Last checked: 06/07/2022

Data protection under GDPR

The GDPR sets out detailed requirements for companies and organisations on collecting, storing and managing personal data. It applies both to European organisations that process personal data of individuals in the EU, and to organisations outside the EU that target people living in the EU (in this case, the 27 EU member states).

When does the General Data Protection Regulation (GDPR) apply?

The GDPR applies if:

Non-EU based businesses processing EU citizens' data have to appoint a representative in the EU.

When does the General Data Protection Regulation (GDPR) not apply?

The GDPR does not apply if:

What is personal data?

Personal data is any information about an identified or identifiable person, also known as the data subject. Personal data includes information such as their:

Special categories of data

You may not process personal data about someone's:

Who processes the personal data?

During processing, personal data can pass through various different companies or organisations. Within this cycle there are two main profiles that deal with processing personal data:

Who monitors how personal data is processed within a company?

The Data Protection Officer (DPO), who may have been designated by the company, is responsible for monitoring how personal data is processed and for informing and advising employees who process personal data about their obligations. The DPO also cooperates with the Data Protection Authority (DPA), serving as the contact point for the DPA and for individuals.

When should you appoint a Data Protection Officer?

Your company is required to appoint a DPO when:

For example, if you process personal data to target advertising through search engines based on people's online behaviour, you are required to have a DPO. If, however, you only send your clients promotional material once a year, then you will not need a DPO. Likewise, if you are a doctor who collects data on patients' health, a DPO is probably not needed. But if you process personal data on genetics and health for a hospital, then a DPO will be required.

The DPO may be a staff member of your organisation or may be contracted externally on the basis of a service contract. A DPO can be an individual or part of an organisation.

Processing data for another company

A data controller can only use a data processor who offers sufficient guarantees; these guarantees should be set out in a written contract between the parties involved. The contract must also contain a number of mandatory clauses, e.g. that the data processor will only process personal data when instructed to do so by the data controller.

Data transfer outside the EU

When personal data is transferred outside the EU (in this case, the 27 EU member states), the protection offered by the GDPR should travel with the data. This means that if you export data abroad, your company must ensure that one of the following measures is adhered to:

When is data processing allowed?

EU data protection rules mean you should process data in a fair and lawful manner, for a specified and legitimate purpose and only process the data necessary to fulfil this purpose. You must ensure that you fulfil one of the following conditions to process the personal data; you:

Agreeing to data processing - consent

The GDPR applies strict rules for processing data based on consent. The purpose of these rules is to ensure that the individual understands what he or she is consenting to. This means that consent should be freely given, specific, informed and unambiguous by way of a request presented in clear and plain language. Consent should be given by an affirmative act, such as checking a box online or signing a form.

When someone consents to the processing of their personal data, you can only process the data for the purposes for which consent was given. You must also give them the opportunity to withdraw their consent.

Providing transparent information

You must clearly provide individuals with information on who is processing the personal data about them and why. The following should be included as a minimum:

In some cases, the information you provide must also state:

You should present this information in clear and plain language.

Specific rules for children

If you're collecting personal data from a child based on consent, for example using a social media account or a download account, you must get parental consent first, e.g. by sending a notification to a parent or guardian. The age until which someone is considered to be a child differs depending on where they live, but is between 13 and 16 years old.

Right to access and right to data portability

You must ensure that individuals have the right to access their personal data, free of charge. If you receive such a request you have to:

When the processing is based on consent or a contract, the individual can also ask for you to return their personal data to them or transmit it to another company. This is known as the right to data portability. You should provide the data in a commonly used and machine-readable format.

Right to correct and right to object

If an individual believes that their personal data is incorrect, incomplete or inaccurate, they have the right to have it rectified or completed without undue delay.

Where personal data is rectified or erased, you should notify every recipient with whom you shared that data of the change or deletion. If any personal data you shared was incorrect, you may also have to inform anyone who has seen it that this was the case (unless this is deemed to require a disproportionate effort).

An individual may also object - at any time - to the processing of their personal data for a particular use when your company processes it on the basis of your legitimate interest, or for a task in the public interest. Unless you have a legitimate interest that overrides the interest of the individual, you must stop processing the personal data.

Likewise, an individual can ask to have the processing of their personal data restricted while it is determined whether or not your legitimate interest overrides their interest. However, in the case of direct marketing, you are always obliged to stop processing the personal data if requested by the individual.

Right to erasure (right to be forgotten)

In some circumstances, an individual can ask the data controller to erase their personal data, for example if the data is no longer needed to fulfil the processing purpose. However, your company is not obliged to do so if:

Automated decision-making and profiling

Individuals have the right not to be subject to a decision that is based solely on automated processing. However, there are some exceptions to this rule, such as when they have given their explicit consent to the automated decision. Except where the automated decision is based on a law, your company must:

For example, if a bank automates its decision of whether or not to grant a loan to a certain individual, that individual should be informed of the automated decision and given the opportunity to contest the decision and request human intervention.

Data breaches – providing proper notification

A data breach is when the personal data you are responsible for is disclosed, either accidentally or unlawfully, to unauthorised recipients or is made temporarily unavailable or is altered.

If a data breach does occur and the breach poses a risk to individual rights and freedoms, you should notify your Data Protection Authority within 72 hours after becoming aware of the breach.

Depending on whether or not the data breach poses a high risk to those affected, your company may also be required to inform all individuals affected.

Responding to requests

If your company receives a request from an individual who wants to exercise their rights, you should respond to this request without undue delay and in any case within 1 month of receiving the request. This response time may be extended by 2 months for complex or multiple requests, as long as the individual is informed about the extension. Requests should be dealt with free of charge.

If a request is rejected, then you must inform the individual of the reasons for doing so and of their right to file a complaint with the Data Protection Authority.

Impact assessments

Conducting a Data Protection Impact Assessment (DPIA) is mandatory whenever the intended processing would pose a high risk to the rights and freedoms of individuals, e.g. when new technologies are used.

There is such a high risk when:

Note: Data Protection Authorities may also consider other categories of data processing as high risk.

If the measures indicated in the DPIA fail to remove all the identified high risks, the Data Protection Authority must be consulted before the intended data processing takes place.

Keeping a record

You must be able to prove that your company acts in accordance with the GDPR and fulfils all applicable obligations — particularly upon request or inspection from the Data Protection Authority.

One way to do this is to keep detailed records on such things as the:

Your company should also keep — and regularly update — written procedures and guidelines and make them known to your employees.

If your company is an SME or smaller, you do not need to keep records of your processing activities as long as they:

  • are not done regularly
  • do not affect the rights or freedoms of the individuals involved
  • do not deal with sensitive data or criminal records

Data protection by design and default

Data protection by design means that your company should take data protection into account at the early stages of planning a new way of processing personal data. In accordance with this principle, a data controller must take all necessary technical and organisational steps to implement the data protection principles and protect the rights of individuals. These steps could include, for example, using pseudonymisation.

Data protection by default means that your company should always make the most privacy friendly setting the default setting. For example, if two privacy settings are possible and one of the settings prevents personal data from being accessed by others, this should be used as the default setting.
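The two principles above, illustrated in Python as an added example that is not part of the original page: a customer table is pseudonymised with a keyed hash whose key is held separately from the data, and a settings object has the privacy-friendly values as its defaults. The records, field names and key are constructed for the demonstration.

```python
import hmac
import hashlib
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records; the e-mail address is the direct identifier.
RAW_RECORDS = [
    {"email": "anna@example.org", "country": "SE", "order_total": 120},
    {"email": "bruno@example.org", "country": "PT", "order_total": 45},
    {"email": "anna@example.org", "country": "SE", "order_total": 60},
]


def pseudonymise(records, key, identifier="email"):
    """Replace the direct identifier with a keyed HMAC-SHA256 pseudonym.

    The key is the "additional information" that must be held separately
    (e.g. in a secrets store the analytics team cannot read). Without it
    the pseudonym cannot be turned back into the e-mail address, yet the
    same person always maps to the same pseudonym, so per-subject analysis
    on the pseudonymised copy still works.
    """
    out = []
    for rec in records:
        token = hmac.new(key, rec[identifier].encode(), hashlib.sha256).hexdigest()
        row = {k: v for k, v in rec.items() if k != identifier}
        row["subject_id"] = token
        out.append(row)
    return out


def totals_by_subject(pseudonymised):
    """Aggregate on the pseudonym: the use case that still needs linkability."""
    totals = defaultdict(int)
    for row in pseudonymised:
        totals[row["subject_id"]] += row["order_total"]
    return dict(totals)


def leaks_identifier(pseudonymised, identifier_value):
    """True if the direct identifier survives anywhere in the output."""
    return any(identifier_value in str(v) for row in pseudonymised for v in row.values())


@dataclass
class PrivacySettings:
    """Data protection by default: the privacy-friendly value is the default,
    so a user must actively opt in before anything is shared or made public."""
    profile_public: bool = False
    share_with_partners: bool = False
    analytics_opt_in: bool = False
```

Rotating or losing the key makes existing pseudonyms unlinkable to the people behind them, which is why the key and the pseudonymised table should be governed as two separate assets.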

Infringement of the rules and penalties

Failure to comply with the GDPR may result in significant fines of up to EUR 20 million or 4 % of your company's global turnover for certain breaches. The Data Protection Authority may impose additional corrective measures, such as ordering you to stop processing personal data.

FAQs - Data protection and online privacy
