Data protection guide for small business logo
Close menu
Back to EDPB

Frequently asked questions

Filter on
Filter on topic

What is a privacy statement?

Organisations must, in the case of direct collection of personal data from the individuals concerned, provide information about the processing operations in a concise and transparent way, using understandable, easily accessible and clear and plain language. This can be done in writing (e.g. on the reverse side of a tender) or by electronic means (e.g. on a website). If the person concerned so requests, you may also provide this information orally, but you must be able to prove this afterwards.

Even when the data was collected indirectly, i.e. if you do not directly collect the personal data from an individual yourself, but for example via a third party, you must provide the same detailed information to individuals

How do I respond to a request for erasure?

Individuals have the right to request erasure of personal data concerning them and in that case, the controller has the obligation to erase the personal data. You should respond without undue delay and at the latest within one month after receipt of the request. This deadline can be extended by another two months if the request is too complex and more time is needed to comply with the request, provided that the individual is informed of this within one month after receiving the request.

It is important to note that the right to erasure is not absolute. It does not apply when the data in question is necessary for:

  • exercising the right to freedom of expression and information (e.g. for journalistic purposes);
  • compliance with a legal obligation which requires the processing of personal data (e.g. processing records on employees’ work hours);
  • reasons of public interest in the area of public health
  • archiving purposes in the public interest or scientific or historical research purposes or statistical purposes; and
  • the establishment, exercise or defence of legal claims.

When the personal data that is to be erased was previously transferred to other organisations, you must inform these recipients that the individual has requested erasure, unless this proves impossible or would require disproportionate efforts.

More information:

Can I record telephone conversations with clients in order to improve quality of service and do I need consent for this?

Yes,your clients must be informed, when they make a telephone call, of the purposes of the recording, the recipients of the recordings, of their right to object and their right to access the recordings.

More information:

What does processing personal data mean?

Processing personal data means any type of activity (processing operation) performed on or with individuals’ personal data. This includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, inquiry, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

Is it possible to process sensitive data?

No, the processing of sensitive data is generally prohibited, except under very specific circumstances:

  • The individual has given their explicit consent for their sensitive data to be processed.
  • The processing of sensitive data is necessary for the data controller to fulfil their obligations, specifically in the context of employment, social security and social protection. For example, the data controller may need to process a person’s sensitive data to be able to determine if they are entitled to certain social security benefits or employment stipends.
  • The processing of sensitive data is necessary to protect the vital interests of a person where the individual is physically or legally incapable of giving consent. For example, if an individual is left unconscious as a result of an accident and requires immediate medical care, their health data may need to be processed for the appropriate medical care to be delivered.
  • The processing of sensitive data is carried out in the context of the legitimate activities of a foundation, association or other non-for-profit organisation with a political, philosophical, religious or trade union aim, and only for the processing of the personal data of their members, former members or persons having regular contact with them.
  • The sensitive data was manifestly made public by individual.
  • The processing of sensitive data is necessary in the context of legal proceedings.
  • The processing of sensitive data is necessary for matters of substantial public interest.
  • The processing of sensitive data is necessary in the context of preventive or occupational medicine. For example, assessing an individual’s sensitive data, such as their medical data, may be necessary to determine their working capacity as an employee.
  • The processing of sensitive data is necessary for matters of public health on the basis of EU or national law. For example, processing individuals’ sensitive data may be necessary to ensure a high quality of health care and a high quality of medical products, or to combat serious health threats, such as viruses.
  • The processing of sensitive data is necessary for matters of archiving purposes in the public interest, or for scientific or historical  research purposes, or statistical purposes. For example, processing sensitive data may be necessary to provide accurate statistics on a country’s situation in a particular field. 

More information:

What can I do in case the data processor does not want to sign a controller-processor contract?

A valid contract between the data controller and data processor is obligatory under the GDPR. An infringement can be subject to an administrative fine up to 10M€ or up to 2% of the total annual turnover of a company, whichever is higher.

To help guide you when setting up a controller-processor agreement, the Danish and Slovenian data protection authorities, as well as the European Commission, have developed template agreements.

More information:

What should I do when someone asks how I process their data?

Individuals can ask you whether you are processing their data and where it is the case, they have a right to access that data. So when this happens and if you process their data, you should, for example provide a copy of their personal data, free of charge, together with any necessary additional information. Where a request is made electronically, your organisation should provide the required information in a commonly used electronic format, unless the individual requests otherwise.

More information:

How long do I have to respond to an access request?

You should respond without undue delay and at the latest within one month after receipt of the request. This deadline can be extended by another two months if the request is too complex and more time is needed to answer, provided that the individual is informed of this within one month after receiving the request.

You must do this free of charge.

More information:

Do I need consent in order to use cookies on my organisation’s website?

The GDPR applies to the use of cookies when these are used to process personal data, but there are also more specific rules for cookies included the ePrivacy Directive.

The storing of a cookie, or the gaining of access to a cookie already stored, in the terminal equipment of a user is only allowed on condition that the subscriber or user concerned has been adequately informed (in particular about the purposes of the processing) and has given their consent.

The only exception are technically necessary cookies. Organisations do not need to ask for consent when using technically necessary cookies on their websites.

More information:

What is the difference between pseudonymised data and anonymised data?

Pseudonymisation consists in transforming personal data so that it can no longer be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to individual. In practice, it may mean replacing personal data (name, first name, personal number, phone number, etc.) in a data set with indirectly identifying data (alias, sequential number, etc.). Pseudonymised data is still personal data and is subject to the GDPR.

