Search every question across sub-FAQs

It can, but only through the Article 3 triggers. First, GDPR applies to processing carried out in the context of the activities of an establishment of a controller or processor in the Union, even if the processing itself takes place outside the Union.

Second, for a controller or processor not established in the Union, GDPR applies only where the processing relates to offering goods or services to data subjects in the Union or monitoring their behavior as far as that behavior takes place in the Union. The EDPB stresses that the Article 3 assessment is made for the particular processing activity, not by labeling the entire legal entity as globally in scope.

For Article 3(2)(a), the key question is whether the controller or processor appears to envisage offering goods or services to data subjects in one or more EU Member States. Payment is not required.

A website being reachable from the Union, listing an email address, or using a language generally used in the organization's own country is not enough by itself. Stronger evidence can include naming EU Member States in the offer, EU-directed advertising, EU delivery, EU customer references, EU languages or currencies tied to ordering, EU contact details, or an EU top-level domain.

Article 3(2)(b) applies where the processing relates to monitoring data subjects' behavior and that behavior takes place within the Union. The EDPB says monitoring requires attention to the controller's purpose, especially later behavioral analysis or profiling; not every collection or analysis of data from people in the Union is automatically monitoring.

Grounded examples of monitoring indicators include behavioral advertising, geolocation for marketing, online tracking through cookies or fingerprinting, personalized health or diet analytics, CCTV, individual-profile market studies, and monitoring or regular reporting on a person's health status.

Where Article 3(2) applies, a non-EU controller or processor must designate a representative in the Union unless an Article 27(2) exemption applies. The GDPR exemptions are narrow: certain occasional, low-risk processing without large-scale special-category or criminal-offence data, or processing by a public authority or body.

The representative must be established in one of the Member States where the relevant data subjects are located. The EDPB also says designation of a representative does not itself create an EU establishment under Article 3(1), and it does not remove the controller's or processor's own responsibility or liability.

Article 6(1) GDPR lists six lawful bases: consent for one or more specific purposes; necessity for a contract with the data subject or pre-contract steps requested by the data subject; necessity for a legal obligation that applies to the controller; necessity to protect vital interests; necessity for a public-interest task or official authority vested in the controller; and necessity for legitimate interests pursued by the controller or a third party, unless overridden by the data subject's interests or fundamental rights and freedoms.

Pick the basis for the specific purpose, not for the system as a whole. A product may rely on contract for account delivery, legal obligation for statutory records, consent for optional communications, and legitimate interests for a separate low-risk operational purpose if the balancing test supports it.

Consent must be freely given, specific, informed, and unambiguous, and Article 7 requires the controller to demonstrate consent. It must be as easy to withdraw as to give, and withdrawal does not invalidate processing that was lawful before withdrawal.

Consent is weak where the person has no real choice, the request is bundled into terms, the service is conditional on unnecessary processing, or there is a power imbalance. The EDPB guidance calls out public-authority and employment contexts as situations where consent will often be difficult to rely on because free choice may be limited.

Article 6(1)(f) is available where processing is necessary for legitimate interests pursued by the controller or a third party, unless those interests are overridden by the data subject's interests or fundamental rights and freedoms. The GDPR text specifically highlights protection of children in this balancing exercise.

A useful legitimate-interest record separates three questions: what legitimate interest is pursued, why the processing is necessary for that interest, and why the data subject's interests, rights, and freedoms do not override it. The record should also identify privacy notice text, objection handling, safeguards, and the review trigger.

Article 6(1)(c) covers processing necessary for compliance with a legal obligation to which the controller is subject. Article 6(1)(e) covers processing necessary for a public-interest task or official authority vested in the controller.

Both bases need a grounding legal basis in Union law or Member State law. Article 6(3) says that the purpose must be determined in that legal basis, or for public task must be necessary for the public-interest task or official authority, and that the law must meet an objective of public interest and be proportionate to the legitimate aim pursued.

Article 6 lawfulness is not the whole analysis when special-category data is involved. Article 9 separately prohibits processing data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health data, or data about a person's sex life or sexual orientation unless an Article 9(2) condition applies.

That means a controller processing special-category data usually needs both an Article 6 lawful basis and an Article 9 condition. Explicit consent under Article 9(2)(a) is one possible condition, but Article 9 includes other conditions and also notes that Union or Member State law may prevent the prohibition from being lifted by consent for specified cases.

Article 12(3) requires the controller to provide information on action taken without undue delay and in any event within one month of receiving the request. The controller may extend that period by two further months only where necessary, taking into account the complexity and number of requests.

