The GDPR applies to the use of cookies when these are used to process personal data, but there are also more specific rules for cookies included the ePrivacy Directive.

The storing of a cookie, or the gaining of access to a cookie already stored, in the terminal equipment of a user is only allowed on condition that the subscriber or user concerned has been adequately informed (in particular about the purposes of the processing) and has given their consent.

The only exception are technically necessary cookies. Organisations do not need to ask for consent when using technically necessary cookies on their websites.

More information:

• Process personal data lawfully

No, you do not need to be certified to become a DPO.

DPOs must, however, be able to demonstrate that they have the necessary qualifications required by the GDPR, such as expert knowledge of data protection law and practices.

More information:

• Data Protection Officer

   

Yes, the GDPR applies if the personal data are contained or are intended to be contained in a filing system. This means that the GDPR also applies to paper records and not solely to automated processing of personal data.

More information:

• Data protection basics

Individuals have the right to request erasure of personal data concerning them and in that case, the controller has the obligation to erase the personal data. You should respond without undue delay and at the latest within one month after receipt of the request. This deadline can be extended by another two months if the request is too complex and more time is needed to comply with the request, provided that the individual is informed of this within one month after receiving the request.

It is important to note that the right to erasure is not absolute. It does not apply when the data in question is necessary for:

• exercising the right to freedom of expression and information (e.g. for journalistic purposes);
• compliance with a legal obligation which requires the processing of personal data (e.g. processing records on employees’ work hours);
• reasons of public interest in the area of public health
• archiving purposes in the public interest or scientific or historical research purposes or statistical purposes; and
• the establishment, exercise or defence of legal claims.

When the personal data that is to be erased was previously transferred to other organisations, you must inform these recipients that the individual has requested erasure, unless this proves impossible or would require disproportionate efforts.

More information:

• Respect individuals’ rights

   

When there are two or more data controllers who jointly determine the purpose and means of processing, they are considered joint controllers. They decide together to process personal data for a joint purpose. Joint controllership can take many forms and participation of the different controllers may be unequal. Joint controllers must therefore determine their respective responsibilities for compliance with the GDPR.

It is important to note that joint controllership leads to joint responsibility for a processing activity.

• Example of joint controllership:  Companies A and B have launched a co-branded product and wish to organise an event to promote this product. To that end, they decide to share data from their respective client and prospective client databases and decide on the list of invitees to the event on this basis. They also agree on the modalities for sending the invitations to the event, how to collect feedback during the event and follow-up marketing actions. Companies A and B can be considered joint controllers for the processing of personal data related to the organisation of the promotional event as they decide together on the jointly defined purpose and essential means of the data processing in this context.

More information:

• Data controller or data processor

Organisations must, in the case of direct collection of personal data from the individuals concerned, provide information about the processing operations in a concise and transparent way, using understandable, easily accessible and clear and plain language. This can be done in writing (e.g. on the reverse side of a tender) or by electronic means (e.g. on a website). If the person concerned so requests, you may also provide this information orally, but you must be able to prove this afterwards.

Even when the data was collected indirectly, i.e. if you do not directly collect the personal data from an individual yourself, but for example via a third party, you must provide the same detailed information to individuals

Personal data means any information relating to an identified or identifiable individual. An identifiable individual is anyone who can be identified, either directly or indirectly. Different pieces of information that added together could lead to the identification of a particular person also constitute personal data.

Examples of personal data include:

• name and surname;
• a home address;
• an email address;
• an ID card number;
• location data;
• an Internet Protocol (IP) address;
• a cookie ID;
• bank accounts;
• tax reports;
• biometric data (like fingerprint);
• a social security number;
• passport number;
• test results;
• grades in school;
• browsing history;
• photograph of individual;
• vehicle registration number etc.

More information:

• Data protection basics

The contract between the data controller and the data processor must stipulate that the data processor:

• processes the personal data only on the instructions of the data controller, including with regard to transfers of personal data to a country outside the EEA;
• ensures that the persons authorised to process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
• ensures security of processing;
• shall not engage another data processor without prior specific or general written authorisation of the data controller;
• assists the data controller for the fulfilment of the data controller’s obligations to respond to individual’s requests for exercising their rights;
• assists the data controller in securing the processing, notifying data breaches, and performing DPIAs;
• at the choice of the data controller, deletes or returns all personal data to the data controller after the end of the provision of services;
• makes available to the data controller all necessary information to demonstrate compliance with the obligations under the GDPR;
• allows for and contributes to audits, including inspections conducted by the data controller or another auditor mandated by the data controller.

In addition, the data processor shall immediately inform the data controller if, in its opinion, instructions infringe the GDPR or other EU or national data protection provisions.

More information:

• Data controller or data processor

A personal data breach is a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

• If the data breach poses a risk to the individuals concerned, you must report it to the relevant data protection authority within 72 hours.
• If the breach is likely to result in a high risk to individuals, you will also need to communicate that breach to the individuals concerned without undue delay.

In any case, for all breaches – even those that are not notified to a DPA - you must record at least the basic details of the breach, the assessment thereof, its effects, and the steps taken in response.

More information:

• Data breaches

Individuals can ask you whether you are processing their data and where it is the case, they have a right to access that data. So when this happens and if you process their data, you should, for example provide a copy of their personal data, free of charge, together with any necessary additional information. Where a request is made electronically, your organisation should provide the required information in a commonly used electronic format, unless the individual requests otherwise.

More information:

• Respect individuals’ rights