Frequently Asked Questions
Who is data controller and who is data processor?
The GDPR distinguishes between two main roles: those of data controller and data processor. This distinction is crucial as the data controller bears more responsibility and has to fulfil more obligations than the processor.
Data controllers and processors can be natural or legal persons, for example: an SME, a public authority, a company, an organisation, a state body, an association etc.
A data controller determines the purposes and means of a processing operation. In other words, the controller decides the how and why of a processing operation. Processors, on the other hand, process personal data on behalf of the controller. The processing carried out by processors needs to be governed by a contract with the data controller or by another legal act.
Examples of data controllers:
- companies that process the personal data of their customers to complete a sale;
- financial institutions that process personal data of their clients;
- associations that process the data of their members;
- schools or universities that process personal data of students and teachers;
- hospitals that process personal data of their patients;
- government agencies that process personal data of citizens.
Examples of data processors:
- an SME hires a bookkeeping service to keep its books and records; the SME is a data controller and the bookkeeping service a data processor;
- a payroll company processes personal data for an SME. The payroll company acts as a processor if it solely processes the personal data on behalf of the SME. The SME determines the purposes and means of the data processing and is therefore the data controller;
- an SME commissions a marketing company to collect email addresses via third-party websites. The marketing company does this according to the explicit instructions of the SME and for the SME’s exclusive purposes. The marketing company acts as processor for this collection.
What is personal data?
Personal data means any information relating to an identified or identifiable individual. An identifiable individual is anyone who can be identified, either directly or indirectly. Different pieces of information that added together could lead to the identification of a particular person also constitute personal data.
Examples of personal data include:
- name and surname;
- a home address;
- an email address;
- an ID card number;
- location data;
- an Internet Protocol (IP) address;
- a cookie ID;
- bank accounts;
- tax reports;
- biometric data (such as a fingerprint);
- a social security number;
- passport number;
- test results;
- grades in school;
- browsing history;
- a photograph of an individual;
- a vehicle registration number, etc.
Am I required to make my record of processing public?
No, it is not necessary to make your record of processing public. You must, however, be able to make the record available to the data protection authority upon request.
What is the GDPR?
The GDPR, or General Data Protection Regulation, creates a harmonised set of rules applicable to all personal data processing by organisations (public or private, regardless of their size) established in the European Economic Area (EEA) or targeting individuals in the EU. The primary objective of the GDPR is to ensure that personal data enjoys the same high standard of protection everywhere in the EEA, increasing legal certainty for both individuals and organisations processing data, and offering a high degree of protection for individuals.
The regulation entered into force on 24 May 2016 and applies since 25 May 2018.
How can I keep up with the EDPB’s work?
The EDPB regularly publishes press releases, news items, blogs and other content on the EDPB website and its social media channels (Twitter: @EU_EDPB; LinkedIn: European Data Protection Board) to keep the data protection community and the general public up to date with its work.
The EDPB website also has two RSS feeds, which you can subscribe to for automatic updates on EDPB news and the EDPB’s latest publications.
Do I need a record of processing?
Generally speaking, every organisation should keep a record of its processing activities. This is an inventory of all processing operations and helps you assess correctly your responsibilities under the GDPR and the possible risks.
Each of these processing operations must be described in the record with the following information:
- the purpose of the processing (e.g. customer loyalty);
- the categories of data processed (e.g. for payroll: name, first name, date of birth, salary, etc.);
- who has access to the data (the recipients – e.g.: the department in charge of recruitment, the IT service, management, service providers, partners...);
- where applicable, information related to transfers of personal data outside the European Economic Area (EEA);
- where possible, the storage period (the period for which the data are useful from an operational point of view, and from an archiving perspective);
- where possible, a general description of the security measures.
The record of processing activities falls under the responsibility of your organisation’s manager.
This record must be available to the data protection authority of the EEA country where you operate, if requested.
Organisations employing fewer than 250 persons are not required to mention purely occasional activities in their record (e.g. data processed for one-off events such as the opening of a shop).
Can I share a list of individuals’ personal data with my business partners (third parties)?
Yes, you can, but the GDPR places certain obligations on businesses that share personal data. Your organisation must inform individuals that you will share their data with a third party. You must also inform them of your purposes and of the security, access and retention measures that will apply.
What is sensitive data?
Some types of personal data belong to special categories of personal data, so-called sensitive data, which deserve more protection. Sensitive data includes data that reveals information about:
- an individual’s health;
- an individual’s sexual orientation;
- an individual’s racial or ethnic origin;
- an individual’s political opinions, religious or philosophical beliefs;
- an individual’s trade union membership;
- an individual’s biometric and genetic data.
The processing of an individual’s sensitive data is generally prohibited, except under specific circumstances that justify its processing.
What is the difference between pseudonymised data and anonymised data?
Pseudonymisation consists of transforming personal data so that it can no longer be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an individual. In practice, it may mean replacing personal data (name, first name, personal number, phone number, etc.) in a data set with indirectly identifying data (alias, sequential number, etc.). Pseudonymised data is still personal data and is subject to the GDPR.
Anonymised data is data that has been rendered anonymous in such a manner that the individual is not or no longer identifiable by any means that are reasonably likely to be used. When the anonymisation is implemented properly, the GDPR no longer applies to the anonymised data.
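As an added illustration (not from the original page, using constructed sample records): the sequential-alias replacement described above, with the alias table as the separately held "additional information" that makes re-identification possible, beside an aggregation step that discards every per-person row and key.

```python
import itertools

# Constructed sample records (not from the original page); two rows belong to the same person.
RECORDS = [
    {"name": "Anna Example", "phone": "+32 470 00 00 01", "city": "Brussels", "birth_year": 1985},
    {"name": "Ben Sample", "phone": "+32 470 00 00 02", "city": "Ghent", "birth_year": 1990},
    {"name": "Carla Specimen", "phone": "+32 470 00 00 03", "city": "Brussels", "birth_year": 1988},
    {"name": "Anna Example", "phone": "+32 470 00 00 01", "city": "Brussels", "birth_year": 1985},
]
DIRECT_IDENTIFIERS = ("name", "phone")


class Pseudonymiser:
    """Replace direct identifiers with a sequential alias.

    lookup_table is the 'additional information' the GDPR requires to be
    kept separately; whoever holds it can reverse the pseudonymisation.
    """

    def __init__(self):
        self._counter = itertools.count(1)
        self._key_to_alias = {}
        self.lookup_table = {}  # alias -> original identifiers, store apart from the data set

    def pseudonymise(self, record):
        key = tuple(record[f] for f in DIRECT_IDENTIFIERS)
        alias = self._key_to_alias.get(key)
        if alias is None:  # the same person always receives the same alias
            alias = f"P{next(self._counter):04d}"
            self._key_to_alias[key] = alias
            self.lookup_table[alias] = dict(zip(DIRECT_IDENTIFIERS, key))
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        out["alias"] = alias
        return out

    def reidentify(self, pseudo_record):
        # Needs the lookup table: that is why pseudonymised data is still personal data.
        return {**pseudo_record, **self.lookup_table[pseudo_record["alias"]]}


def anonymise(pseudo_records, min_count=2):
    """Aggregate each person once into generalised (city, decade) cells and
    suppress cells below min_count, so no row or key can single out an individual."""
    per_person = {r["alias"]: r for r in pseudo_records}
    counts = {}
    for r in per_person.values():
        cell = (r["city"], f"{r['birth_year'] // 10 * 10}s")
        counts[cell] = counts.get(cell, 0) + 1
    return {cell: n for cell, n in counts.items() if n >= min_count}
```

Whether the aggregated output is truly anonymous still depends on the whole release context (other available data, cell sizes); the threshold here is only an illustration of the principle.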
Do I need consent in order to use cookies on my organisation’s website?
The GDPR applies to the use of cookies when these are used to process personal data, but there are also more specific rules for cookies included in the ePrivacy Directive.
The storing of a cookie, or the gaining of access to a cookie already stored, in the terminal equipment of a user is only allowed on condition that the subscriber or user concerned has been adequately informed (in particular about the purposes of the processing) and has given their consent.
The only exception is technically necessary cookies. Organisations do not need to ask for consent when using technically necessary cookies on their websites.