Every organisation, regardless of the their size or sector, established in the European Economic Area (EEA) or offering products or services to individuals in the EEA, processing personal data whether or not by automated means needs to comply with the GDPR. The GDPR applies to the automated processing of personal data and to processing operations carried out manually from the moment the paper files are organised in a systematic manner, e.g. ordered alphabetically in a filing cabinet.
Examples of processing operations include collecting, recording, organising, using, modifying, storing, disclosing, altering and erasing individuals’ personal data.
Nevertheless, the application of the GDPR is modulated according to the nature, context, purposes and risks of the processing operations carried out. For SMEs whose core business is not the processing of personal data, the obligations can be less strict than for a large company.
Τι είναι ο ΓΚΠΔ;
Ο ΓΚΠΔ ή ο Γενικός Κανονισμός για την Προστασία Δεδομένων δημιουργεί ένα εναρμονισμένο σύνολο κανόνων που εφαρμόζονται σε κάθε επεξεργασία προσωπικών δεδομένων από οργανισμούς (δημόσιους ή ιδιωτικούς, ανεξάρτητα από το μέγεθός τους) που είναι εγκατεστημένοι στον Ευρωπαϊκό Οικονομικό Χώρο (ΕΟΧ) ή στοχεύουν άτομα στην ΕΕ. Πρωταρχικός στόχος του ΓΚΠΔ είναι να διασφαλίσει ότι τα προσωπικά δεδομένα απολαύουν του ίδιου υψηλού επιπέδου προστασίας οπουδήποτε στον ΕΟΧ, αυξάνοντας την ασφάλεια δικαίου τόσο για τα φυσικά πρόσωπα όσο και για τους οργανισμούς που επεξεργάζονται δεδομένα και προσφέροντας υψηλό επίπεδο προστασίας στα φυσικά πρόσωπα.
Ο κανονισμός τέθηκε σε ισχύ στις 24 Μαΐου 2016 και εφαρμόζεται από τις 25 Μαΐου 2018.
Are EDPB documents available in all EU languages?
We are constantly working on the translation of our documents into the official EU languages. All static content, as well as press releases and documents officially adopted by the Board, such as Guidelines, will be made available in these languages.
This process takes time and various steps need to be completed in order to provide translations of the best quality.
Please note that documents undergoing public consultation are usually not translated. It is only after the public consultation has been concluded and a final version of the document has been adopted by the Board that these documents will be translated.
Do you think your data has been lost or stolen?
The GDPR puts in place clear procedures in case of a data breach. If a data breach poses a risk, companies and organisations holding your data have to inform the relevant data protection authority within 72 hours or without undue further delay. If the leak poses a high risk to you, then you must also be informed personally.
The European Data Protection Supervisor (EDPS) is a Member of the European Data Protection Board. In addition, the EDPS provides the EDPB Secretariat. The Secretariat offers administrative and logistic support to the EDPB, performs analytical work and contributes to the EDPB’s tasks.
Although staff at the Secretariat is employed by the EDPS, staff members only work under the instructions of the Chair of the EDPB.
How can I apply for the European Data Protection Seal?
Controllers should formally submit their EU-wide certification criteria to:
the competent data protection authority (DPA) in the EEA country where the scheme owners have their headquarters;
the competent data protection authority (DPA) in the EEA country where a certification body operating the certification mechanism have their headquarters, considering the member state in which the most certificates are likely to be issued.
How can my processing operations or my organisation become GDPR certified?
Under the GDPR, certification is conducted by national certification bodies or by the competent national data protection authorities (Art. 42(5) GDPR).
For further information, we recommend contacting the relevant national DPA for your organisation. You can find a overview of all EEA DPAs here.
How does cross-border cooperation work under the GDPR?
The General Data Protection Regulation (GDPR) requires the Data Protection Authority (DPA) of the European Economic Area (EEA) to cooperate closely - under the umbrella of the European Data Protection Board (EDPB) - to ensure the consistent application of the GDPR and the protection of individuals’ data protection rights across the EEA. One of their tasks is to coordinate decision-making in cross-border data processing cases. A processing is cross-border when:
data processing takes place in more than one country;
or it substantially affects or it is likely to substantially affect individuals in more than one country.
Under the so-called one-stop-shop mechanism Art. 60 GDPR, the Lead Supervisory Authority (LSA) acts as the main point of contact for the controller or processor for a given processing, while the Concerned Supervisory Authorities (CSAs) act as the main point of contact for individuals in the territory of their Member State. The LSA is the authority in charge of leading the cooperation process. It will share relevant information with the CSAs, carry out the investigations, prepare the draft decision relating to the case, and cooperate with the other CSAs in an endeavour to reach consensus on this draft decision.
Is the guidance adopted by the Article 29 Working Party (WP29) still relevant today?
The EDPB endorsed WP29 documents are available here.
As regards the other existing WP29 documents, they may remain relevant and helpful insofar as the EDPB has not adopted new documents on the topic and/or they are compatible with the GDPR. This amounts to a case-by-case assessment.
My organisation would like to become a certification body, how can we become accredited?
Certification bodies are accredited by the national data protection authorities (DPA) or by the national accreditation body (named in accordance with Regulation 17065/2012). For further information regarding certification bodies, we recommend contacting the national DPA in your country. You can find an overview of all EEA DPAs here.