How-to guide: How to ensure compliance with the GDPR (EU)

Updated as of: 02 March 2025

Introduction

This guide will assist in-house counsel and risk and compliance teams, as well as private practitioners advising their clients, in ensuring an organisation’s compliance with the key requirements of Regulation (EU) 2016/679 – General Data Protection Regulation (EU GDPR).

The guide is EU-focused and addresses the requirements under the EU GDPR, in particular:

  • the general requirements under the EU GDPR; and
  • the European Data Protection Board (EDPB) and, where relevant, EU member states’ supervisory authorities’ interpretation of such EU GDPR requirements.

This guide does not address UK-specific data protection law requirements. However, it should be noted that the UK retained the EU GDPR in domestic law following Brexit (commonly referred to as the ‘UK GDPR’), with necessary changes to accommodate domestic areas of UK law. Therefore, insofar as the supervisory authority of the UK (the Information Commissioner’s Office (ICO)) has published guidelines specific to the EU GDPR (prior to Brexit) and the UK GDPR (after Brexit), such guidelines can assist in providing a helpful overview of the subject matter in this guide.

The guide covers an organisation’s processing activities in respect of customer and user data and internal employee data. It follows the structure of the EU GDPR and takes you through the following areas:

  1. Principles and lawful processing
  2. Data subject rights
  3. Controller and processor
  4. Security and personal data breaches
  5. Data protection impact assessments and prior consultation
  6. Data protection officer
  7. Codes of conduct and certifications
  8. International data transfers

Different requirements will apply depending on whether the organisation is a controller or a processor. The checklist focuses on mandatory/key issues, but there may be additional measures that an organisation can take as a matter of good practice.

The guide covers the requirements under:

  • the EU GDPR; and
  • various EDPB (formerly the Article 29 Working Party) guidelines.

Key definitions, such as ‘controller’, ‘processor’, ‘data subject’, ‘personal data’ and ‘processing’, are further explained in How-to guide: Understanding key data protection definitions.

The guide can be used in conjunction with Checklists: GDPR compliance self-assessment audit and Lawful processing of personal data under the GDPR.

Section 1 – Principles and lawful processing

1.1 Data protection principles

The data processing principles for controllers processing personal data are outlined in article 5, EU GDPR, as follows:

  • lawfulness, fairness and transparency – this means identifying a lawful basis to process personal data, not using data in contravention of other laws, using data fairly and being open with people about how you will use their data;
  • purpose limitation – this means collecting personal data only for specific purposes that you tell people about from the start and not using the data for other incompatible purposes;
  • data minimisation – this means only collecting and retaining the personal data you need to satisfy the stated purpose;
  • accuracy – this means ensuring the personal data you create or hold is accurate and up to date;
  • storage limitation – this means only retaining personal data for so long as you need to; and
  • integrity and confidentiality – this means putting in place appropriate security, including technical and organisational measures to protect the personal data you hold.

The controller must also be able to demonstrate ‘accountability’ (see Section 1.2).

1.2 Accountability and data protection governance

The controller is responsible for, and must be able to demonstrate compliance with, the data protection principles (see Section 1.1). This is known as ‘accountability’. The best way to do this is to be able to point to an established data protection governance framework, underpinned by effective policies, procedures and management structures. In particular, you should ensure the organisation has:

  • appropriate policies and procedures, in particular regarding data handling, transparency, information security and data breach response and data retention;
  • the required records (eg, records of processing activities (see Section 3.8) and data breach logs (see Sections 4.2 and 4.3));
  • a data protection officer, if required (see Section 6);
  • data protection impact assessments (DPIAs) for all high-risk processing (see Section 5);
  • contracts with all processors and joint controllers (see Section 3);
  • determined which data protection regulators have jurisdiction (see Section 3.9);
  • maintained all registrations with data protection regulators;
  • appointed a representative(s) where it needs to (see Section 3.4);
  • adhered to all codes of conduct and certifications that it has signed up to (see Sections 7.1 and 7.2); and
  • trained staff on data protection with regular refresher training.

1.3 Lawful bases

The controller must ensure that each processing activity has a valid lawful basis for processing under article 6, EU GDPR. Broadly, these are:

  • data subject consent;
  • where the processing is necessary for performance of or entering into a contract;
  • where the processing is necessary for compliance with a legal obligation;
  • where the processing is necessary for protection of vital interests;
  • where the processing is necessary for performance of a task in the public interest or in the exercise of official authority; and
  • where the processing is necessary to further the ‘legitimate interests’ of the controller or a third party – which requires identifying a legitimate interest, showing the processing is necessary to achieve it and carrying out a balancing test (to balance your or the third party’s interests against the individual’s rights, freedoms and interests) or a legitimate interests assessment.

Additional elements may need to be satisfied to be able to rely on each ground.

The lawful bases relied on by the controller to process personal data should be established by carrying out a lawful basis assessment. This means documenting your rationale for relying on particular lawful bases for accountability purposes.

These will then need to be set out in the controller’s privacy notice and records of processing activities. The controller may not process data inconsistently with what individuals have been told about use of their data.

Article 7, EU GDPR outlines further conditions applicable to consent. Article 8, EU GDPR sets out conditions concerning children’s consent for online services. Ireland’s supervisory authority, the Data Protection Commission (DPC), has published guidelines on the legal bases for processing personal data.

1.4 Special category data

‘Special categories of personal data’ under article 9, EU GDPR are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health and data concerning a natural person’s sex life or sexual orientation.

This type of more sensitive data is given special protection under the EU GDPR and cannot be processed unless a relevant exemption or condition under article 9, EU GDPR is met. These exemptions include broadly:

  • explicit data subject consent;
  • obligations and rights of the controller or of the data subject related to employment and social security and social protection law;
  • where the processing is necessary for protection of vital interests;
  • processing by certain not-for-profit bodies that relates solely to their members or regular contacts;
  • processing relating to personal data manifestly made public by the data subject;
  • where processing is necessary in relation to legal claims or by courts acting in their judicial capacity;
  • where processing is necessary for reasons of substantial public interest;
  • where processing is necessary for the purposes of preventive or occupational medicine, to assess employee working capacity, medical diagnosis, providing health or social care or treatment or managing health or social care systems and services or pursuant to a contract with a health professional;
  • where processing is necessary for reasons of public interest in the area of public health; and
  • where processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Additional elements may need to be satisfied to be able to rely on each ground.

The exemptions relied on by the controller to process special category data should be established by carrying out a lawful basis assessment. These will then need to be set out in the controller’s privacy notice and records of processing. The controller may not process data inconsistently with what individuals have been told about use of their data.

1.5 Criminal data processing

‘Criminal data’ refers to personal data relating to ‘criminal convictions and offences or related security measures based on article 6(1)’ (article 10, EU GDPR).

Processing of criminal data must only be carried out under the control of an official authority or when authorised under laws that provide for appropriate safeguards for individuals’ rights and freedoms. A comprehensive register of criminal convictions can only be kept under the control of an official authority.

Details of criminal data processing should be set out in the controller’s privacy notice (unless an exemption applies) and records of processing.

1.6 De-identified/anonymous data

Under article 11, EU GDPR, if the purposes for which a controller is processing personal data no longer require it to identify an individual, the controller need no longer process that information in an identifiable format if its only reason for doing so is to comply with the EU GDPR. In those circumstances, the controller need not give effect to certain data subject rights (under articles 15 to 20, EU GDPR) unless the data subject provides additional information enabling their identification.

In line with the data minimisation principle, and as a matter of good data governance, you should aim to use anonymisation techniques wherever possible. This will reduce your regulatory compliance burden, as properly anonymous data is not ‘personal data’ and, as such, data protection laws do not apply to it. However, be aware that true anonymisation is difficult to achieve in practice. If anonymisation of the personal data is not possible or practical, then pseudonymisation techniques should be used where possible, as these will reduce the risk of harm to the data subjects and enhance the security measures you take to protect the personal data.

Section 2 – Data subject rights

2.1 Privacy information/transparency

To fulfil the controller’s ‘transparency’ obligations, the information outlined in articles 13 and 14, EU GDPR must be provided to individuals whose data is processed. This is usually done in privacy notices. Consider providing external notices to customers, clients, website users, product or service users and other relevant individuals whose information you handle, and internal notices to staff.

2.2 Right of access

Under article 15, EU GDPR, if an individual requests access to their data being processed by the controller, the controller must:

  • confirm whether it is processing their personal data;
  • if so, provide access to a copy of the data; and
  • provide certain information about the data and how this is used – some of this information is the same as that required in the controller’s privacy notice (see Sections 1.3 to 1.5).

Check that proper policies, processes and procedures are in place to ensure you can quickly:

  • identify subject access requests (SARs) and verify these as valid;
  • assess any exceptions or exemptions to disclosure;
  • pull the data you need to respond from your systems;
  • redact any information that should not be disclosed; and
  • provide any information you are required to disclose to the data subject in an appropriate format.

The request must be responded to within tight time frames (usually one month).

2.3 Right of rectification/correction

Under article 16, EU GDPR, if an individual requests rectification (correction) of their personal data, the controller must action this request by correcting inaccurate data or completing incomplete data without undue delay.

Check that proper policies, processes and procedures are in place to ensure you can quickly:

  • identify rectification requests and verify these as valid;
  • assess any exceptions or exemptions;
  • isolate the data you need to respond from your systems and make the necessary corrections; and
  • respond to the individual confirming that the correction has (or has not) been made.

The request must be responded to within tight time frames (usually one month).

2.4 Right to erasure/to be forgotten

Under article 17, EU GDPR, if an individual requests erasure of their personal data, the controller must do so without undue delay if any of the specified grounds have been met (eg, the data has been unlawfully processed).

Check that proper policies, processes and procedures are in place to ensure you can quickly:

  • identify erasure requests and verify these as valid;
  • assess any exceptions or exemptions;
  • isolate the data you need to respond from your systems and make the necessary deletions; and
  • respond to the individual confirming that the data has (or has not) been erased.

The request must be responded to within tight time frames (usually one month).

2.5 Right to restriction of processing

Under article 18, EU GDPR, if an individual requests restriction (or ‘blocking’) of the processing of their personal data, the controller must action this request if one of certain specified grounds applies. Restriction of processing is usually temporary.

Check that proper policies, processes and procedures are in place to ensure that you can quickly:

  • identify restriction requests and verify these as valid;
  • assess any exceptions or exemptions;
  • isolate the data you need to respond to from your systems and impose the necessary controls to restrict processing; and
  • respond to the individual confirming that the restriction has (or has not) been made, and let them know in advance of any restriction being lifted.

The request must be responded to within tight time frames (usually one month).

2.6 Communication of requests to third parties

Article 19, EU GDPR requires the controller to implement a process for communicating rectification, erasure and restriction requests to third parties that hold relevant data. The exceptions to this are where such communication proves impossible or involves disproportionate effort. (However, that is a high threshold to meet.) If the data subject requests rectification, erasure or restriction, the controller will inform them about those third-party recipients.

2.7 Right to data portability

Under article 20, EU GDPR, an individual may have a right to receive their personal data in a structured, commonly used and machine-readable format or to have that data transmitted to another controller (where technically feasible). This portability right only applies where:

  • the data is information that has been provided by the individual to the controller;
  • the processing is based on consent, explicit consent or performance of contract; and
  • the processing is automated.

Check that proper policies, processes and procedures are in place to ensure you can quickly:

  • identify portability requests and verify these as valid;
  • assess any exceptions or exemptions;
  • isolate the data you need to respond to from your systems and make the necessary transmission of data; and
  • respond to the individual confirming that the data has (or has not) been ported.

The request must be responded to within tight time frames (usually one month).

2.8 Right to object

Under article 21, EU GDPR, an individual may, on certain grounds, object to their personal data being processed for the performance of a task in the public interest or in the exercise of official authority or on the basis of ‘legitimate interests’. If the individual objects to processing for direct marketing purposes (article 21(2) and 21(3), EU GDPR), the processing must stop (including any related profiling), unless the controller can demonstrate that it meets a balancing test showing compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or that processing is required for the establishment, exercise or defence of legal claims (article 21(1), EU GDPR).

Under article 21(6), EU GDPR, where the data subject’s personal data are processed for scientific or historical research purposes, they have the right to object, on grounds relating to their particular situation, to processing of personal data concerning them, unless the controller can demonstrate that such processing is necessary for the performance of a task carried out for reasons of public interest.

Check that proper policies, processes and procedures are in place to ensure you can quickly:

  • identify objection requests and verify these as valid;
  • assess any exceptions or exemptions;
  • isolate the data you need to respond to from your systems;
  • restrict processing while the balancing test is being carried out;
  • make any necessary deletions if the objection is upheld; and
  • respond to the individual confirming that the objection has (or has not) been acted on.

The request must be responded to within tight time frames (usually one month).

2.9 Automated decision-making, including profiling

Under article 22, EU GDPR, individuals have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects for the individual. There are exceptions to this linked to the lawful basis that underpins the decision. If such processing is permitted, additional safeguards need to be put in place to protect individuals’ rights, namely the right for the individual to:

  • obtain human review by the controller; and
  • express their point of view and to contest the decision.

Even stricter controls apply to making solely automated decisions in respect of special category personal data and children’s data.

2.10 Technical and organisational measures by processors to support DSRs

When acting as a processor on behalf of a controller organisation, you are required to implement technical and organisational measures to support the controller in meeting its obligations to respond to data subject rights (DSRs) (article 28(3)(e), EU GDPR). This includes measures to:

  • identify DSRs; and
  • depending on the process agreed with the controller:
    • refer all DSRs to the controller as soon as possible; or
    • deal with DSRs as instructed by the controller, for example, to:
      • verify the DSRs as valid;
      • assess any exceptions or exemptions;
      • isolate the data needed to respond and action the request; and
      • respond to the individual and action the request or respond confirming that no action is required.

Section 3 – Controller and processor

3.1 Technical and organisational measures for compliance with the EU GDPR

The controller must implement and maintain appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed in accordance with the EU GDPR (article 24(1), EU GDPR). In doing so, the controller can consider ‘the nature, scope and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons’. Where proportionate in relation to processing activities, this includes the controller putting in place appropriate data protection policies. You need to review and update these measures, as required.

3.2 Data protection by design and by default

Under article 25(1), EU GDPR, the controller must implement appropriate technical and organisational measures (such as pseudonymisation), which are designed to implement data protection principles (such as data minimisation) effectively:

  • at the time of determining the means for processing; and
  • at the time of the processing itself.

The necessary safeguards must be integrated into the processing to comply with the EU GDPR and to protect individuals’ rights. This ‘data protection by design’ needs to consider the state of the art, cost of implementation and nature, scope, context and purposes of processing, and the risks to individuals posed by the processing.

The International Organisation for Standardisation (ISO) adopted a new ISO standard for privacy by design for consumer goods and services, ISO 31700, in February 2023. The privacy by design ISO standard includes detailed guidance and requirements on how to operate an undertaking in a manner compatible with individuals’ data protection and privacy rights. The ISO standard seeks to further incentivise companies to take a best practice approach when considering their obligations under applicable data legislation, by offering certification to companies that comply with the standard’s requirements.

In a similar vein, the controller must implement appropriate technical and organisational measures for ensuring that, by default, only personal data that is necessary for each specific processing purpose is used. This ‘data protection by default’ applies to the volume of personal data collected, the extent of the processing of that data, its storage period and its accessibility.

3.3 Joint controller arrangements

Under article 26, EU GDPR, arrangements between joint controllers need to be determined transparently and properly documented, in particular, as regards exercising rights of data subjects and provision of privacy information.

The essence of the relationship needs to be made available to data subjects. This is typically done in the privacy notice.

3.4 Representatives

Under article 27, EU GDPR, controllers and processors not established in the European Economic Area (EEA) but otherwise caught within the territorial scope provisions of the relevant legislation (ie, under article 3(2), EU GDPR) will need to appoint an EEA representative.

There are exemptions for occasional, low-risk processing. Public authorities or bodies do not need to appoint a representative.

3.5 Pre-contract due diligence on processors

It is not enough that a contract is in place when appointing a processor, as required by article 28(3), EU GDPR; article 28(1), EU GDPR also requires that controllers only appoint processors that give ‘sufficient guarantees’ to implement appropriate technical and organisational measures to ensure processing will comply with the EU GDPR and that data subjects’ rights are protected. In practice, this means that controllers must carry out pre-contract due diligence on all processors before entrusting them to process personal data.

In controller and processor guidance published by EU member states’ supervisory authorities (including Ireland’s DPC), factors are identified that controllers should take into account when assessing whether the processor provides ‘sufficient guarantees’, including:

  • the extent to which the processor complies with industry standards (if applicable);
  • whether the processor has sufficient technical expertise to provide the required assistance to the controller;
  • provision of relevant policy documentation regarding personal data handling and security; and
  • adherence to an approved code of conduct or a certification scheme (once available).

3.6 Processor contracts

Article 28, EU GDPR imposes certain requirements on the appointment of processors to process personal data on behalf of controllers. These include requirements regarding authorisation of sub-processors by the controller and the flow-down of data protection terms in the processor contract (article 28(2) and (4), EU GDPR).

There are also mandatory terms that need to be included in all processor contracts (article 28(3), EU GDPR), including:

  • the subject matter and duration of the processing, its nature and purpose, the type of personal data and categories of data subjects, and the obligations and rights of the controller; and
  • obligations that the processor:
    • processes the personal data only on documented instructions from the controller, including with regard to international data transfers; if there is a legal requirement that would require the processor to deviate from those instructions, the processor must inform the controller (unless that law precludes this on important public interest grounds);
    • ensures that persons authorised to process the personal data have committed to keep the data confidential;
    • takes all security measures required pursuant to article 32, EU GDPR;
    • complies with certain conditions when engaging another processor;
    • assists the controller by appropriate technical and organisational measures with the controller’s obligations to respond to data subject requests;
    • assists the controller to comply with the obligations relating to security (article 32, EU GDPR), notifying data breaches (articles 33 and 34, EU GDPR), DPIAs (article 35) and prior consultations (article 36, EU GDPR);
    • at the controller’s option, deletes or returns all personal data to the controller after ceasing to provide services and deletes existing copies; and
    • makes available to the controller all information necessary to demonstrate compliance with the obligations in article 28 and allows for and contributes to audits, including inspections, conducted by the controller or its auditors.

Controllers should monitor processors’ compliance with their contractual obligations and other obligations under data protection law regularly.

3.7 Controller’s instructions

A processor, or anyone under the authority of the controller or of the processor, who has access to personal data must not deviate from the processing instructions given by the controller, unless applicable law requires them to do so (article 29, EU GDPR).

3.8 Records of processing

The controller and the processor must maintain records of processing containing certain mandatory information. For the controller, this is as set out in article 30(1), EU GDPR; for the processor, this is as set out in article 30(2), EU GDPR. Some smaller organisations that only carry out lower-risk processing are exempt (article 30(5), EU GDPR). Ireland’s DPC has published guidance on recording of processing activities.

3.9 Cooperation with data protection regulator(s)

Article 31, EU GDPR requires the controller and the processor, and their representatives, to cooperate on request with the relevant data protection regulator in the performance of its tasks. A lack of cooperation is an aggravating factor that can be taken into account when setting fines (article 83, EU GDPR).

Section 4 – Security and personal data breaches

4.1 Technical and organisational security measures

Article 32, EU GDPR sets out the requirements in relation to security. These apply to controllers and processors.

In particular, the organisation must implement appropriate technical and organisational measures in relation to personal data to ensure a level of security appropriate to the risk, including, as appropriate:

  • pseudonymisation and encryption;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational security measures.

The organisation can consider the state of the art (ie, the most advanced technology available at the time), costs of implementation, the nature, scope, context and purposes of processing, and the risks to individuals. In deciding the appropriate level of security, the risks of sustaining a personal data breach in particular should be considered. Ireland’s DPC has published guidance on different security practices.

4.2 Unresolved personal data breaches

A ‘personal data breach’ is defined as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’ (article 4(12), EU GDPR).

Check that there are no unresolved personal data breaches as these could result in regulatory, legal, and other risks for your organisation. You should also ensure that preventative measures are in place to guard against breaches recurring – breaches that are easily preventable, or of which the organisation has already been put on notice by the data protection regulators but failed to address, tend to attract higher fines.

Article 33(5), EU GDPR requires the controller to document any personal data breaches, including the relevant facts, its effects and the remedial action taken. This means maintaining a data breach log.

4.3 Reporting personal data breaches (controllers)

See the definition of ‘personal data breach’ in Section 4.2. Controllers and processors have different responsibilities in respect of breach reporting. (See also Section 4.4 for processor breach notification requirements.)

The controller must ‘without undue delay and, where feasible, not later than 72 hours after having become aware of a personal data breach’, notify the relevant data protection regulator(s) of the breach, unless it is unlikely to result in a risk to the rights and freedoms of individuals (article 33(1), EU GDPR). If the 72-hour time frame is not met, you must explain why. Certain prescribed information must be included in the notification and provision of this information may be phased, if necessary (article 33(1), (3) and (4), EU GDPR).

The EDPB data breach examples guidance provides examples of when an organisation is and isn’t required to notify the data protection regulator.

4.4 Notifying breaches to controller when acting as a processor

The processor has to notify the controller ‘without undue delay after becoming aware of a personal data breach’ (article 33(2), EU GDPR). Controllers often seek to impose a time frame on this contractually.

4.5 Communicating personal data breaches to affected individuals

When a personal data breach is likely to result in a ‘high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay’ (article 34(1), EU GDPR).

The communication needs to be clear and disclose certain prescribed information and measures (article 34(2), EU GDPR). There are certain limited exceptions to making the communication, such as where the data that has been breached has been securely encrypted and is inaccessible to unauthorised persons (article 34(3), EU GDPR).

4.6 Assisting the controller with notifying breaches to regulators and affected individuals when acting as a processor

Article 28(3)(f), EU GDPR requires processors to assist controllers with notifying data breaches to data protection regulators and affected individuals.

Section 5 – Data protection impact assessments and prior consultation

5.1 DPIAs for high-risk processing

A data protection impact assessment (DPIA) is a risk assessment methodology to examine and mitigate the impact of processing operations on the protection of personal data. The controller must carry out a DPIA in advance of starting processing where ‘a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons’ (article 35(1), EU GDPR). The EU GDPR states that a DPIA is required in particular for:

  • a systematic and extensive evaluation of personal aspects relating to individuals that is based on automated processing, including profiling, and on which decisions are based that produce legal or similarly significant effects for individuals;
  • large-scale processing of special categories of data (article 9, EU GDPR) or criminal data (article 10, EU GDPR); or
  • a systematic monitoring of a publicly accessible area on a large scale (eg, CCTV or drones).

The Article 29 Working Party’s Guidelines on Data Protection Impact Assessment (DPIA) list criteria that may act as indicators of probable high-risk processing.

The European data protection regulators can issue further guidance on situations where processing is likely to be high-risk and therefore requires a DPIA. The UK ICO lists the following in its DPIA guidance:

  • innovative technology – a DPIA is required where this processing is combined with any criteria from the European guidelines;
  • denial of service – where based on automated decision-making (including profiling) or involving the processing of special category data;
  • large-scale profiling – any profiling of individuals on a large scale;
  • biometrics – where biometric data is processed, a DPIA is required where this processing is combined with any criteria from the European guidelines;
  • genetic data – (subject to an exception for direct healthcare by an individual GP or health professional) a DPIA is required where processing of genetic data is combined with any criteria from the European guidelines;
  • data matching – combining, comparing or matching personal data obtained from multiple sources;
  • invisible processing – where third-party personal data is processed and the controller considers that giving a privacy notice would be impossible or involve disproportionate effort, a DPIA is required where this processing is combined with any criteria from the European guidelines;
  • tracking – where processing involves tracking an individual’s geolocation or behaviour (online or offline), a DPIA is required where this processing is combined with any criteria from the European guidelines;
  • targeting of children or other vulnerable individuals – using the personal data of children or other vulnerable individuals for marketing, profiling or other automated decision-making, or if you intend to offer online services directly to children; and
  • risk of physical harm – where processing is such that a personal data breach could endanger the (physical) health or safety of individuals.

5.2 Processors supporting DPIAs

Processors must assist controllers in ensuring compliance with the controller’s obligations in relation to DPIAs (article 28(3)(f), EU GDPR). The level of assistance given can take into account the nature of the processing and the information available to the processor.

5.3 Prior consultation

Where a DPIA is carried out and ‘indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk’, the controller must consult with relevant data protection regulator(s) before data processing commences (article 36(1), EU GDPR). A detailed consultation process follows where the regulator decides whether the intended processing would infringe the EU GDPR, in particular where the controller has insufficiently identified or mitigated the risk (article 36(2) and (3), EU GDPR).

5.4 Processors supporting prior consultations

Processors must assist controllers in ensuring compliance with the controller’s obligations relating to prior consultations (article 28(3)(f), EU GDPR). The level of assistance can take into account the nature of the processing and the information available to the processor.

Section 6 – Data protection officer

Organisations meeting the specified criteria set out in article 37, EU GDPR must appoint a data protection officer (DPO). Where a statutory DPO is appointed, their appointment must fulfil the requirements in article 38, EU GDPR and they must fulfil the tasks listed in article 39, EU GDPR. Relevant data protection regulator(s) must be notified of their appointment and their details must be included in privacy notices.

Section 7 – Codes of conduct and certifications

7.1 Codes of conduct

Under article 40, EU GDPR, relevant data protection regulators and EU bodies encourage the drawing up of codes of conduct to contribute to the proper application of the EU GDPR, taking account of the specific features of the various processing sectors and the needs of micro, small and medium-sized enterprises. Trade associations and representative bodies take the lead on developing and monitoring compliance with codes of conduct. A specific approval process is involved, as set out in article 40.

Codes of conduct are voluntary sets of rules that assist members of that code with data protection compliance and accountability in specific sectors or relating to particular processing operations. Codes of conduct can either be ‘national codes’ (which cover processing activities in a particular jurisdiction) or ‘transnational codes’ (which cover processing activities in more than one member state). The EDPB and supervisory authorities encourage the creation of codes of conduct by actively engaging with sectors to encourage development and uptake of codes of conduct where the sector would benefit.

To date, a limited number of codes of conduct have been approved.

Adherence to codes of conduct can also be used as part of demonstrating compliance (articles 24(3) (technical and organisational measures) and 25(3) (data protection by design and by default), EU GDPR).

7.2 Certifications

Under article 41, EU GDPR, relevant data protection regulators and EU bodies encourage the establishment of data protection certification mechanisms and data protection seals and marks to demonstrate compliance with the EU GDPR of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises must be considered.

During 2022, the EDPB adopted an opinion on the approval of the Europrivacy certification criteria submitted by the Luxembourg data protection authority. This was the first such certification approved by the EDPB. Under the certification scheme, Europrivacy enables organisations to assess and certify the compliance of their data processing with the EU GDPR and complementary national data protection laws. Adherence to approved certification mechanisms can also be used as part of demonstrating compliance (articles 24(3) (technical and organisational measures) and 25(3) (data protection by design and by default), EU GDPR).

Section 8 – International data transfers

All countries located within the EEA (ie, EU member states, Iceland, Liechtenstein and Norway) are subject to the EU GDPR. Because these countries have comparable standards of data protection, cross-border transfers between them can take place without restriction.

Generally speaking, transfers of personal data by a controller or processor to a country located outside of the EEA (a ‘third country’) or to an international organisation can only take place if the controller or processor has provided appropriate safeguards (article 46, EU GDPR). ‘Appropriate safeguards’ include standard contractual clauses with supplementary measures as appropriate, binding corporate rules and specific derogations.

However, the European Commission has the power to determine whether a third country offers an adequate level of data protection (article 45, EU GDPR). Where the European Commission has found a country to offer an adequate level of data protection, transfers to that third country can be made without any further safeguard being required. The European Commission maintains a list of adequacy decisions, which is subject to review on a scheduled basis.

Where the third country to which personal data is transferred (exported) has not been found adequate by the European Commission, the use of European Commission-issued standard contractual clauses (EU SCCs) is the most popular safeguard used by data exporters. During 2021, the European Commission issued updated EU SCCs that replaced versions that pre-dated the introduction of the EU GDPR. The updated EU SCCs provide for transfers from controllers or processors established in the EEA (or otherwise subject to the EU GDPR) to controllers or processors established outside the EEA (and not subject to the EU GDPR).

Where there is no adequacy decision in place, additional requirements, including appropriate safeguards and transfer adequacy assessments, need to be met before personal data is transferred from the EEA to a third country. ‘Appropriate safeguards’ include standard contractual clauses together with supplementary measures as appropriate, binding corporate rules and specific derogations. Such supplementary measures take into account the binding judgement of the European Court of Justice in the case commonly referred to as Schrems II.

See also Checklist: GDPR compliance self-assessment audit for more information.

In the absence of an adequacy decision or of appropriate safeguards, a transfer or a set of transfers of personal data to a third country or an international organisation may take place only under one of the conditions (derogations) set out in article 49, EU GDPR.

The EDPB offers guidance on international transfers in accordance with the EU GDPR and recommendations on measures to supplement transfer tools. In addition, the European Commission has published a questions and answers document particular to the use of EU SCCs.

This is a fast-moving area, and it is advisable to check the EDPB website for the latest guidance.

Additional resources

Related Lexology Pro content

How-to guides:

  • Understanding key data protection definitions
  • How to comply with data processing principles under the GDPR
  • How to establish a valid lawful basis for processing personal data under the GDPR
  • How to transfer personal data lawfully outside the European Economic Area
  • How to reduce the risk of a GDPR data breach
  • How to deal with a GDPR data breach
  • How to deal with a supervisory authority dawn raid

Checklists:

  • GDPR compliance self-assessment audit
  • Assessing whether an organisation is a controller or processor under the GDPR
  • Lawful processing of personal data under the GDPR
  • Obtaining and managing consent under the GDPR
  • Processor due diligence (data protection and cybersecurity)
  • Making an international transfer of personal data under the GDPR
  • Data subject access rights under the GDPR
  • What to include in your organisation’s privacy notice
  • When and how to appoint a data protection officer
  • Complying with cookie requirements under the ePrivacy Directive and the GDPR
