3. GDPR and Data Privacy

In an environment increasingly based on the processing of data, including personal data (see Note 1), the GDPR is an essential tool to ensure data privacy. Data privacy in this context means empowering people (“natural persons”) to make their own decisions about who can process their personal data and for what purpose [1]. At the same time, the GDPR helps to foster trustworthy innovation, notably through its risk-based approach and principles such as privacy by design and by default (see Note 2).

GDPR and the European Data Protection Board (EDPB)

The GDPR established the European Data Protection Board (EDPB), an independent European body that contributes to the consistent application of data protection rules throughout the European Union and promotes cooperation between the EU’s data protection authorities. The EDPB is composed of representatives of the EU national data protection authorities (national Supervisory Authorities) and the European Data Protection Supervisor (EDPS).

Tasks and duties:

  • Providing general guidance (including guidelines, recommendations and best practices) to clarify the law and to promote a common understanding of EU data protection laws;
  • Adopting opinions addressed to the European Commission or to the national Supervisory Authorities:
      • to advise the European Commission on any issue related to the protection of personal data and on newly proposed legislation;
      • to ensure consistency of the activities of national Supervisory Authorities on cross-border matters;
  • Adopting binding decisions addressed to the national Supervisory Authorities, aiming to settle disputes arising between them;
  • Promoting and supporting cooperation among national Supervisory Authorities.

The EDPB does not enforce EU data protection laws and does not provide individual consultancy services. Individuals or organisations with questions related to data protection law should consult the website of the Supervisory Authority in the country where they are based.

Note 1: Art. 4 GDPR Definitions: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. https://gdpr.eu/article-4-definitions/

Note 2: European Commission: Companies/organisations are encouraged to implement technical and organisational measures, at the earliest stages of the design, in such a way that safeguards privacy and data protection principles right from the start (‘data protection by design’). By default, companies/organisations should ensure that personal data is processed with the highest privacy protection (for example only the data necessary should be processed, short storage period, limited accessibility) so that by default personal data isn’t made accessible to an indefinite number of persons (‘data protection by default’). https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-does-data-protection-design-and-default-mean_en


[1] GDPR.EU, Complete guide to GDPR compliance: A guide to GDPR data privacy requirements. https://gdpr.eu/data-privacy/