Data controllers can only process personal data in one of the following circumstances:

• with the consent of the individuals concerned;
• where processing is necessary for the performance of a contract (a contract between your organisation and an individual);
• to meet a legal obligation under EU or national legislation;
• where processing is necessary for the performance of a task carried out in the public interest under EU or national legislation;
• to protect the vital interests of an individual;
• for your organisation’s legitimate interests - except where they are overridden by the rights and freedoms of individuals.

In addition, the GDPR establishes additional conditions for the processing of sensitive data.

More information:

• Process personal data lawfully

• Any processing of personal data must be lawful, fair and transparent.
• Only collect personal data for specified, explicit and legitimate purposes. The processing of an individual’s data must be strictly limited to the purpose(s) initially established, and therefore not processed for subsequent or other purpose(s) that are incompatible with the initial purposes.
• Only process personal data that is necessary and proportionate in light of the purpose envisaged.
• All personal data you process must be accurate and kept up to date. Inaccurate personal data must be rectified or erased.
• The storage of individuals’ personal data must be limited in time, in light of the purpose for which this data was collected and processed. As such, individuals’ personal data must be deleted or anonymised once this data is no longer necessary.
• The processing of individuals’ data must be done in a secure way. In this sense, robust cybersecurity controls, must be put in place to ensure that individuals’ data is adequately protected.

Finally, the controller is accountable. This means it is responsible for and must be able to demonstrate compliance with the principles above.

More information:

• Data protection basic

A valid contract between the data controller and data processor is obligatory under the GDPR. An infringement can be subject to an administrative fine up to 10M€ or up to 2% of the total annual turnover of a company, whichever is higher.

To help guide you when setting up a controller-processor agreement, the Danish and Slovenian data protection authorities, as well as the European Commission, have developed template agreements.

More information:

• Data controller or data processor

Yes, data processors (i.e. individuals or bodies that process data on behalf of a data controller), have obligations under the GDPR. There are, however, some differences between the responsibilities for data controllers and processors.

Data processors have to adhere to the responsibilities set out in the controller-processor contract, which details the processing operations and means to process personal data. For example, the processor will have to carry out the processing operations with the appropriate technical and organisational measures as instructed by the controller. In doing so, the processor assists the controller in complying with the GDPR.

More information:

• Data controller or data processor

The contract between the data controller and the data processor must stipulate that the data processor:

• processes the personal data only on the instructions of the data controller, including with regard to transfers of personal data to a country outside the EEA;
• ensures that the persons authorised to process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
• ensures security of processing;
• shall not engage another data processor without prior specific or general written authorisation of the data controller;
• assists the data controller for the fulfilment of the data controller’s obligations to respond to individual’s requests for exercising their rights;
• assists the data controller in securing the processing, notifying data breaches, and performing DPIAs;
• at the choice of the data controller, deletes or returns all personal data to the data controller after the end of the provision of services;
• makes available to the data controller all necessary information to demonstrate compliance with the obligations under the GDPR;
• allows for and contributes to audits, including inspections conducted by the data controller or another auditor mandated by the data controller.

In addition, the data processor shall immediately inform the data controller if, in its opinion, instructions infringe the GDPR or other EU or national data protection provisions.

More information:

• Data controller or data processor

The GDPR imposes obligations on all organisations that process personal data, regardless of whether they are data controllers or data processors.

In particular, you should:

• Ask yourself if the purpose for which personal data may be collected is justified, and collect only personal data that is necessary for the specific purpose(s) envisaged;
• Keep individuals’ personal data accurate and up to date, and delete the data when it is no longer necessary;
• Respect individuals’ rights by informing them about how and why their data are processed, and allowing them to exercise their rights;
• Check if you have an appropriate legal basis for the processing of personal data. In case you intend to rely on the consent of individuals, ask for their consent before processing their personal data;
• Make sure that individuals’ personal data is handled in a secure way;
• Maintain a record of processing operations.

Data processors will have to adhere to the responsibilities set out in the controller-processor contract, and they must not process the data otherwise than according to the controller’s instructions.

More information:

• Be compliant
• Data controller or data processor
• Data protection basics

When there are two or more data controllers who jointly determine the purpose and means of processing, they are considered joint controllers. They decide together to process personal data for a joint purpose. Joint controllership can take many forms and participation of the different controllers may be unequal. Joint controllers must therefore determine their respective responsibilities for compliance with the GDPR.

It is important to note that joint controllership leads to joint responsibility for a processing activity.

• Example of joint controllership:  Companies A and B have launched a co-branded product and wish to organise an event to promote this product. To that end, they decide to share data from their respective client and prospective client databases and decide on the list of invitees to the event on this basis. They also agree on the modalities for sending the invitations to the event, how to collect feedback during the event and follow-up marketing actions. Companies A and B can be considered joint controllers for the processing of personal data related to the organisation of the promotional event as they decide together on the jointly defined purpose and essential means of the data processing in this context.

More information:

• Data controller or data processor

The GDPR distinguishes between two main roles: those of data controller and data processor. This distinction is crucial as the data controller bears more responsibility and has to fulfil more obligations than the processor.

Data controllers and processors can be natural or legal persons, for example: an SME, a public authority, a company, an organisation, a state body, an association etc.

A data controller determines the purposes and means of a processing operation. In other words, the controller decides the how and why of a processing operation. Whereas processors process personal data on behalf of the controller. The processing carried out by processors needs to be regulated by a contract with the data controller or other legal act.

Examples of data controllers:

• companies that process the personal data of their customers to complete a sale;
• financial institutions that process personal data of their clients;
• associations that process the data of their members;
• schools or universities that process personal data of students and teachers;
• hospitals that process personal data of their patients;
• government agencies that process personal data of citizens.
   

Examples of data processors:

• an SME hires a bookkeeping service to keep its books and records, the SME is a data controller and the bookkeeping service a data processor;
• a payroll company processes personal data for an SME. The payroll company will act as a processor if it solely processes the personal data on behalf of the SME. The SME determines the purposes and means of the data processing, and is therefore data controller.
• an SME commissions a marketing company to collect email addresses via third-party websites.  The marketing company does this according to the explicit instructions of the SME and for the SME’s exclusive purposes. The marketing Company acts as processor for this collection.

More information:

• Data controller or data processor

You cannot store personal data forever.

As a rule, personal data can only be stored for as long necessary in light of the purposes for which the personal data is processed.

In some cases, the storage period can be determined by specific laws, for example, labour regulations determine a storage period for payroll lists.

Organisations should put in place data retention policies to make sure that personal data is not kept longer than is necessary. Individuals’ personal data must be deleted or anonymised once this data is no longer necessary for the purpose for which is was processed. 

More information:

• Data protection basics

No, the processing of sensitive data is generally prohibited, except under very specific circumstances:

• The individual has given their explicit consent for their sensitive data to be processed.
• The processing of sensitive data is necessary for the data controller to fulfil their obligations, specifically in the context of employment, social security and social protection. For example, the data controller may need to process a person’s sensitive data to be able to determine if they are entitled to certain social security benefits or employment stipends.
• The processing of sensitive data is necessary to protect the vital interests of a person where the individual is physically or legally incapable of giving consent. For example, if an individual is left unconscious as a result of an accident and requires immediate medical care, their health data may need to be processed for the appropriate medical care to be delivered.
• The processing of sensitive data is carried out in the context of the legitimate activities of a foundation, association or other non-for-profit organisation with a political, philosophical, religious or trade union aim, and only for the processing of the personal data of their members, former members or persons having regular contact with them.
• The sensitive data was manifestly made public by individual.
• The processing of sensitive data is necessary in the context of legal proceedings.
• The processing of sensitive data is necessary for matters of substantial public interest.
• The processing of sensitive data is necessary in the context of preventive or occupational medicine. For example, assessing an individual’s sensitive data, such as their medical data, may be necessary to determine their working capacity as an employee.
• The processing of sensitive data is necessary for matters of public health on the basis of EU or national law. For example, processing individuals’ sensitive data may be necessary to ensure a high quality of health care and a high quality of medical products, or to combat serious health threats, such as viruses.
• The processing of sensitive data is necessary for matters of archiving purposes in the public interest, or for scientific or historical  research purposes, or statistical purposes. For example, processing sensitive data may be necessary to provide accurate statistics on a country’s situation in a particular field. 

More information:

• Process personal data lawfully