Frequently Asked Questions
Does my organisation have to comply with the GDPR?
Every organisation, regardless of its size or sector, that is established in the European Economic Area (EEA) or offers products or services to individuals in the EEA, and that processes personal data, whether or not by automated means, needs to comply with the GDPR. Even though the GDPR mainly relates to automated processing of personal data, processing operations carried out manually are also subject to the GDPR from the moment the paper files are organised in a systematic manner, e.g. ordered alphabetically in a filing cabinet.
Examples of processing operations include collecting, recording, organising, using, modifying, storing, disclosing, altering and erasing individuals’ personal data.
Nevertheless, the application of the GDPR is modulated according to the nature, context, purposes and risks of the processing operations carried out. For SMEs whose core business is not the processing of personal data, the obligations can be less strict than for a large company.
Can I share a list of individuals’ personal data with my business partners (third parties)?
Yes, you can, but the GDPR places certain obligations on businesses which share personal data. Your organisation must inform individuals that you will share their data with a third party. You must also inform them of your purposes, security, access and the retention measures that will apply.
What are the tasks of the Data Protection Officer (DPO)?
The tasks of the DPO include, among others:
- to inform and advise the organisation and its employees on data protection compliance;
- to monitor data protection compliance;
- to provide advice on requests concerning the data protection impact assessment (DPIA);
- to act as a contact point for the data protection authority (DPA) and to cooperate with that DPA;
- to act as a contact point for individuals.
In addition, the DPO’s presence is generally recommended where decisions with data protection implications are taken. The DPO should also be promptly consulted once a data breach or another incident has occurred.
Should I appoint a Data Protection Officer (DPO)?
The appointment of a DPO is mandatory in the following three cases:
- the organisation is a public authority;
- the organisation’s core activities consist in regular and systematic monitoring of individuals on a large scale, for example geolocation via a mobile application, or surveillance of shopping centres and public spaces through CCTV;
- the organisation’s core activities consist in large-scale processing of sensitive data or personal data relating to criminal convictions and offences.
You can always appoint a DPO on a voluntary basis, even if this is not legally required. Please note that in that case, you must comply with all the provisions of the GDPR concerning the tasks and position of the data protection officer.
Do I need consent in order to use cookies on my organisation’s website?
The GDPR applies to the use of cookies when these are used to process personal data, but there are also more specific rules for cookies included in the ePrivacy Directive.
The storing of a cookie, or the gaining of access to a cookie already stored, in the terminal equipment of a user is only allowed on condition that the subscriber or user concerned has been adequately informed (in particular about the purposes of the processing) and has given their consent.
The only exception is technically necessary cookies. Organisations do not need to ask for consent when using technically necessary cookies on their websites.
What are cookies?
Cookies are small files stored on a device, such as a computer, a mobile device or any other device that can store information. Cookies serve a number of important functions, including remembering users and their previous interactions with a website. They can be used to keep track of items in an online shopping cart or to keep track of information when details are inserted into an online application form.
Authentication cookies are also important to identify users when they log into banking services and other online services. The information stored in cookies can include personal data, such as an IP address, a username, a unique identifier, or an email address.
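The consent rule from the two cookie questions above, as an added example that is not part of the original FAQ: each cookie a site sets is registered with a purpose category, only the "necessary" category may be written without consent, and every other category is refused unless the stored consent record explicitly opts in. The cookie names, categories and consent records are constructed for illustration, and the `jar` object stands in for `document.cookie` so the code runs outside a browser.

```javascript
// Added example (not from the original FAQ): a consent gate for cookie writes.
// Cookie names, categories and the consent record are constructed for illustration.

// Registry of the cookies a site sets, each tagged with a purpose category.
// Only "necessary" may be written without consent; the other categories need
// an explicit opt-in in the consent record.
const COOKIE_REGISTRY = {
  session_id: { category: "necessary", purpose: "keeps the user logged in" },
  csrf_token: { category: "necessary", purpose: "protects forms against CSRF" },
  cart: { category: "necessary", purpose: "items in the shopping basket" },
  ui_lang: { category: "functional", purpose: "remembers interface language" },
  _analytics_uid: { category: "analytics", purpose: "measures site usage" },
  ad_profile: { category: "marketing", purpose: "targeted advertising" },
};

const NO_CONSENT_REQUIRED = new Set(["necessary"]);

// A consent record as a consent banner might store it: category -> boolean.
// Absent categories count as "not consented" (no silent opt-in).
function hasConsent(consent, category) {
  if (NO_CONSENT_REQUIRED.has(category)) return true;
  return consent !== null && consent !== undefined && consent[category] === true;
}

// Decide whether a cookie may be written. Returns an object describing the
// decision so the caller can log refusals (useful evidence of compliance).
function evaluateCookie(name, consent) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) {
    return { allowed: false, reason: "unregistered cookie: " + name };
  }
  if (!hasConsent(consent, entry.category)) {
    return { allowed: false, reason: "no consent for category " + entry.category };
  }
  return { allowed: true, reason: "ok", category: entry.category };
}

// Write through the gate. `jar` stands in for document.cookie so the example
// runs outside a browser; in a page you would write to document.cookie with
// the usual Secure/HttpOnly/SameSite attributes where appropriate.
function setCookieWithConsent(jar, name, value, consent) {
  const decision = evaluateCookie(name, consent);
  if (decision.allowed) {
    jar[name] = value;
  }
  return decision;
}

// Re-check an existing jar after consent is withdrawn and remove cookies
// whose category is no longer permitted.
function purgeWithoutConsent(jar, consent) {
  const removed = [];
  for (const name of Object.keys(jar)) {
    if (!evaluateCookie(name, consent).allowed) {
      delete jar[name];
      removed.push(name);
    }
  }
  return removed;
}

// Demonstration with a constructed consent record (analytics only).
function demo() {
  const jar = {};
  const consentAnalyticsOnly = { analytics: true };
  setCookieWithConsent(jar, "session_id", "abc123", null);                    // allowed, necessary
  setCookieWithConsent(jar, "_analytics_uid", "u-42", consentAnalyticsOnly);  // allowed, opted in
  setCookieWithConsent(jar, "ad_profile", "p-7", consentAnalyticsOnly);       // refused, no opt-in
  const removed = purgeWithoutConsent(jar, null);                             // user withdraws consent
  return { jar, removed };
}
```

Unregistered cookies are refused outright, which forces every cookie to be documented with a purpose before it can be set; that documentation is also what the information duty in the answer above requires you to show users.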
What should be included in a controller-processor contract?
The contract between the data controller and the data processor must stipulate that the data processor:
- processes the personal data only on the instructions of the data controller, including with regard to transfers of personal data to a country outside the EEA;
- ensures that the persons authorised to process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- ensures security of processing;
- shall not engage another data processor without prior specific or general written authorisation of the data controller;
- assists the data controller in fulfilling the data controller’s obligations to respond to individuals’ requests for exercising their rights;
- assists the data controller in securing the processing, notifying data breaches, and performing DPIAs;
- at the choice of the data controller, deletes or returns all personal data to the data controller after the end of the provision of services;
- makes available to the data controller all necessary information to demonstrate compliance with the obligations under the GDPR;
- allows for and contributes to audits, including inspections conducted by the data controller or another auditor mandated by the data controller.
In addition, the data processor shall immediately inform the data controller if, in its opinion, instructions infringe the GDPR or other EU or national data protection provisions.
Can I only process personal data when I have the individual’s consent?
Processing personal data is allowed if there is a legal basis for it. In addition to free, specific, informed and unambiguous consent, other legal bases for processing can be used.
In other words, consent is necessary when none of the other legal bases applies.
Can I transfer personal data outside the European Economic Area (EEA)?
Under the GDPR, there are, in principle, two main ways to transfer personal data to a non-EEA country or international organisation. Transfers may take place on the basis of an adequacy decision, or, in the absence of such a decision, on the basis of appropriate safeguards, including enforceable rights and legal remedies for individuals.
What are the legal bases for processing under the GDPR?
Data controllers can only process personal data in one of the following circumstances:
- with the consent of the individuals concerned;
- where processing is necessary for the performance of a contract (a contract between your organisation and an individual);
- to meet a legal obligation under EU or national legislation;
- where processing is necessary for the performance of a task carried out in the public interest under EU or national legislation;
- to protect the vital interests of an individual;
- for your organisation’s legitimate interests, except where they are overridden by the rights and freedoms of individuals.
In addition, the GDPR establishes additional conditions for the processing of sensitive data.