FAQ
Answers to the most common GDPR and data protection questions.
These are the questions we hear most often. The answers are general information only — for advice specific to your situation, contact us directly.
- Does the GDPR apply to my business?
- Yes, if you are established in the EU, or if you offer goods or services to people in the EU or monitor their behaviour there, regardless of where your business is located (Art. 3 GDPR). Personal data includes names, email addresses, IP addresses, location data, and much more. Almost every business that has customers, employees, or a website processes personal data.
- Do I need to appoint a Data Protection Officer (DPO)?
- Under Art. 37 GDPR, a DPO is mandatory for public authorities and for organizations whose core activities consist of regular and systematic monitoring of individuals on a large scale, or of large-scale processing of special categories of data (Art. 9) or criminal conviction data (Art. 10). In Germany, § 38 BDSG additionally requires a DPO if, as a rule, at least 20 persons are permanently involved in the automated processing of personal data. Even if not mandatory, appointing an external DPO is often a sensible choice.
- What is a lawful basis for data processing?
- Every processing of personal data must have a lawful basis under Art. 6 GDPR. The six bases are: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a public task, and legitimate interests. Consent is often not the best choice — it must be freely given and can be withdrawn at any time.
- What must a GDPR-compliant privacy policy include?
- Under Art. 13 GDPR (and Art. 14, where you obtain the data from a source other than the data subject), your privacy policy must state: the identity and contact details of the controller and, where applicable, the DPO; the purposes and legal bases of processing, including the legitimate interests pursued where that is the basis; the recipients or categories of recipients; any transfers outside the EU/EEA and the safeguards used; the retention periods or the criteria used to set them; and the data subject rights (access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and the right to lodge a complaint with a supervisory authority).
- What is a Data Processing Agreement (DPA) and when do I need one?
- A DPA is a contract required under Art. 28 GDPR whenever you engage a third-party service provider who processes personal data on your behalf. This includes cloud providers (Microsoft 365, Google Workspace), CRM systems, payroll providers, email marketing tools, and IT support providers. The DPA must be in place before any personal data is shared with the processor.
- What do I do if I discover a data breach?
- First, contain the breach and assess its scope and risk. Unless the breach is unlikely to result in a risk to individuals, you must notify your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Art. 33 GDPR); a later notification must explain the delay. If the risk is high, you must also notify the affected individuals without undue delay (Art. 34 GDPR). All breaches, including those not requiring notification, must be documented in your internal breach register (Art. 33(5) GDPR).
- Do I need consent for cookies?
- Consent is required for any non-essential cookies, including analytics, tracking, and marketing cookies. The rule comes from the ePrivacy Directive (Art. 5(3)), implemented in Germany in § 25 TTDSG (renamed TDDDG in 2024), and the consent itself must meet the GDPR standard. Essential cookies (those strictly necessary to provide a service the user has requested, such as a session or shopping-cart cookie) do not require consent. Your cookie banner must allow users to decline non-essential cookies as easily as accepting them, must not set those cookies before consent is given, and must not use dark patterns to nudge users toward accepting; withdrawing consent must be as easy as giving it (Art. 7(3) GDPR).
- How long can I keep personal data?
- Under the storage limitation principle (Art. 5(1)(e) GDPR), personal data must not be kept longer than necessary for the purpose for which it was collected. There is no single universal retention period — it depends on the purpose and any applicable legal retention obligations (e.g., tax records in Germany: 10 years). You should document retention periods for each category of data in your Records of Processing Activities (RoPA).
- Can I transfer personal data outside the EU?
- Transfers outside the EU/EEA are only permitted if the destination provides an adequate level of data protection under a European Commission adequacy decision (e.g., the UK, Switzerland, or US organizations certified under the EU-US Data Privacy Framework) or if appropriate safeguards under Art. 46 GDPR are in place, most commonly the Standard Contractual Clauses (SCCs) adopted by the Commission in 2021, or Binding Corporate Rules within a corporate group. Since the Schrems II ruling, a Transfer Impact Assessment (TIA) is required before relying on SCCs: Clause 14 of the 2021 SCCs obliges the parties to assess and document whether the law and practice of the destination country undermine the protection the clauses provide, and to add supplementary measures such as encryption where they do. Note that remote access from a third country, for example by a support engineer, already counts as a transfer.
- What are the fines for GDPR violations?
- GDPR fines are tiered (Art. 83). Violations of controller and processor obligations, such as a missing Data Processing Agreement, inadequate security measures, or failure to notify a breach, can result in fines of up to €10 million or 2% of total worldwide annual turnover of the preceding financial year (whichever is higher). More serious violations, including breaches of the core principles, processing without a lawful basis, violations of data subject rights, and unlawful international transfers, can result in fines of up to €20 million or 4% of that turnover. Supervisory authorities also regularly issue warnings, reprimands, orders, and processing bans, and affected individuals can claim compensation for damage (Art. 82 GDPR).
Have a question that is not answered here?
We are happy to answer specific questions about your organization — free and without obligation.
Ask your question