing system. This means that the GDPR also applies to paper records and not solely to automated processing of personal data.

What is a joint controller?

When there are two or more data controllers who jointly determine the purpose and means of processing, they are considered joint controllers. They decide together to process personal data for a joint purpose. Joint controllership can take many forms and participation of the different controllers may be unequal. Joint controllers must therefore determine their respective responsibilities for compliance with the GDPR.

It is important to note that joint controllership leads to joint responsibility for a processing activity.

  • Example of joint controllership: Companies A and B have launched a co-branded product and wish to organise an event to promote this product. To that end, they decide to share data from their respective client and prospective client databases and decide on the list of invitees to the event on this basis. They also agree on the modalities for sending the invitations to the event, how to collect feedback during the event and follow-up marketing actions. Companies A and B can be considered joint controllers for the processing of personal data related to the organisation of the promotional event as they decide together on the jointly defined purpose and essential means of the data processing in this context.

I am organising an event as part of my business activities. Can I take photos and videos of the event and the people attending?

Yes, but in order to do this, you will first need to determine the legal basis for processing this type of personal data. For example, the processing could be considered as a legitimate interest for your organisation. When processing personal data on the basis of legitimate interest, it is always necessary to conduct a balancing test to determine whether your legitimate interests outweigh individuals’ rights, particularly if children are involved.

Another possible legal basis for such processing could be consent. At any rate, individuals should always be informed in advance that the event is being photographed or filmed.

Are you writing about a non-EU country recognised as providing an adequate level of data protection (adequacy decisions)?

The European Commission can decide whether a country outside Europe (or an international organisation) offers an “adequate” level of data protection, which facilitates data flows between Europe and that country.

The EDPB is responsible for issuing opinions on draft adequacy decisions before the European Commission takes its decision. The opinions are not binding on the European Commission, but are usually useful for the other organisations consulted in this framework, such as the EU Member States.

In addition, the European Commission is entitled to monitor developments in non-European countries that could affect adequacy decisions. Some adequacy decisions set a specific periodicity for reviewing the decision and may refer to the possibility for EDPB representatives to take part in the review process organised by the European Commission.

Please also note that European data protection authorities can protect individuals with regard to data transfers carried out in connection with an adequacy decision (a list of these can be found on our website: https://edpb.europa.eu/about-edpb/our-members).

If you consider that an existing adequacy decision is not in line with your fundamental individual rights to privacy and data protection, you can lodge a complaint with your data protection authority, which may bring these objections before a national court, which may be required to make a reference for a preliminary ruling to the Court of Justice [see Article 58(5) of the General Data Protection Regulation and the judgment of the Court of Justice in Schrems (Case C-362/14)].

Further information can be found at: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_sk

The deadline for submitting comments to a public consultation has expired. Can I still submit comments?

Unfortunately, the EDPB cannot consider late contributions as part of the public consultation.

Do I need to be certified to become a Data Protection Officer (DPO)?

No, you do not need to be certified to become a DPO.

DPOs must, however, be able to demonstrate that they have the necessary qualifications required by the GDPR, such as expert knowledge of data protection law and practices.

What is a data protection impact assessment and when is this mandatory?

A Data Protection Impact Assessment or DPIA is a written assessment that your organisation should make to evaluate the impact of a planned processing operation. It helps you to identify the appropriate measures to address the risks, and to demonstrate compliance.

While it is always preferable to anticipate the impact of your organisation’s planned processing operations by carrying out a DPIA, it is compulsory to carry out a DPIA when the processing is likely to result in a high risk for individuals’ rights and freedoms.

Specifically, this is the case when the envisaged processing involves:

  • the processing, on a large scale, of sensitive personal data or data related to criminal convictions;
  • a systematic and extensive evaluation of an individual’s personal aspects based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual in question or similarly significantly affect individuals;
  • systematic monitoring of a publicly accessible area on a large scale.

The EDPB has developed guidelines which list the criteria you need to take into account when assessing whether a DPIA is mandatory or not. Data protection authorities (DPAs) have also published lists of processing operations which are subject to a DPIA. In addition, several DPAs have developed guides, software, or self-assessment tools to help you with your assessment.

Do data processors also have to respect the GDPR?

Yes, data processors (i.e. individuals or bodies that process data on behalf of a data controller) have obligations under the GDPR. There are, however, some differences between the responsibilities of data controllers and processors.

Data processors have to adhere to the responsibilities set out in the controller-processor contract, which details the processing operations and means to process personal data. For example, the processor will have to carry out the processing operations with the appropriate technical and organisational measures as instructed by the controller. In doing so, the processor assists the controller in complying with the GDPR.

What should be included in a controller-processor contract?

The contract between the data controller and the data processor must stipulate that the data processor:

  • processes the personal data only on the instructions of the data controller, including with regard to transfers of personal data to a country outside the EEA;
  • ensures that the persons authorised to process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • ensures security of processing;
  • shall not engage another data processor without prior specific or general written authorisation of the data controller;
  • assists the data controller in fulfilling the data controller’s obligations to respond to individuals’ requests for exercising their rights;
  • assists the data controller in securing the processing, notifying data breaches, and performing DPIAs;
  • at the choice of the data controller, deletes or returns all personal data to the data controller after the end of the provision of services;
  • makes available to the data controller all necessary information to demonstrate compliance with the obligations under the GDPR;
  • allows for and contributes to audits, including inspections conducted by the data controller or another auditor mandated by the data controller.

In addition, the data processor shall immediately inform the data controller if, in its opinion, instructions infringe the GDPR or other EU or national data protection provisions.

Can I transfer personal data outside the European Economic Area (EEA)?

Under the GDPR, there are, in principle, two main ways to transfer personal data to a non-EEA country or international organisation. Transfers may take place on the basis of an adequacy decision, or, in the absence of such a decision, on the basis of appropriate safeguards, including enforceable rights and legal remedies for individuals.

Is the Data Protection Officer (DPO) responsible for compliance with the GDPR?

The DPO cannot be held responsible for failure to comply with the GDPR. Compliance with the GDPR is the responsibility of the organisation that appointed the DPO.
