Processing personal data means any type of activity (processing operation) performed on or with individuals’ personal data. This includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, inquiry, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

The GDPR applies to the use of cookies when these are used to process personal data, but there are also more specific rules for cookies included the ePrivacy Directive.

The storing of a cookie, or the gaining of access to a cookie already stored, in the terminal equipment of a user is only allowed on condition that the subscriber or user concerned has been adequately informed (in particular about the purposes of the processing) and has given their consent.

The only exception are technically necessary cookies. Organisations do not need to ask for consent when using technically necessary cookies on their websites.

More information:

• Process personal data lawfully

Compliance with the GDPR is monitored by the national data protection authorities (DPAs). DPAs can conduct investigations and impose sanctions where necessary. DPAs have a number of tools at their disposal, including fines up to 20 M€ or 4% of the worldwide annual turnover whichever is higher, reprimands, and temporary or permanent processing bans.

You can find the contact details for all EEA DPAs on the EDPB website: Members

More information:

• Data Protection Authority & you

A Data Protection Impact Assessment or DPIA is a written assessment that your organisation should make to evaluate the impact of a planned processing operation. It helps you to identify the appropriate measures to address the risks, and to demonstrate compliance.

While it is always preferable to anticipate the impact of planned processing operations of your organisation by doing DPIA, it is compulsory to carry out a DPIA when the processing is likely to result in a high risk for individuals’ rights and freedoms.

Specifically, this is the case when the envisaged processing involves:

• the processing - on a large scale- of sensitive personal data or data related to criminal convictions;  
• a systematic and extensive evaluation of an individual’s personal aspects based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual in questions or similarly significantly affect individuals;
• systematic monitoring of a publicly accessible area on a large scale.

The EDPB has developed guidelines which list the criteria you need to take into account when assessing whether a DPIA is mandatory or not. Data protection authorities (DPAs) have also published lists of processing operations which are subject to a DPIA. In addition several DPAs have developed guides, software, or self-assessment tools to help you with your assessment.

More information:

• Be compliant

The contract between the data controller and the data processor must stipulate that the data processor:

• processes the personal data only on the instructions of the data controller, including with regard to transfers of personal data to a country outside the EEA;
• ensures that the persons authorised to process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
• ensures security of processing;
• shall not engage another data processor without prior specific or general written authorisation of the data controller;
• assists the data controller for the fulfilment of the data controller’s obligations to respond to individual’s requests for exercising their rights;
• assists the data controller in securing the processing, notifying data breaches, and performing DPIAs;
• at the choice of the data controller, deletes or returns all personal data to the data controller after the end of the provision of services;
• makes available to the data controller all necessary information to demonstrate compliance with the obligations under the GDPR;
• allows for and contributes to audits, including inspections conducted by the data controller or another auditor mandated by the data controller.

In addition, the data processor shall immediately inform the data controller if, in its opinion, instructions infringe the GDPR or other EU or national data protection provisions.

More information:

• Data controller or data processor

The first step to installing CCTV is to identify the purpose or purposes for doing so. The purposes for installing CCTV can be varied, such as ensuring the security of premises, aiding in the prevention and detection of theft and other crimes, or protection of the lives and health of employees, due to the nature of work.

As with any processing of personal data, the recording of individuals  must have a legal basis under the GDPR. Consent can provide a legal basis for such data processing. However, this is unlikely to apply to the use of CCTV in most cases, as it will be difficult to obtain the freely given consent of everyone likely to be recorded. The most common legal ground for this kind of processing of personal data is legitimate interest. When processing is based on a legitimate interest, you will need to carry out a balancing test to determine whether your legitimate interests outweigh individual’s rights.

You will need to inform individuals that they are being recorded. This can be done by placing easy to read signs in prominent places. In addition, a sign indicating the purpose of the CCTV system and the identity and contact details of the data controller should be placed at all entrances.

Individuals whose images are being recorded by a CCTV system should be provided with, the following information:

• the identity and contact details of the data controller;
• the purposes of the processing;
• the legal basis of the processing (if legitimate interest, specific information about which legitimate interests relate to the specific processing, and about which  entity  pursues  each  legitimate  interest.);
• the contact details of the Data Protection Officer, DPO (if there is a DPO);
• the recipients or categories of recipients of the data;
• the security arrangements for the CCTV footage;
• the retention period for CCTV footage;
• the existence of individuals’ rights under the GDPR and the right to lodge a complaint with the national data protection authority.

More information:

• Process personal data lawfully
• Respect individuals’ rights

Under the GDPR, there are, in principle, two main ways to transfer personal data to a non-EEA country or international organisation. Transfers may take place on the basis of an adequacy decision, or, in the absence of such a decision, on the basis of appropriate safeguards, including enforceable rights and legal remedies for individuals.

More information:

• International transfers

1. Make sure that the data that you received was collected legitimately and that the individuals concerned have been informed about the processing of their personal data.
2. In case a third party is processing personal data on your behalf, make sure you have a controller-processor contract, which details the processing operations and means to process personal data.

And of course, comply with all the obligations of controllers.

More information:

• Data controller or data processor

Publishing the names of the winners of a competition on your website could be considered as a legitimate interest, if you can prove this by carrying out a balancing test to determine whether your legitimate interests outweigh individuals’ right.

A good practice would be to set up an internal procedure in which the rules on publishing personal data of winners are explained.

In addition, the processing of personal data for these purposes should be part of the competition’s privacy policy, so that participants are informed in advance about how their data is going to be processed.

More information:

• Process personal data lawfully

No, you do not need to be certified to become a DPO.

DPOs must, however, be able to demonstrate that they have the necessary qualifications required by the GDPR, such as expert knowledge of data protection law and practices.

More information:

• Data Protection Officer