Frequently Asked Questions
How do I respond to a request for erasure?
Individuals have the right to request erasure of personal data concerning them and in that case, the controller has the obligation to erase the personal data. You should respond without undue delay and at the latest within one month after receipt of the request. This deadline can be extended by another two months if the request is too complex and more time is needed to comply with the request, provided that the individual is informed of this within one month after receiving the request.
It is important to note that the right to erasure is not absolute. It does not apply when the data in question is necessary for:
- exercising the right to freedom of expression and information (e.g. for journalistic purposes);
- compliance with a legal obligation which requires the processing of personal data (e.g. processing records on employees’ work hours);
- reasons of public interest in the area of public health;
- archiving purposes in the public interest or scientific or historical research purposes or statistical purposes; and
- the establishment, exercise or defence of legal claims.
When the personal data that is to be erased was previously transferred to other organisations, you must inform these recipients that the individual has requested erasure, unless this proves impossible or would require disproportionate efforts.
How long can I store personal data?
You cannot store personal data forever.
As a rule, personal data can only be stored for as long as necessary in light of the purposes for which the personal data is processed.
In some cases, the storage period can be determined by specific laws, for example, labour regulations determine a storage period for payroll lists.
Organisations should put in place data retention policies to make sure that personal data is not kept longer than is necessary. Individuals’ personal data must be deleted or anonymised once this data is no longer necessary for the purpose for which it was processed.
How long do I have to respond to an access request?
You should respond without undue delay and at the latest within one month after receipt of the request. This deadline can be extended by another two months if the request is too complex and more time is needed to answer, provided that the individual is informed of this within one month after receiving the request.
You must do this free of charge.
Is it possible to process sensitive data?
No, the processing of sensitive data is generally prohibited, except under very specific circumstances:
- The individual has given their explicit consent for their sensitive data to be processed.
- The processing of sensitive data is necessary for the data controller to fulfil their obligations, specifically in the context of employment, social security and social protection. For example, the data controller may need to process a person’s sensitive data to be able to determine if they are entitled to certain social security benefits or employment stipends.
- The processing of sensitive data is necessary to protect the vital interests of a person where the individual is physically or legally incapable of giving consent. For example, if an individual is left unconscious as a result of an accident and requires immediate medical care, their health data may need to be processed for the appropriate medical care to be delivered.
- The processing of sensitive data is carried out in the context of the legitimate activities of a foundation, association or other not-for-profit organisation with a political, philosophical, religious or trade union aim, and only for the processing of the personal data of their members, former members or persons having regular contact with them.
- The sensitive data was manifestly made public by the individual.
- The processing of sensitive data is necessary in the context of legal proceedings.
- The processing of sensitive data is necessary for matters of substantial public interest.
- The processing of sensitive data is necessary in the context of preventive or occupational medicine. For example, assessing an individual’s sensitive data, such as their medical data, may be necessary to determine their working capacity as an employee.
- The processing of sensitive data is necessary for matters of public health on the basis of EU or national law. For example, processing individuals’ sensitive data may be necessary to ensure a high quality of health care and a high quality of medical products, or to combat serious health threats, such as viruses.
- The processing of sensitive data is necessary for matters of archiving purposes in the public interest, or for scientific or historical research purposes, or statistical purposes. For example, processing sensitive data may be necessary to provide accurate statistics on a country’s situation in a particular field.
Should I appoint a Data Protection Officer (DPO)?
The appointment of a DPO is mandatory in the following three cases:
- the organisation is a public authority;
- the organisation’s core activities consist in regular and systematic monitoring of individuals on a large scale, for example geolocation via a mobile application, or surveillance of shopping centres and public spaces through CCTV;
- the organisation’s core activities consist in large-scale processing of sensitive data or personal data relating to criminal convictions and offences.
You can always appoint a DPO on a voluntary basis, even if this is not legally required. Please note that in that case, you must comply with all the provisions of the GDPR concerning the tasks and position of the data protection officer.
What constitutes a conflict of interest for a Data Protection Officer (DPO)?
DPOs can fulfil other tasks within the organisation, but this cannot result in a conflict of interest. This implies that the DPO cannot have a position in which they determine the purposes and means of the processing activities. Conflicting functions include mainly management positions (chief executive, chief operating, chief financial officer, Head of HR, Head of IT, managing director) but may also involve other functions if they lead to the determination of purposes and means of processing.
The DPO must be able to perform their duties and tasks in an independent manner. This means that your organisation:
- may not give instructions to the DPO with regard to the performance of their DPO duties;
- may not penalise or dismiss the DPO for performing their tasks.
What should I do when someone asks how I process their data?
Individuals can ask you whether you are processing their data and, where that is the case, they have a right to access that data. When this happens and you do process their data, you should, for example, provide a copy of their personal data, free of charge, together with any necessary additional information. Where a request is made electronically, your organisation should provide the required information in a commonly used electronic format, unless the individual requests otherwise.
What is a privacy statement?
Organisations must, in the case of direct collection of personal data from the individuals concerned, provide information about the processing operations in a concise and transparent way, using understandable, easily accessible and clear and plain language. This can be done in writing (e.g. on the reverse side of a tender) or by electronic means (e.g. on a website). If the person concerned so requests, you may also provide this information orally, but you must be able to prove this afterwards.
Even when the data was collected indirectly, i.e. if you do not directly collect the personal data from an individual yourself, but for example via a third party, you must provide the same detailed information to individuals.
What should I do in case of a data breach?
A personal data breach is a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- If the data breach poses a risk to the individuals concerned, you must report it to the relevant data protection authority within 72 hours.
- If the breach is likely to result in a high risk to individuals, you will also need to communicate that breach to the individuals concerned without undue delay.
In any case, for all breaches – even those that are not notified to a DPA – you must record at least the basic details of the breach, the assessment thereof, its effects, and the steps taken in response.