Anonymised data is data that has been rendered anonymous in such a manner that the individual is not or no longer identifiable by any means that are reasonably likely to be used. When the anonymisation is implemented properly, the GDPR no longer applies to the anonymised data.

More information:

Who is data controller and who is data processor?

The GDPR distinguishes between two main roles: those of data controller and data processor. This distinction is crucial as the data controller bears more responsibility and has to fulfil more obligations than the processor.

Data controllers and processors can be natural or legal persons, for example: an SME, a public authority, a company, an organisation, a state body, an association etc.

A data controller determines the purposes and means of a processing operation. In other words, the controller decides the how and why of a processing operation. Whereas processors process personal data on behalf of the controller. The processing carried out by processors needs to be regulated by a contract with the data controller or other legal act.

Examples of data controllers:

  • companies that process the personal data of their customers to complete a sale;
  • financial institutions that process personal data of their clients;
  • associations that process the data of their members;
  • schools or universities that process personal data of students and teachers;
  • hospitals that process personal data of their patients;
  • government agencies that process personal data of citizens.
     

Examples of data processors:

  • an SME hires a bookkeeping service to keep its books and records, the SME is a data controller and the bookkeeping service a data processor;
  • a payroll company processes personal data for an SME. The payroll company will act as a processor if it solely processes the personal data on behalf of the SME. The SME determines the purposes and means of the data processing, and is therefore data controller.
  • an SME commissions a marketing company to collect email addresses via third-party websites.  The marketing company does this according to the explicit instructions of the SME and for the SME’s exclusive purposes. The marketing Company acts as processor for this collection.

More information:

What is sensitive data?

Some types of personal data belong to special categories of personal data, meaning they deserve more protection, so-called sensitive data. Sensitive data includes data that reveals information about:

  • an individual’s health;
  • an individual’s sexual orientation;
  • an individual’s racial or ethnic origin;
  • an individual’s political opinions, religious or philosophical beliefs; an individual’s trade union membership;
  • an individual’s biometric and genetic data.

The processing of an individual’s sensitive data is generally prohibited, except under specific circumstances that justify its processing.

More information:

Who can fulfil the role of Data Protection Officer (DPO)?

The DPO can be an existing employee with sufficient knowledge of GDPR (if the professional tasks of the employee are compatible with those of the DPO and this does not lead to conflicts of interest) or an external person. The DPO should be able to carry out tasks independently and should be able to report directly to the highest management.

More information:

What is personal data?

Personal data means any information relating to an identified or identifiable individual. An identifiable individual is anyone who can be identified, either directly or indirectly. Different pieces of information that added together could lead to the identification of a particular person also constitute personal data.

Examples of personal data include:

  • name and surname;
  • a home address;
  • an email address;
  • an ID card number;
  • location data;
  • an Internet Protocol (IP) address;
  • a cookie ID;
  • bank accounts;
  • tax reports;
  • biometric data (like fingerprint);
  • a social security number;
  • passport number;
  • test results;
  • grades in school;
  • browsing history;
  • photograph of individual;
  • vehicle registration number etc.

More information:

As a data controller I have collected individuals’ personal data from a third party, what do I need to do to be compliant?

  1. Make sure that the data that you received was collected legitimately and that the individuals concerned have been informed about the processing of their personal data.
  2. In case a third party is processing personal data on your behalf, make sure you have a controller-processor contract, which details the processing operations and means to process personal data.

And of course, comply with all the obligations of controllers.

More information:

How can I know which security measures I need to take?

The necessary security measures can differ based on the nature of the personal data you process and the associated risks to individuals. In any case, there are some minimum measures you should put into place:

  • secure access to the premises;
  • use regularly updated antivirus software;
  • carefully choose your passwords;
  • make users authenticate themselves before using the computer facilities;
  • have a data back-up and retrieval policy in place in case of an incident.

In addition, some basic measures such as locking your screen while you are away and locking up the office at the end of the day are never out of place...

More information:

Can I publish the names of the winners of a competition on my organisation’s website?

Publishing the names of the winners of a competition on your website could be considered as a legitimate interest, if you can prove this by carrying out a balancing test to determine whether your legitimate interests outweigh individuals’ right.

A good practice would be to set up an internal procedure in which the rules on publishing personal data of winners are explained.

In addition, the processing of personal data for these purposes should be part of the competition’s privacy policy, so that participants are informed in advance about how their data is going to be processed.

More information:

Can I share a list of individuals’ personal data with my business partners (third parties)?

Yes, you can, but the GDPR places certain obligations on businesses which share personal data. Your organisation must inform individuals that you will share their data with a third party. You must also inform them of your purposes, security, access and the retention measures that will apply.

Should I appoint a Data Protection Officer (DPO)?

The appointment of a DPO is mandatory in the following three cases:

  • the organisation is a public authority;
  • the organisation’s core activities consist in regular and systematic monitoring of individuals on a large scale, for example geolocation via a mobile application, or surveillance of shopping centres and public spaces through CCTV;
  • the organisation’s core activities consist in large-scale processing of sensitive data  or personal data relating to criminal convictions and offences.

You can always appoint a DPO on a voluntary basis, even if this is not legally required. Please note that in that case, you must comply with all the provisions of the GDPR concerning the tasks and position of the data protection officer.

More information:

Am I required to make my record of processing public?

No, it is not necessary to make your record of processing public. You must, however, be able to make the record available to the data protection authority upon request.

More information: