FORTISEU
GDPR: In Force

GDPR Frequently Asked Questions

15 min read. Updated 2026-03-12

Comprehensive GDPR FAQ

This FAQ section addresses the most common questions encountered by Data Protection Officers, CISOs, compliance officers, and legal teams after nearly eight years of GDPR enforcement. The answers reflect current regulatory guidance from the European Data Protection Board (EDPB), significant case law from the Court of Justice of the European Union (CJEU), and enforcement trends across EU/EEA supervisory authorities.

The GDPR has matured significantly since its application on 25 May 2018. Initial enforcement focused on establishing precedent and clarifying interpretive questions. By 2026, the enforcement landscape is characterised by substantial fines, detailed EDPB guidelines on nearly every aspect of the Regulation, landmark CJEU rulings on consent, legitimate interests, and the right of access, and increasing coordination between national DPAs through the consistency mechanism. Organisations that invested in GDPR compliance programmes in 2018 must now ensure those programmes remain current with evolving guidance and enforcement expectations.

FAQ

Frequently Asked Questions

What is the GDPR?

The General Data Protection Regulation (GDPR) is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. It is the EU's comprehensive data protection law, directly applicable in every EU member state since 25 May 2018 and in the three EEA EFTA states (Iceland, Liechtenstein, Norway) since its incorporation into the EEA Agreement in July 2018. The GDPR establishes harmonised rules for the processing of personal data, rights for data subjects, obligations for controllers and processors, and enforcement powers for independent supervisory authorities. It replaced Directive 95/46/EC and is supplemented by national implementing legislation under its opening clauses (for example on the age of digital consent, employee data, and restrictions on data subject rights).

Who does the GDPR apply to?

The GDPR applies to any organisation that processes personal data of individuals who are in the EU/EEA, regardless of the organisation's location. Under Article 3 it applies to: (1) controllers and processors established in the EU, regardless of where the processing itself takes place (Article 3(1)); (2) non-EU organisations that offer goods or services to individuals in the EU, whether or not payment is required (Article 3(2)(a)); and (3) non-EU organisations that monitor the behaviour of individuals in the EU, as far as that behaviour takes place within the EU (Article 3(2)(b)). This extraterritorial reach means the GDPR applies to any organisation, wherever located, with EU-facing processing activities. Non-EU organisations caught by Article 3(2) must designate a representative in the EU under Article 27, unless the exemption in Article 27(2) applies (occasional processing that involves no large-scale special-category or criminal-conviction data and is unlikely to result in a risk to data subjects, or processing by a public authority or body).

What are the maximum GDPR penalties?

The GDPR establishes a two-tier administrative fine system. The lower tier (Article 83(4)) provides for fines of up to EUR 10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher — applicable to infringements of controller/processor obligations including security measures, breach notification, DPIAs, and DPO requirements. The upper tier (Article 83(5)) provides for fines of up to EUR 20 million or 4% of total worldwide annual turnover — applicable to infringements of the basic principles, conditions for consent, data subject rights, and international transfer rules. Turnover is calculated at the group level for undertakings within the same corporate group.

What is a lawful basis for processing personal data?

Article 6(1) provides six exhaustive lawful bases for processing: (a) consent — freely given, specific, informed, and unambiguous; (b) contractual necessity — processing necessary for performance of a contract with the data subject; (c) legal obligation — processing necessary for compliance with an EU or member state legal obligation; (d) vital interests — processing necessary to protect the vital interests of the data subject or another person; (e) public interest — processing necessary for a task in the public interest or exercise of official authority; and (f) legitimate interests — processing necessary for legitimate interests of the controller or third party, unless overridden by the data subject's interests, rights, or freedoms. The lawful basis must be determined and documented before processing begins.

What is the difference between a controller and a processor?

A controller (Article 4(7)) determines the purposes and means of processing personal data — the 'why' and 'how.' A processor (Article 4(8)) processes personal data on behalf of the controller, acting only on the controller's documented instructions. The distinction determines the allocation of GDPR obligations: controllers bear primary responsibility for compliance with the principles, lawful basis, data subject rights, and accountability. Processors have direct obligations for security (Article 32), records of processing (Article 30(2)), breach notification to the controller (Article 33(2)), and DPO appointment where required (Article 37). A written contract under Article 28 is mandatory between controller and processor.

What is a Data Protection Impact Assessment (DPIA)?

A DPIA (Article 35) is a structured assessment that must be carried out prior to processing that is likely to result in a high risk to the rights and freedoms of natural persons. Article 35(3) names three cases in which a DPIA is always required: (a) systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions with legal or similarly significant effects are based; (b) large-scale processing of special categories of data or criminal conviction data; and (c) systematic monitoring of a publicly accessible area on a large scale. That list is illustrative, not exhaustive: supervisory authorities publish lists of processing operations requiring a DPIA under Article 35(4), and the EDPB's criteria (evaluation or scoring, innovative technology, matching or combining datasets, data concerning vulnerable subjects, and so on) should be applied to identify other high-risk processing. A DPIA must contain: a systematic description of the processing operations and purposes; an assessment of necessity and proportionality; an assessment of risks to data subjects' rights and freedoms; and the measures envisaged to address those risks. The controller must seek the advice of the DPO, where one is designated (Article 35(2)). If the residual risk remains high after mitigation, prior consultation with the supervisory authority under Article 36 is required before processing starts.

What are the rules for international data transfers under the GDPR?

Chapter V (Articles 44-49) restricts transfers of personal data to third countries (outside the EU/EEA) unless adequate safeguards exist. The primary mechanisms are: (1) adequacy decisions by the European Commission under Article 45, recognising that a third country provides an essentially equivalent level of data protection (currently covering Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, UK, Uruguay, and, for US organisations certified under it, the EU-US Data Privacy Framework); (2) appropriate safeguards under Article 46, primarily the Commission's Standard Contractual Clauses (SCCs, Implementing Decision (EU) 2021/914) and Binding Corporate Rules (BCRs); and (3) derogations under Article 49 for specific situations, including explicit consent, contractual necessity, and, as a last resort for non-repetitive transfers, compelling legitimate interests. Following the CJEU's Schrems II ruling (C-311/18), organisations relying on SCCs or BCRs must conduct transfer impact assessments to evaluate whether the destination country's legal framework, in particular government access to data, undermines the protection the safeguards provide, and must adopt supplementary measures (for example encryption with keys held only in the EU) where it does.

What is consent under the GDPR?

Consent under GDPR (Article 4(11), Article 7) must be freely given, specific, informed, and unambiguous. It requires a clear affirmative action: pre-ticked boxes, silence, or inactivity do not constitute valid consent. Consent must be as easy to withdraw as to give (Article 7(3)), and withdrawal does not affect the lawfulness of processing carried out before it. Controllers must be able to demonstrate that consent was given (Article 7(1)), which in practice means recording who consented, when, to what, which notice they were shown, and how the affirmative action was expressed. Consent is not considered freely given where there is a clear imbalance between the controller and data subject (e.g., employer-employee relationships), where consent is bundled as a condition of service for processing that is not necessary for that service (Article 7(4)), or where the data subject has no genuine choice. For children, Article 8 requires parental consent for information society services offered directly to a child below 16, a threshold member states may lower to not less than 13. For special categories of data, explicit consent under Article 9(2)(a) requires a particularly clear and express statement.
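The demonstrability and withdrawal requirements above translate into an event-sourced consent ledger: every grant and withdrawal is recorded per subject and per purpose, and "was this processing covered by consent at the moment it happened?" is answered by replaying the events up to that moment. The following is an added example written for this page, not code from the original page or from FortisEU; the event fields, purpose names, mechanism labels and sample events are constructed assumptions.

```python
"""Consent ledger: record, withdraw and demonstrate consent per purpose.

Added illustration of the Article 7 consent-handling obligations; not part of
the original page. The event schema, purposes, mechanism names and sample
events below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumed labels for how the affirmative action was captured. The first set
# cannot evidence a "clear affirmative action" (Article 4(11)) and is refused.
INVALID_MECHANISMS = {"pre_ticked", "default_on", "implied_by_scrolling"}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str
    action: str                       # "grant" or "withdraw"
    at: datetime
    notice_version: Optional[str] = None   # privacy notice shown at grant time
    mechanism: Optional[str] = None        # how the grant was expressed


class ConsentLedger:
    def __init__(self):
        self._events: list[ConsentEvent] = []

    def grant(self, subject_id, purpose, at, notice_version, mechanism):
        # Refuse to record what could not be valid consent in the first place.
        if mechanism in INVALID_MECHANISMS:
            raise ValueError(f"{mechanism!r} is not a clear affirmative action")
        if not notice_version:
            raise ValueError("consent must be informed: record the notice shown")
        self._events.append(ConsentEvent(subject_id, purpose, "grant", at,
                                         notice_version, mechanism))

    def withdraw(self, subject_id, purpose, at):
        # Withdrawal must be as easy as giving (Article 7(3)): no preconditions.
        self._events.append(ConsentEvent(subject_id, purpose, "withdraw", at))

    def status_at(self, subject_id, purpose, when):
        """Return (consented, deciding_event) as of `when`.

        The latest event at or before `when` decides; earlier processing is not
        retroactively unlawful after a withdrawal.
        """
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose
                    and e.at <= when]
        if not relevant:
            return False, None
        last = max(relevant, key=lambda e: e.at)
        return last.action == "grant", last

    def evidence(self, subject_id, purpose):
        """Full audit trail for one subject and purpose (Article 7(1))."""
        return sorted((e for e in self._events
                       if e.subject_id == subject_id and e.purpose == purpose),
                      key=lambda e: e.at)


def run_example():
    """Constructed scenario: grant in June, withdraw in September, query around it."""
    utc = timezone.utc
    ledger = ConsentLedger()
    ledger.grant("s1", "marketing", datetime(2025, 6, 1, tzinfo=utc),
                 notice_version="v3", mechanism="explicit_button")
    ledger.withdraw("s1", "marketing", datetime(2025, 9, 15, tzinfo=utc))

    before_withdrawal, _ = ledger.status_at("s1", "marketing",
                                            datetime(2025, 8, 1, tzinfo=utc))
    after_withdrawal, _ = ledger.status_at("s1", "marketing",
                                           datetime(2025, 10, 1, tzinfo=utc))
    never_asked, _ = ledger.status_at("s1", "analytics",
                                      datetime(2025, 10, 1, tzinfo=utc))
    try:
        ledger.grant("s2", "marketing", datetime(2025, 6, 1, tzinfo=utc),
                     notice_version="v3", mechanism="pre_ticked")
        pre_ticked_rejected = False
    except ValueError:
        pre_ticked_rejected = True

    return {
        "before_withdrawal": before_withdrawal,
        "after_withdrawal": after_withdrawal,
        "never_asked": never_asked,
        "pre_ticked_rejected": pre_ticked_rejected,
        "trail_length": len(ledger.evidence("s1", "marketing")),
    }


if __name__ == "__main__":
    print(run_example())
```

The point-in-time query is what matters operationally: a marketing send on 1 August is lawful and stays lawful after the 15 September withdrawal, while a send on 1 October is not, and the ledger can produce the notice version and mechanism behind each answer when a supervisory authority asks.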

What are special categories of personal data?

Article 9(1) identifies special categories that receive heightened protection: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership; genetic data; biometric data processed for the purpose of uniquely identifying a natural person; data concerning health; and data concerning a person's sex life or sexual orientation. Processing of these categories is generally prohibited unless one of the exceptions in Article 9(2) applies, including: explicit consent; employment/social security law; vital interests; legitimate activities of foundations, associations, or not-for-profit bodies; data manifestly made public by the data subject; legal claims; substantial public interest; preventive or occupational medicine; public health; and archiving/research/statistics.

How long can we keep personal data?

The storage limitation principle (Article 5(1)(e)) requires that personal data be kept in identifiable form for no longer than is necessary for the purposes for which it is processed. There is no single prescribed retention period — controllers must determine appropriate retention periods based on the processing purpose, legal retention requirements (e.g., tax, employment, anti-money laundering legislation), statute of limitations for potential legal claims, and sector-specific regulatory expectations. Controllers must establish and enforce data retention policies, implement automated deletion or anonymisation at the end of retention periods, and conduct periodic reviews. Data may be kept longer solely for archiving in the public interest, scientific or historical research, or statistical purposes under Article 89(1), subject to appropriate safeguards.
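Enforcing the retention schedule is a recurring job rather than a one-off review: each stored record is checked against the documented period for its purpose, expired records are deleted or anonymised as the schedule specifies, records under a legal hold are kept (but flagged), and records whose purpose has no documented period are escalated instead of silently kept. The following is an added example written for this page, not code from the original page or from FortisEU; the purposes, retention periods, field names and sample records are constructed assumptions, not values prescribed by any regulation.

```python
"""Retention sweep: apply a documented retention schedule to stored records.

Added illustration of the storage-limitation principle (Article 5(1)(e)); not
part of the original page. The schedule, field names and sample records below
are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed retention schedule: per purpose, how long data may be kept in
# identifiable form and what happens when that period expires.
RETENTION_SCHEDULE = {
    "invoicing":     {"days": 10 * 365, "on_expiry": "delete"},     # assumed accounting period
    "marketing":     {"days": 2 * 365,  "on_expiry": "delete"},
    "web_analytics": {"days": 90,       "on_expiry": "anonymise"},  # keep only aggregate value
}

# Assumed direct identifiers; anonymisation strips these so the record is no
# longer personal data and can be retained for statistics (Article 89(1)).
IDENTIFYING_FIELDS = {"name", "email", "ip_address"}


@dataclass
class Record:
    record_id: str
    purpose: str
    collected_at: datetime
    legal_hold: bool = False            # pending legal claim overrides expiry
    fields: dict = field(default_factory=dict)


def anonymise(record):
    return Record(record.record_id, record.purpose, record.collected_at,
                  record.legal_hold,
                  {k: v for k, v in record.fields.items()
                   if k not in IDENTIFYING_FIELDS})


def classify(record, now):
    """Decide keep / delete / anonymise / hold / review for one record."""
    rule = RETENTION_SCHEDULE.get(record.purpose)
    if rule is None:
        return "review"   # no documented period: escalate, do not guess
    expiry = record.collected_at + timedelta(days=rule["days"])
    if now < expiry:
        return "keep"
    if record.legal_hold:
        return "hold"     # retention for legal claims (cf. Article 17(3)(e))
    return rule["on_expiry"]


def sweep(records, now):
    """Return (actions by record id, records retained after the sweep)."""
    actions = {k: [] for k in ("keep", "delete", "anonymise", "hold", "review")}
    retained = []
    for rec in records:
        action = classify(rec, now)
        actions[action].append(rec.record_id)
        if action == "delete":
            continue
        retained.append(anonymise(rec) if action == "anonymise" else rec)
    return actions, retained


def run_example():
    """Constructed sample data swept as of 12 March 2026."""
    utc = timezone.utc
    now = datetime(2026, 3, 12, tzinfo=utc)
    records = [
        Record("inv-1", "invoicing", datetime(2015, 1, 1, tzinfo=utc),
               fields={"name": "A. Example", "amount": 120}),
        Record("inv-2", "invoicing", datetime(2015, 1, 1, tzinfo=utc),
               legal_hold=True, fields={"name": "B. Example", "amount": 80}),
        Record("mkt-1", "marketing", datetime(2025, 1, 1, tzinfo=utc),
               fields={"email": "c@example.invalid"}),
        Record("web-1", "web_analytics", datetime(2025, 11, 1, tzinfo=utc),
               fields={"ip_address": "192.0.2.10", "page": "/pricing"}),
        Record("misc-1", "unknown_purpose", datetime(2020, 1, 1, tzinfo=utc),
               fields={"name": "D. Example"}),
    ]
    return sweep(records, now)


if __name__ == "__main__":
    actions, retained = run_example()
    print(actions)
    print([(r.record_id, r.fields) for r in retained])
```

Two design choices are deliberate: an unknown purpose is a "review" outcome rather than a default retention, because keeping data without a documented purpose is itself the storage-limitation failure; and anonymisation is expressed as removal of a named identifier set so that what counts as identifying is reviewable configuration, not buried logic.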

What is the right to be forgotten?

The right to erasure, or 'right to be forgotten' (Article 17), entitles data subjects to obtain erasure of their personal data where: the data is no longer necessary for its original purpose; consent is withdrawn and no other lawful basis exists; the data subject successfully objects under Article 21; the data has been unlawfully processed; erasure is required by EU or member state law; or the data was collected in relation to information society services offered to a child. The right is not absolute — Article 17(3) provides exceptions for freedom of expression, legal obligations, public health, archiving/research in the public interest, and legal claims. Where the controller has made data public, it must take reasonable steps to inform other controllers processing that data of the erasure request.

Do we need a Data Protection Officer?

Under Article 37(1), a DPO is mandatory in three cases: (a) the processing is carried out by a public authority or body (except courts acting judicially); (b) the core activities of the controller or processor require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities consist of large-scale processing of special categories of data or criminal conviction data. Even where not mandatory, the EDPB recommends voluntary appointment. The DPO must have expert knowledge of data protection law, must be independent (no instructions regarding tasks, no dismissal for performing duties), and may be internal or external (service contract). The DPO's contact details must be published and communicated to the supervisory authority.

How does the GDPR relate to NIS2?

The GDPR and NIS2 (Directive (EU) 2022/2555) are complementary EU instruments with overlapping cybersecurity obligations; note that NIS2 is a directive transposed into national law, not a directly applicable regulation. GDPR Article 32 requires controllers and processors to implement appropriate technical and organisational security measures; this aligns with NIS2 Article 21, which imposes detailed cybersecurity risk-management measures on essential and important entities. Organisations subject to both must ensure their security programmes satisfy both frameworks. Key distinctions: GDPR focuses on the protection of personal data, while NIS2 focuses on the security of network and information systems in critical sectors. GDPR breach notification (Article 33: to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals; Article 34: to affected data subjects without undue delay where the risk is high) and NIS2 incident reporting (Article 23: 24-hour early warning, 72-hour incident notification, final report within one month, to the CSIRT or competent authority) are separate obligations with different thresholds, timelines, and recipients. When a single incident triggers both, each must be satisfied independently, so the incident-response playbook should start both clocks at the moment of detection and record the awareness time that each regime measures from.

What about the ePrivacy Regulation?

The proposed ePrivacy Regulation was intended to replace the ePrivacy Directive (Directive 2002/58/EC) and serve as lex specialis to the GDPR for the electronic communications sector, covering the confidentiality of electronic communications, the processing of traffic and location data, cookies and similar tracking technologies, and direct marketing. After years of stalled Council negotiations, the European Commission announced in its 2025 work programme that it was withdrawing the proposal, as no agreement between the co-legislators was foreseeable. The existing ePrivacy Directive (as amended by Directive 2009/136/EC) therefore continues to apply, as transposed into member state law, with the GDPR providing the general data protection framework alongside it. In practice this means cookie and tracker consent is still governed by the national transpositions of Article 5(3) of the Directive, while the GDPR's standard of consent (Article 4(11) and Article 7) defines what a valid consent looks like.

How should we prepare for a GDPR audit by a supervisory authority?

Preparation for a GDPR audit should include maintaining current and complete records of processing activities (Article 30); documented Data Protection Impact Assessments for high-risk processing (Article 35); a comprehensive breach register documenting all personal data breaches, including risk assessments and notification decisions (Article 33(5)); evidence of DPO appointment, independence, and task performance where applicable (Articles 37-39); executed data processing agreements with all processors (Article 28); consent records with timestamps, scope, and withdrawal mechanisms where consent is the lawful basis (Article 7); published and up-to-date privacy notices (Articles 13-14); records of data subject requests and responses with timelines (Articles 15-22); staff training records and awareness programmes; international transfer mechanisms and transfer impact assessments (Chapter V); data protection by design and by default documentation (Article 25); and evidence of regular compliance reviews and security testing (Article 32). Maintaining these records as ongoing operational documentation, rather than preparing them for an audit, is the essence of the accountability principle.

This content is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for compliance decisions.

Automate GDPR Compliance with FortisEU

Turn regulatory obligations into actionable controls with evidence workflows, real-time dashboards, and EU-sovereign AI assistance.