The extension is not automatic. The controller must tell the data subject within one month of receipt that it is extending the response period and must give the reasons for the delay.

A controller may request additional information only where it has reasonable doubts about the identity of the person making the request. The additional information must be necessary to confirm identity, not a routine barrier to exercising rights.

If the controller cannot identify the data subject in Article 11 circumstances, Article 12 says the controller does not have to act unless the data subject provides additional information enabling identification. The identity check should be proportionate to the data and risk involved.

Article 12(5) starts from a free-of-charge rule. A controller may charge a reasonable fee or refuse to act only where the request is manifestly unfounded or excessive, in particular because of its repetitive character. The controller bears the burden of demonstrating that condition.

EDPB guidance says these concepts must be interpreted narrowly and assessed case by case. Lack of reasons, inconvenience, large internal effort, or the possibility that the requester may use the data in a dispute does not by itself make the request excessive.

Article 15(4) says the right to obtain a copy must not adversely affect the rights and freedoms of others. That is not a general permission to reject the whole DSAR. The controller should assess the concrete conflict and provide access in an adjusted form where reconciliation is possible.

Typical handling is to leave out or render illegible the parts that would adversely affect others, while still providing the data subject's accessible personal data and Article 15 information where the GDPR allows it.

The record should show that the controller started from the right of access and applied only the grounded limit needed for the specific request. It should be usable by privacy, legal, support, and product teams without adding unsupported national derogations or authority-specific procedures.

Where a controller relies on Union or Member State restrictions under Article 23, keep the legal basis and conditions separate from the GDPR-level Article 12 and 15 analysis. The grounding here supports only the GDPR framework and EDPB caution, not a country-by-country derogation list.

Handle it as a transfer-specific Article 46 check, not as a generic privacy review. First map the transfer: exporter, importer, roles, destination country, onward transfers, categories and format of personal data, processing purpose, transfer route, storage location, recipient type, economic sector, and processing-chain length.

Then confirm the transfer tool. If a valid European Commission adequacy decision covers the country, territory, sector, or organisation for the transfer, the SCC transfer impact assessment is not the route for that transfer, although the adequacy decision should still be monitored. If no adequacy decision applies and SCCs are used, select the correct SCC module, complete the annexes, and assess whether destination-country laws and practices could prevent the importer from complying with the clauses.

The record should be specific enough to show why the SCCs work for this transfer. Under Clause 14, the parties take due account of the transfer's circumstances, relevant destination-country laws and practices, and safeguards that supplement the clauses. The importer should provide relevant information and continue cooperating with the exporter.

The evidence file should also preserve the operational result: whether the transfer can proceed, which supplementary safeguards were adopted, which public-authority request notices or transparency limits apply, and what event will reopen the assessment.

Supplementary measures are needed when the Clause 14 assessment is negative or shows that the SCCs alone may not ensure the required protection. The measures can be contractual, technical, or organisational, but they must actually address the identified gap for the specific transfer.

If the exporter receives an importer notice, learns that the importer can no longer comply, or concludes that no appropriate safeguards can be ensured, the transfer should be suspended. The SCCs also provide termination and return-or-delete mechanics when compliance is not restored.

A controller is the party that determines why personal data is processed and the essential means of that processing. A processor is a separate party that processes personal data on behalf of the controller and must not use the data for its own purposes outside the controller's instructions.

The EDPB treats the concepts as functional: the analysis should follow the actual role each party plays in the specific processing operation. Contract wording helps, but it is not enough if the operational facts show that a party decides purposes or essential means.

Article 28 applies when processing is carried out on behalf of a controller. The controller must use only processors that provide sufficient guarantees for appropriate technical and organisational measures, and the processing must be governed by a binding contract or other legal act.

The Article 28 record should not be a generic data-processing addendum only. It should identify the subject matter, duration, nature, purpose, personal-data types, data-subject categories, obligations and rights of the controller, and the concrete processor duties that make the instructions operational.

Joint controllership exists where two or more parties jointly determine the purposes and means of the same processing. The EDPB explains that joint participation may come from a common decision or from converging decisions that complement each other and are necessary for the processing in a way that has a tangible impact on purposes and means.

Article 26 requires joint controllers to transparently determine their respective GDPR responsibilities by arrangement, especially for data-subject rights and Articles 13 and 14 information duties. The essence of that arrangement must be made available to data subjects, and data subjects may exercise their rights against each joint controller.