Data protection guide for small business logo
Close menu
Back to EDPB

Frequently asked questions

Filter on
Filter on topic

What are the legal basics for processing under the GDPR?

Data controllers can only process personal data in one of the following circumstances:

  • with the consent of the individuals concerned;
  • where processing is necessary for the performance of a contract (a contract between your organisation and an individual);
  • to meet a legal obligation under EU or national legislation;
  • where processing is necessary for the performance of a task carried out in the public interest under EU or national legislation;
  • to protect the vital interests of an individual;
  • for your organisation’s legitimate interests - except where they are overridden by the rights and freedoms of individuals.

In addition, the GDPR establishes additional conditions for the processing of sensitive data.

More information:

Do data processors also have to respect the GDPR?

Yes, data processors (i.e. individuals or bodies that process data on behalf of a data controller), have obligations under the GDPR. There are, however, some differences between the responsibilities for data controllers and processors.

Data processors have to adhere to the responsibilities set out in the controller-processor contract, which details the processing operations and means to process personal data. For example, the processor will have to carry out the processing operations with the appropriate technical and organisational measures as instructed by the controller. In doing so, the processor assists the controller in complying with the GDPR.

More information:

What should be included in a controller-processor contract?

The contract between the data controller and the data processor must stipulate that the data processor:

  • processes the personal data only on the instructions of the data controller, including with regard to transfers of personal data to a country outside the EEA;
  • ensures that the persons authorised to process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • ensures security of processing;
  • shall not engage another data processor without prior specific or general written authorisation of the data controller;
  • assists the data controller for the fulfilment of the data controller’s obligations to respond to individual’s requests for exercising their rights;
  • assists the data controller in securing the processing, notifying data breaches, and performing DPIAs;
  • at the choice of the data controller, deletes or returns all personal data to the data controller after the end of the provision of services;
  • makes available to the data controller all necessary information to demonstrate compliance with the obligations under the GDPR;
  • allows for and contributes to audits, including inspections conducted by the data controller or another auditor mandated by the data controller.

In addition, the data processor shall immediately inform the data controller if, in its opinion, instructions infringe the GDPR or other EU or national data protection provisions.

More information:

Can I transfer personal data outside the European Economic Area (EEA)?

Under the GDPR, there are, in principle, two main ways to transfer personal data to a non-EEA country or international organisation. Transfers may take place on the basis of an adequacy decision, or, in the absence of such a decision, on the basis of appropriate safeguards, including enforceable rights and legal remedies for individuals.

More information:

Is the Data Protection Officer (DPO) responsible for compliance with the GDPR?

The DPO cannot be held responsible for failure to comply with the GDPR. Compliance with the GDPR is the responsibility of the organisation that appointed the DPO.

More information:

Can I set up the closed CCTV on my business premises to protect my property?

The first step to installing CCTV is to identify the purpose or purposes for doing so. The purposes for installing CCTV can be varied, such as ensuring the security of premises, aiding in the prevention and detection of theft and other crimes, or protection of the lives and health of employees, due to the nature of work.

As with any processing of personal data, the recording of individuals  must have a legal basis under the GDPR. Consent can provide a legal basis for such data processing. However, this is unlikely to apply to the use of CCTV in most cases, as it will be difficult to obtain the freely given consent of everyone likely to be recorded. The most common legal ground for this kind of processing of personal data is legitimate interest. When processing is based on a legitimate interest, you will need to carry out a balancing test to determine whether your legitimate interests outweigh individual’s rights.

You will need to inform individuals that they are being recorded. This can be done by placing easy to read signs in prominent places. In addition, a sign indicating the purpose of the CCTV system and the identity and contact details of the data controller should be placed at all entrances.

Individuals whose images are being recorded by a CCTV system should be provided with, the following information:

  • the identity and contact details of the data controller;
  • the purposes of the processing;
  • the legal basis of the processing (if legitimate interest, specific information about which legitimate interests relate to the specific processing, and about which  entity  pursues  each  legitimate  interest.);
  • the contact details of the Data Protection Officer, DPO (if there is a DPO);
  • the recipients or categories of recipients of the data;
  • the security arrangements for the CCTV footage;
  • the retention period for CCTV footage;
  • the existence of individuals’ rights under the GDPR and the right to lodge a complaint with the national data protection authority.

More information:

What information should I communicate to/share with individuals?

The GDPR gives individuals control over the processing of their personal data. In order to do this, transparency is key. This means you have to inform individuals whose data you process about your processing operations and the purposes. In other words, you have to explain who processes their data, but also how and why. Only if the use of personal data is 'transparent' for those involved, can they assess possible risks and make decisions about their personal data.

Under the GDPR you are obliged to share the following information with individuals:

  • the identity and contact details of the controller;
  • the purposes of the processing;
  • the legal basis of the processing (if legitimate interest, specific information about which legitimate interests relate to the specific processing, and about which  entity  pursues  each  legitimate  interest.)
  • the contact details of the controller;
  • the contact details of the DPO (if there is a DPO);
  • the recipients or categories of recipients of the data;
  • Information on whether the data will be transferred outside the European Economic Area (EEA) (where applicable: the existence or not of an adequacy decision or reference to the appropriate safeguards and how this information can be made available to data subjects);
  • the categories of personal data processed, when the data is not obtained from the individual.

In addition, the GDPR requires your organisation to provide the following information to ensure fair and transparent processing:

  • the retention period or, where this is not possible, the criteria used to determine this period;
  • the right to request access, erasure, rectification, restriction, objection and portability of personal data;
  • the right to lodge a complaint with a data protection authority;
  • if the legal basis for the processing is consent: the right to withdraw consent at any time;
  • in the case of automated decision-making, relevant information about the underlying logic and the intended consequences of the processing for the data subject;
  • the source of the personal data (if you did not directly receive it from the individual concerned;
  • whether the individual is required to provide the personal data (by law or by contract or to enter into a contract) and what the consequences of refusing to provide the data are.

More information:

What are cookies?

Cookies are small files stored on a device, such as a computer, a mobile device or any other device that can store information. Cookies serve a number of important functions, including remembering  users and their previous interactions with a website. They can be used to keep track of items in an online shopping cart or to keep track of information when details are inserted into an online application form.

Authentication cookies are also important to identify users when they log into banking services and other online services. The information stored in cookies can include personal data, such as an IP address, a username, a unique identifier, or an email address.

What are the sanctions if my organisation does not comply with the GDPR or if my processing violates the GDPR?

Compliance with the GDPR is monitored by the national data protection authorities (DPAs). DPAs can conduct investigations and impose sanctions where necessary. DPAs have a number of tools at their disposal, including fines up to 20 M€ or 4% of the worldwide annual turnover whichever is higher, reprimands, and temporary or permanent processing bans.

You can find the contact details for all EEA DPAs on the EDPB website: Members

More information: