Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

EU - Data Protection Overview
Back

EU - Data Protection Overview

September 2021

1. Governing Texts

The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') entered into force on 25 May 2018, aiming to harmonise data protection law in all member states of the European Union. The GDPR lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data (Article 1(1) of the GDPR).   

This guidance note will provide an overview of the GDPR.

1.1. Key acts, regulations, directives, bills

  • the GDPR

1.2. Guidelines

The European Data Protection Board ('EDPB') has issued the following guidance:

1.3. Case law

General case law under the GDPR is found through the EDPB and European Data Protection Supervisor's ('EUPS') websites, here and here, respectively.

2. Scope of Application

2.1. Personal scope

The GDPR establishes rules for the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. (Article 1(1) of the GDPR).

Further to this, the protection afforded within should applies to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data (Recital 14 of the GDPR). However, the GDPR does not apply to the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person (Recital 14 of the GDPR).

2.2. Territorial scope

The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor within the EU, regardless of whether the processing takes place in the EU (Article 3(1) of the GDPR).

In addition, the GDPR applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the same, where the processing activities are related to (Article 3(2) of the GDPR):

  • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or
  • the monitoring of their behaviour as far as their behaviour takes place within the EU.

Furthermore, the GDPR applies to the processing of personal data by a controller not established in the EU, but in a place where member state law applies by virtue of public international law (Article 3(3) of the GDPR).

2.3. Material scope

The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system (Article 2(1) of the GDPR).

The GDPR does not apply to the processing of personal data:

  • in the course of an activity which falls outside the scope of EU law;
  • by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on the European Union;
  • by a natural person in the course of a purely personal or household activity; and
  • by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

EDPB

The EDPB is an independent European body, which contributes to the consistent application of data protection rules throughout the EU, and promotes cooperation between the EU's data protection authorities.

National data protection authorities

Under the guidance of the EUPB, member states' data protection authorities regulate and monitor GDPR compliance within their respective jurisdictions.

3.2. Main powers, duties and responsibilities

EDPB

The EDPB Main powers, duties, and responsibilities include (EDPB homepage):

  • providing general guidance (including guidelines, recommendations, and best practices) to clarify the law and to promote a common understanding or EU data protection laws;
  • adopting opinions addressed to the Commission's or to the national Supervisory Authorities:
    • advising the Commission on any issue related to the protection of personal data and new proposed legislation in the EU; and
    • to ensure consistency of the activities of national Supervisory Authorities on cross border matters.
  • adopting binding decisions addressed to the national Supervisory Authorities and aiming to settle disputes arising between them when they cooperate to enforce the GDPR, with the purpose of ensuring the correct and consistent application of the GDPR in individual cases; and
  • promote and support the cooperation among national Supervisory Authorities.

National data protection authorities

Chapter 6 of the GDPR sets outs the responsibilities and role of data protection authorities. These include the following tasks provided in Article 57 of the GDPR:

  • to monitor and enforce the application of the GDPR;
  • to promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;
  • to advise, in accordance with EU law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;
  • to promote the awareness of controllers and processors of their obligations under the GDPR;
  • upon request, to provide information to any data subject concerning the exercise of their rights under the GDPR and, if appropriate, cooperate with the supervisory authorities in other member states to that end;
  • to handle complaints lodged by a data subject, or by a body, organisation, or association in accordance with Article 80 of the GDPR, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;
  • to cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of the GDPR;
  • conduct investigations on the application of the GDPR, including on the basis of information received from another supervisory authority or other public authority;
  • to monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;
  • to adopt standard contractual clauses referred to in Article 28(8) and of Article 46 (2)(d) of the GDPR;
  • to establish and maintain a list in relation to the requirement for Data Protection Impact Assessment ('DPIA') pursuant to Article 35(4) of the GDPR;
  • to give advice on the processing operations referred to in Article 36(2) of the GDPR;
  • to encourage the drawing up of codes of conduct pursuant to Article 40(1) of the GDPR and provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5) of the GDPR;
  • to encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1) of the GDPR, and approve the criteria of certification pursuant to Article 42(5) of the GDPR ;
  • where applicable, carry out a periodic review of certifications issued in accordance with Article 42(7) of the GDPR;
  •  to draft and publish the requirements for accreditation of a body for monitoring codes of conduct pursuant to Article 41 of the GDPR and of a certification body pursuant to Article 43 of the GDPR;
  • to conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 of the GDPR and of a certification body pursuant to Article 43 of the GDPR;
  • to authorise contractual clauses and provisions referred to in Article 46(3) of the GDPR;
  • to approve binding corporate rules pursuant to Article 47 of the GDPR;
  • to contribute to the activities of the EDPB;
  • to keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58(2) of the GDPR; and
  • to fulfil any other tasks related to the protection of personal data.

Investigative powers

More specifically, data protection authorities have the following investigative powers (Article 58 of the GDPR):

  • to order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks;
  • to carry out investigations in the form of data protection audits;
  • to carry out a review on certifications issued pursuant to Article 42(7) of the GDPR;
  • to notify the controller or the processor of an alleged infringement of the GDPR;
  • to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks; and
  • to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with EU or Member State procedural law.

Corrective powers

Moreover, data protection authorities have corrective powers including (Article 58 of the GDPR):

  • to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of the GDPR;
  • to issue reprimands to a controller or a processor where processing operations have infringed provisions of the GDPR;
  • to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to the GDPR;
  • to order the controller or processor to bring processing operations into compliance with the provisions of the GDPR, where appropriate, in a specified manner and within a specified period;
  • to order the controller to communicate a personal data breach to the data subject;
  • to impose a temporary or definitive limitation including a ban on processing;
  • to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16 to 18 of the GDPR and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Articles 17(2) and 19 of the GDPR;
  • to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43 of the GDPR, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;
  • to impose an administrative fine pursuant to Article 83 of the GDPR, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case; and
  • to order the suspension of data flows to a recipient in a third country or to an international organisation.

Authorisation and advisory powers

Under the GDPR, data protection authorities shall have the following authorisation and advisory powers (Article 58 of GDPR):

  • to advise the controller in accordance with the prior consultation procedure referred to in Article 36 of the GDPR;
  • to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;
  • to authorise processing referred to in Article 36(5) of the GDPR, if the law of the Member State requires such prior authorisation;
  • to issue an opinion and approve draft codes of conduct pursuant to Article 40(5) of the GDPR;
  • to accredit certification bodies pursuant to Article 43 of the GDPR;
  • to issue certifications and approve criteria of certification in accordance with Article 42(5) of the GDPR;
  • to adopt standard data protection clauses referred to in Articles 28(8) and 46(2)(d) of the GDPR;
  • to authorise contractual clauses referred to under Article 46(3)(a) of the GDPR;
  • to authorise administrative arrangements referred under Article 46(3)(b) of the GDPR; and
  • to approve binding corporate rules pursuant to Article 47 of the GDPR.

4. Key Definitions

Data controller: Means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by the EU or Member State law, the controller or the specific criteria for its nomination may be provided for by the EU or Member State law (Article 4(7) of the GDPR).

Data processor: Means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller (Article 4(8) of the GDPR).

Personal data: Means any information relating to an identified or identifiable natural person, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person (Article 4(1) of the GDPR).

Sensitive data: The GDPR does not explicitly define 'sensitive data'. However, special category data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation (Article 9(1) of the GDPR).

Health data: Means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status (Article 4(15) of the GDPR).

Biometric data: Means personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data (Article 4(14) of the GDPR).

Pseudonymisation: Means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person (Article 4(5) of the GDPR).

Processing: Means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4(1) of the GDPR).

5. Legal Bases

5.1. Consent

The processing of personal data will be lawful where the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6(1)(a) of the GDPR).

Consent of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he/she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him/her (Article 4(11) of the GDPR).

Conditions for consent

A data controller must be able to demonstrate that the data subject has consented to processing of his/her personal data (Article 7(1) of the GDPR).

In addition, where the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language (Article 7(2) of the GDPR).

Withdrawal of consent

The data subject has the right to withdraw his/her consent at any time and the withdrawal should be as easy as the giving of consent (Article 7(3) of the GDPR).

However, the withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal (Article 7(3) of the GDPR).

5.2. Contract with the data subject

The processing of personal data will be lawful where the data controller demonstrates that processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) of the GDPR).

5.3. Legal obligations

The processing of personal data will be lawful where the data controller demonstrates processing is necessary for compliance with a legal obligation to which the controller is subject (Article 6(1)(c) of the GDPR).

Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in EU or Member State law (Recital 45 of the GDPR).

5.4. Interests of the data subject

The processing of personal data will be lawful where the data controller demonstrates processing is necessary in order to protect the vital interests of the data subject or of another natural person (Article 6(1)(d) of the GDPR).

5.5. Public interest

The processing of personal data shall be lawful where the data controller demonstrates processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e) of the GDPR).

5.6. Legitimate interests of the data controller

Processing of personal data shall be lawful where the data controller demonstrates processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Article 6(1)(f) of the GDPR).

The existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place (Recital 47 of the GDPR). In particular, the interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing (Recital 47 of the GDPR).

Notably, the processing of personal data strictly necessary for the purposes of preventing fraud and direct marketing purposes may constitutes a legitimate interest of the data controller (Recital 47 of the GDPR). However, this legal basis should not apply to the processing by public authorities in the performance of their tasks (Article 6(1)(f)(2) of the GDPR).

5.7. Legal bases in other instances

The Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, for the rights and freedoms of the data subject it (Article 89 of the GDPR).

Morever, the processing of personal data may be lawful where appropriate measures for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Recital 156 of the GDPR). Specifically, data controllers should ensure that technical and organisational measures are in place in order to ensure, in particular, the principle of data minimisation (Recital 156 of the GDPR).

6. Principles

Under the GDPR the principles relating to processing of personal data are namely (Article 5(1) of the GDPR):

  • lawfulness, fairness and transparency;
  • purpose limitation;
  • data minimisation;
  • accuracy;
  • storage limitation;
  • integrity and confidentiality; and
  • accountability.

Lawfulness, fairness, and transparency

Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject (Article 5(1)(a) of the GDPR).

Purpose limitation

Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with such purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes must, in accordance with Article 89(1) of the GDPR, not be considered to be incompatible with the initial purposes (Article 5(1)(b) of the GDPR).

Data minimisation

Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (Article 5(1)(c) of the GDPR).

Accuracy

Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (Article 5(1)(d) of the GDPR).

Storage limitation

Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (Article 5(1)(e) of the GDPR).

However, personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) of GDPR subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject (Article 5(1)(e) of the GDPR).

Integrity and confidentiality

Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (Article 5(1)(f) of the GDPR).

Accountability

Controllers are responsible for, and must be able to demonstrate compliance with, Article 5(1) of the GDPR (Article 5(2) of the GDPR).

7. Controller and Processor Obligations

7.1. Data processing notification

The GDPR does not provide a general data processing notification requirement.

7.2. Data transfers

Any transfer of personal information which is to undergo processing, or intended to undergo processing within a third country or an international organisation, shall take place only if, subject to the other provisions of the GDPR, the conditions laid down under Articles 45 to 50 of the GDPR are complied with by data controllers and processors (Article 44 of the GDPR).

This includes subsequent transfers of personal data from the third country or an international organisation to another third country or to another international organisation (Article 44 of the GDPR).

Adequate protection

A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection (Article 45(1) of the GDPR).

Appropriate safeguards

In the absence of an adequacy decision, controllers or processors may transfer personal data to a third country or an international organisation only if appropriate safeguards and conditions have been put in place appropriate safeguards and on condition that enforceable data subject rights and effective legal remedies for data subjects are available (Article 46(1) of the GDPR).

Such appropriate safeguards are namely (Article 46(2) of the GDPR):

  • a legally binding and enforceable contract between public authorities or bodies;
  • binding corporate rules ('BCR') in accordance with Article 47 of the GDPR;
  • standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2) of the GDPR;
  • standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2) of the GDPR;
  • an approved code of conduct pursuant to Article 40 of the GDPR, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
  • an approved certification mechanism pursuant to Article 42 of the GDPR, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

Derogations for specific situations

In addition, in the absence of an adequacy decision or appropriate safeguards, a transfer or a set of transfers of personal data to a third country or an international organisation may take place based on one of the following conditions (Article 49 of the GDPR):

  • the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
  • the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
  • the transfer is necessary for important reasons of public interest;
  • the transfer is necessary for the establishment, exercise or defence of legal claims;
  • the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or
  • the transfer is made from a register which according to the EU or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by the EU or Member State law for consultation are fulfilled in the particular case.

In addition, where a transfer could not be based on a provision in Articles 45 and 46 of GDPR including the provisions on BCR, and none of the derogations for a specific situation referred to in the Article 49(1) of the GDPR is applicable, a transfer to a third country or an international organisation may take place only where (Article 49(1)(2) of the GDPR):

  • the transfer is not repetitive;
  • concerns only a limited number of data subjects;
  • is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject;
  • the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data; and
  • the controller shall inform the supervisory authority of the transfer.

Further to the above, the controller must provide information referred to in Articles 13 and 14 of GDPR, and inform the data subject of the transfer and on the compelling legitimate interests pursued.

See our EU - GDPR - Data Transfers Guidance Note for further information on data transfers under the GDPR (Article 49(1) of the GDPR):.

7.3. Data processing records

Controllers

A controller, and where applicable, the controller's representative, must maintain a record of processing activities under its responsibility. Such records must contain the following information (Section 30(1) of the GDPR):

  • the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer ('DPO');
  • the purposes of the processing;
  • a description of the categories of data subjects and of the categories of personal data;
  • the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in Article 49(1) of the GDPR, the documentation of suitable safeguards;
  • where possible, the envisaged time limits for erasure of the different categories of data; and
  • where possible, a general description of the technical and organisational security measures referred to in Article 32(1) of the GDPR.

Processors

In addition, processors, or the processor's representative, must maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

  • the name and contact details of the processor or processors, and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor's representative, and the DPO;
  • the categories of processing carried out on behalf of each controller;
  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards; and
  • where possible, a general description of the technical and organisational security measures referred to in Article 32(1) of GDPR.

7.4. Data protection impact assessment

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller must, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (Article 35(1) of the GDPR). The controller should seek the advice of the DPO, where designated, when carrying out a DPIA (Article 35(2) of the GDPR).

More specifically, a DPIA is required in cases where (Article 35(3) of the GDPR):

  • a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  • processing on a large scale of special categories of data referred to in Article 9(1) of the GDPR, or of personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or
  • a systematic monitoring of a publicly accessible area on a large scale.

A number of Member States' Supervisory Authorities have established a public a list of the kind of processing operations which are subject to the requirement for DPIA. Please see our GDPR Implementation Comparison for further information.

A DPIA must contain at least the following information (Article 35(7) of the GDPR):

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects referred to in Article 35(1) of the GDPR; and
  • the measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.

Prior consultation

Controllers must consult the supervisory authority prior to processing where a DPIA, indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk (Article 36(1) of the GDPR).

When consulting the supervisory authority pursuant to Article 36(1) of the GDPR, the controller shall provide the supervisory authority with (Article 36(2) of the GDPR):

  • where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
  • the purposes and means of the intended processing;
  • the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to the GDPR;
  • where applicable, the contact details of the DPO;
  • the DPIA provided for in Article 35 of the GDPR; and
  • any other information requested by the supervisory authority.

7.5. Data protection officer appointment

Controller and processors are required to designate a DPO in cases where (Article 37(1) of the GDPR):

  • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope, and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 of the GDPR or personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR. 

A group of undertakings may appoint a single DPO provided that a DPO is easily accessible from each establishment (Article 37(2) of the GDPR).

However, DPOs, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner (Recital 97 of the GDPR).

DPO tasks and qualifications

A DPO is designated on the basis of their professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39 of the GDPR (Article 37(5) of the GDPR. The tasks of the DPO include (Article 39(1) of the GDPR):

  • to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to the GDPR and to other EU or Member State data protection provisions;
  • to monitor compliance with the GDPR, with other EU or Member State data protection provisions, and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  • to provide advice where requested as regards DPIAs and monitor its performance pursuant to Article 35 of the GDPR;
  • to cooperate with the supervisory authority; and
  • to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36 of the GDPR, and to consult, where appropriate, with regard to any other matter.

7.6. Data breach notification

In the case of a data breach, a data controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of the data breach, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33(1) of the GDPR). Personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, must be communicated the data subject without undue delay (Article 34(1) of the GDPR).

In addition, processors must notify the controller without undue delay after becoming aware of a personal data breach.

Notification to supervisory authority

The notification to the supervisory authority must include the following (Article 33(3) of the GDPR):

  • describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
  • communicate the name and contact details of the DPO or other contact point where more information can be obtained;
  • describe the likely consequences of the personal data breach; and
  • describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where applicable, notification to the data subject must explain in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to above in points 2, 3, and 4 (Article 34(2) of the GDPR).

Communication to the data subject referred to in Article 34(1) of the GDPR will not be required if any of the following conditions are met:

  • the data controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
  • the data controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in Article 34(1) is no longer likely to materialise; or
  • it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

7.7. Data retention

As previously stated under the section on principles, personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 of the GDPR (Article 5(1)(e) of the GDPR).

7.8. Children's data

Where Article 6(1)(a) applies, in relation to the offer of information society services directly to a child, the processing of a child's personal data will be lawful where the child is at least 16 years old. (Article 8(1) of the GDPR). Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child (Article 8(1) of the GDPR).

Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years (Article 8(1) of the GDPR).

Controller are required to make a reasonable effort to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology (Article 8(2) of the GDPR).

The Recital 38 of the GDPR clarifies that children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences, and safeguards concerned and their rights in relation to the processing of personal data.

7.9. Special categories of personal data

Special category personal information under the GDPR can only be processed where one of the expectations outlined in Article 9(2) of the GDPR apply.

Article 9(2) of the GDPR provides that special category personal information can be processed where:

  • the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where EU or member state law provide that the prohibition referred to in Article 9(1) of the GDPR may not be lifted by the data subject;
  • processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by EU or member state law, or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
  • processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
  • processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
  • processing relates to personal data which are manifestly made public by the data subject;
  • processing is necessary for the establishment, exercise, or defence of legal claims or whenever courts are acting in their judicial capacity;
  • processing is necessary for reasons of substantial public interest, on the basis of EU or member state law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
  • processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EU or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in Article 9(3) of the GDPR);
  • processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; and
  • processing is necessary for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR based on EU or member state law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Criminal convictions

The processing of personal data relating to criminal convictions and offences or related security measures under Article 6(1) of the GDPR can be carried out only under the control of official authority or when the processing is authorised by EU or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects (Article 10 of the GDPR).

Further to the above, any comprehensive register of criminal convictions shall be kept only under the control of official authority (Article 10 of the GDPR).

7.10. Controller and processor contracts

Where processing is to be carried out on behalf of a controller, the controller must use only processors who provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner, that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject (Article 28(1) of the GDPR).

In addition, processing by a processor must be governed by a contract or other legal act under EU or Member State law, that is binding on the processor with regard to the controller and that sets out (Article 28(3) of the GDPR):

  • the subject-matter and duration of the processing;
  • the nature and purpose of the processing;
  • the type of personal data and categories of data subjects; and
  • the obligations and rights of the controller.

The contract or other legal act must stipulate that the processor undertakes the following:

  1. processes personal data only on documented instructions from the controller;
  2. ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  3. take all measures required pursuant to Article 32 of the GDPR;
  4. respect the conditions referred to in Articles 28(2) and (4) of the GDPR for engaging another processor;
  5. take into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's;
  6. assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the processor;
  7. at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless EU or Member State law requires storage of the personal data; and
  8. make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

With regard to point 8, the processor must immediately inform the controller if, in its opinion, an instruction infringes the GDPR, EU, or Member State data protection provisions.

Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in Article 28(3), (4), and (6) of the GDPR may be based, in whole or in part, on standard contractual clauses referred to under Articles 28(7) and (8) of the GDPR, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43 of the GDPR (Article 28(6) of the GDPR).

Sub processors

Where a data processor engages another processor (sub-processor) for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in Article 28(3) of the GDPR, will be imposed on that other processor by way of a contract or other legal act under EU or Member State law (Article 28(4) of the GDPR).

In particular, the processor providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR (Article 28(4) of the GDPR). Where that sub-processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations (Article 28(4) of the GDPR).

8. Data Subject Rights

Transparency

Data controllers responding to data subjects' queries must take appropriate measures to provide any information referred to in the below sections to be in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child (Article 12(1) of the GDPR). Such information must be provided in writing or by other means, including, where appropriate, by electronic means. Where requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means (Article 12(1) of the GDPR).

Identity verification

The controller must facilitate the exercise of data subjects rights, where processing does not require identifications of the data subject under Article 11 of the GDPR, the controller cannot refuse the facilitation of a data subject's rights unless it demonstrates that it is not in a position to identify the data subject (Article 12(2) of the GDPR).

Where the controller has reasonable doubts concerning the identity of the natural person making the data subject request, the controller may request the provision of additional information necessary to confirm the identity of the data subject (Article 12(6) of the GDPR).

Time limits

The controller must provide information on action taken on a data subject request to the data subject without undue delay and in any event within one month of receipt of the request (Article 12(3) of the GDPR). Such time period may be extended where necessary by two further months, taking into account the complexity and number of the requests. Such extension must be informed to the data subject, with the reasons for such delay (Article 12(3) of the GDPR).

Response

If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy (Article 12(4) of the GDPR).

Fees

The information provided to data subjects and their facilitation of their rights shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

  • charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
  • refuse to act on the request.

The data controller must demonstrate that such a request is manifestly unfounded or excessive (Article 12(5) of the GDPR). 

8.1. Right to be informed

Personal data obtained directly from the data subject

Where personal data is obtained directly from a data subject, the following information must be provided (Articles 13(1) and 13(2) of GPDR):

  • the identity and the contact details of the controller and, where applicable, of the controller's representative;
  • the contact details of the DPO where applicable;
  • the purposes of the processing and the legal basis for the processing;
  • where the processing is based Article 6(1)(f), the legitimate interests pursued by the controller or by a third party;
  • the recipients or categories of recipients of the personal data, if any;
  • where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation along with:
    • the existence or absence of an adequacy decision by the Commission; or
    • in the case of transfers referred to in Articles 46 or 47 or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;
  • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject, or to object to processing, as well as the right to data portability;
  • where the processing is based on Articles 6(1)(a) or 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  • the right to lodge a complaint with a supervisory authority;
  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data; and
  • the existence of automated decision-making, including profiling, referred to in Articles 22(1) and 22(4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Personal data obtained indirectly from the data subject

Where personal data is not obtained directly from a data subject, the information required above applies, with the exception of the following points:

  • the controller is not required to provide information on whether the provision of personal data is a statutory or contractual requirement; and
  • the controller is required to inform the data subject regarding:
    • the categories of personal data concerned (Article 14(1)(d) of the GDPR); and
    • the source from which the personal data originates and, if applicable, whether it came from publicly accessible sources (Article 14(2)(f) of the GDPR).

Exemptions

Articles 13 and 14 do not apply where the data subject already has the information (Articles 13(4) and 14(5)(a) of the GDPR).

Where personal data is not obtained directly from a data subject, the requirements under Article 14 do not apply where (Article 14(5) of the GDPR):

  • the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in the same Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases, the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available;
  • obtaining or disclosure is expressly laid down by EU or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or
  • where the personal data must remain confidential subject to an obligation of professional secrecy regulated by EU or Member State law, including a statutory obligation of secrecy.

8.2. Right to access

Where personal data is being processed by the controller, the controller must provide the following information when requested (Article 15(1) of the GDPR):

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data is not collected from the data subject, any available information as to their source; and
  • the existence of automated decision-making, including profiling, referred to in Articles 22(1) and 22(4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Where personal data is transferred to a third country or to an international organisation, data subjects also have the right to be informed of the appropriate safeguards pursuant to Article 46 (Article 15(2) of the GDPR).

8.3. Right to rectification

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him/her (Article 16 of the GDPR). Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement (Article 16 of the GDPR).

8.4. Right to erasure

The data subject will have the right to obtain from the controller the erasure of personal data concerning him/her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies (Article 17(1) of the GDPR:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based according to Article 6(1)(a) of the GDPR, or Article 9(2)(a) of the GDPR, and where there is no other legal ground for the processing;
  • the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation in EU or Member State law to which the controller is subject; or
  • the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

Exceptions

This right shall not apply to the extent that processing is necessary:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by EU or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • for reasons of public interest in the area of public health in accordance with Articles 9 (2)(h) and (i) of the GDPR as well as Article 9 (3) of the GDPR;
  • for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) insofar as the right Article 17(1) of the GDPR is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise, or defence of legal claims.

8.5. Right to object/opt-out

The data subject has the right to object, on grounds relating to his/her particular situation, at any time to processing of personal data concerning him or her which is based (Article 21(1) of the GDPR):

  • the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
  • the purposes of the legitimate interests pursued by the controller or by a third party. Including profiling based on those provisions.

In such cases, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defence of legal claims (Article 21(1) of the GDPR).

Direct marketing

Where personal data is processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing (Article 21(2) of the GDPR).

Scientific or historical research purposes or statistical purposes

Where personal data is processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the GDPR, the data subject, on grounds relating to his or her particular situation, has the right to object to processing of personal data concerning him/her, unless the processing is necessary for the performance of a task carried out for reasons of public interest (Article 21(6) of the GDPR).

8.6. Right to data portability

The data subject has the right to receive personal data concerning him/her, which he/she has provided to a controller, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where (Article 20(1) of the GDPR):

  • the processing is based on consent pursuant to Article 6(1)(a), Article 9(2)(a);
  • performance of the contract pursuant to Article 6(1)(b) of the GDPR; and
  • the processing is carried out by automated means.

More specifically, in exercising his/her right to data portability pursuant to Article 20(1) of the GDPR, the data subject has the right to have their personal data transmitted directly from one controller to another, where technically feasible.

8.7. Right not to be subject to automated decision-making

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her (Article 22(1) of the GDPR).

Exemptions

The above will not apply if the decision:

  • is necessary for entering into, or performance of, a contract between the data subject and a data controller;
  • is authorised by EU or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
  • is based on the data subject's explicit consent.

8.8. Other rights

Right to restrict processing

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies (Article 18(1) of the GDPR):

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defence of legal claims; or
  • the data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

9. Penalties

General liabilities and penalties are outlined under Chapter 8 of the GDPR. Such liabilities and penalties that may be incurred by controllers or processors, include the right to compensation for data subjects, and the general conditions for imposing penalties.

Article 84 of the GDPR gives power to Member States to lay down the rules on other penalties applicable to infringements of the GDPR in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate, and dissuasive.

In accordance with Article 83(2) of the GDPR, which establishes the criteria to be considered to ascertain the severity of a breach under the GDPR, infringements of the following provisions shall, be subject to administrative fines up to €10 million EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5) of the GDPR):

  • the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43 of the GDPR;
  • the obligations of the certification body pursuant to Articles 42 and 43 of the GDPR; or
  • the obligations of the monitoring body pursuant to Article 41(4) of the GDPR.

Infringements of the following provisions will, in accordance with Article 83(2) of the GDPR, be subject to administrative fines up to €20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5) of the GDPR):

  • the basic principles for processing, including conditions for consent, pursuant to Articles 5 to 7 and 9 of the GDPR;
  • the data subjects' rights pursuant to Articles 12 to 22 of the GDPR;
  • the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49 of the GDPR;
  • any obligations pursuant to Member State law adopted under Chapter 9 of the GDPR; or
  • non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1) of the GDPR.

Non-compliance with an order by the supervisory authority as referred to in Article 58(2) of the GDPR will, in accordance with Article 83(2) of the GDPR, be subject to administrative fines up to €20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

9.1 Enforcement decisions

For enforcement decisions at a Member State level, please refer to our Overview Guidance Notes under the Privacy Laws Comparison and the GDPR Implementation Comparison