Frequently Asked Questions
Can I transfer personal data outside the European Economic Area (EEA)?
Under the GDPR, there are, in principle, two main ways to transfer personal data to a non-EEA country or international organisation. Transfers may take place on the basis of an adequacy decision, or, in the absence of such a decision, on the basis of appropriate safeguards, including enforceable rights and legal remedies for individuals.
More information:
Does the GDPR also apply to paper records?
Yes, the GDPR applies if the personal data are contained or are intended to be contained in a filing system. This means that the GDPR also applies to paper records and not solely to automated processing of personal data.
More information:
What are the sanctions if my organisation does not comply with the GDPR or if my processing violates the GDPR?
Compliance with the GDPR is monitored by the national data protection authorities (DPAs). DPAs can conduct investigations and impose sanctions where necessary. DPAs have a number of tools at their disposal, including fines up to 20 M€ or 4% of the worldwide annual turnover whichever is higher, reprimands, and temporary or permanent processing bans.
You can find the contact details for all EEA DPAs on the EDPB website: Members
More information:
Do data processors also have to respect the GDPR?
Yes, data processors (i.e. individuals or bodies that process data on behalf of a data controller), have obligations under the GDPR. There are, however, some differences between the responsibilities for data controllers and processors.
Data processors have to adhere to the responsibilities set out in the controller-processor contract, which details the processing operations and means to process personal data. For example, the processor will have to carry out the processing operations with the appropriate technical and organisational measures as instructed by the controller. In doing so, the processor assists the controller in complying with the GDPR.
More information:
Do I need to be certified to become a Data Protection Officer (DPO)?
No, you do not need to be certified to become a DPO.
DPOs must, however, be able to demonstrate that they have the necessary qualifications required by the GDPR, such as expert knowledge of data protection law and practices.
More information:
Does my organisation have to comply with the GDPR?
Every organisation, regardless of the their size or sector, established in the European Economic Area (EEA) or offering products or services to individuals in the EEA, processing personal data whether or not by automated means needs to comply with the GDPR. Even if the GDPR mainly relates to automated processing of personal data, processing operations carried out manually will also be subject to the GDPR from the moment the paper files are organised in a systematic manner, e.g. ordered alphabetically in a filing cabinet.
Examples of processing operations include collecting, recording, organising, using, modifying, storing, disclosing, altering and erasing individuals’ personal data.
Nevertheless, the application of the GDPR is modulated according to the nature, context, purposes and risks of the processing operations carried out. For SMEs whose core business is not the processing of personal data, the obligations can be less strict than for a large company.
More information:
I am organising an event as part of my business activities, can I make photos and videos of the event and the people attending?
Yes, but in order to do this, you will first need to determine the legal basis for processing this type of personal data. For example, the processing could be considered as a legitimate interest for your organisation. When processing personal data on the basis of legitimate interest, it is always necessary to conduct a balancing test to determine whether your legitimate interests outweigh individuals’ rights, particularly if children are involved.
Another possible legal basis for such processing could be consent. At any rate, individuals should always be informed in advance that the event is being photographed or filmed.
More information:
If I want to store CVs of candidates for future recruitment procedures, do I need to ask for the candidates’ consent?
Consent could indeed be a valid legal basis for storing job applicants’ CVs. Another possible legal basis could be legitimate interest. In that case, you would have to carry out a balancing test to prove that your organisation’s legitimate interests outweigh the applicants’ rights.
At any rate, you will have to inform the candidates that you plan to store their data and for which purposes.
More information:
Is the Data Protection Officer (DPO) responsible for compliance with the GDPR?
The DPO cannot be held responsible for failure to comply with the GDPR. Compliance with the GDPR is the responsibility of the organisation that appointed the DPO.
More information:
What are cookies?
Cookies are small files stored on a device, such as a computer, a mobile device or any other device that can store information. Cookies serve a number of important functions, including remembering users and their previous interactions with a website. They can be used to keep track of items in an online shopping cart or to keep track of information when details are inserted into an online application form.
Authentication cookies are also important to identify users when they log into banking services and other online services. The information stored in cookies can include personal data, such as an IP address, a username, a unique identifier, or an email address.