GDPR FAQ

Regulation (EU) 2016/679 (EU General Data Protection Regulation) replaces the European Data Protection Directive from 1995 (Directive 95/46/EC) with the aim of harmonising and modernising European data protection law. It promotes the protection of data subjects with regard to the processing of personal data and the free movement of such data (Article 1(1) of the General Data Protection Regulation).

The Member States had implemented the Data Protection Directive, which was in force until 25 May 2018, in very different ways. This patchwork of member state regulations hindered cross-border data flows in the European Union. The General Data Protection Regulation creates a uniform and directly applicable legal framework that ensures the free movement of personal data in the European Union. This is an important prerequisite for the completion of the Digital Single Market and for a level playing field in the European Union. The European Data Protection Board, the association of supervisory authorities of all Member States at the level of the European Union, contributes to a uniform application of the law. In the future, it will make binding decisions on central issues of the General Data Protection Regulation. With the lead supervisory authority at the place of the main establishment, companies with cross-border data processing activities will in future have a central point of contact (so-called one-stop shop principle).

At the same time, European data protection law is modernised and the fundamental right to protection of personal data from Article 8 of the European Charter of Fundamental Rights is strengthened. Data subjects are given more control and transparency in data processing, also and especially in the digital age. The General Data Protection Regulation increases the requirements for legally effective consent of data subjects and expands their rights, especially to information and disclosure. The data protection authorities are given far-reaching remedial powers; in the event of violations of the General Data Protection Regulation, they can impose fines of up to €20 million or 4 per cent of global annual turnover. Companies outside the European Union are also subject to the General Data Protection Regulation if they offer goods or services in the European Union or observe the behaviour of persons in the European Union (so-called market place principle).

The General Data Protection Regulation applies in principle to all processing of personal data. The details are set out in Articles 2 and 3 of the General Data Protection Regulation.

Both public (public authorities, courts and other public bodies, regardless of their legal form) and non-public (natural and legal persons, companies and other associations of persons under private law) bodies must comply with the requirements of the General Data Protection Regulation when processing information relating to an identified or identifiable natural person.

Exceptions apply in particular to non-automated processing of personal data not stored or intended to be stored in a filing system - for example, files and collections of files not organised according to specific criteria; to natural persons processing personal data for the exercise of exclusively personal or family activities - for example, private correspondence, address books or the use of social networks and online activities in the context of personal or family purposes; for activities that fall outside the scope of Union law - in particular activities related to national security; for the processing of data for law enforcement and security purposes by competent authorities - this is governed by Directive (EU) 2016/680, adopted at the same time as the General Data Protection Regulation.

The General Data Protection Regulation applies to the processing of personal data insofar as this is carried out in the context of the activities of an establishment in the European Union or in connection with the offer of goods or services in the European Union (so-called place of market principle). This applies regardless of whether the processing takes place in the European Union. The General Data Protection Regulation also applies if the behaviour of data subjects in the European Union is to be monitored or the processing takes place in a place that is subject to the law of a member state of the European Union due to international law provisions. It does not matter whether the data processed concern a citizen of the European Union or not.

Article 4 of the General Data Protection Regulation contains the central definitions. In the future, the definitions of personal data, controller or processing will therefore be directly and conclusively found in the General Data Protection Regulation.

The General Data Protection Regulation continues the principles for data processing from the current EU Data Protection Directive 95/46/EC, such as purpose limitation, necessity and data economy, largely unchanged in Article 5.

The purpose limitation principle is complemented by Article 6(4), which specifies criteria for checking compatible purposes. If the original purpose of collection and the purpose of further processing by the same controller are compatible, the data may be further processed on the basis of the original legal basis.

With the new "accountability", the GDPR emphasises the responsibility of data controllers to comply with the principles and to demonstrate it (Article 5(2) GDPR).

Article 6 of the General Data Protection Regulation lists the admissibility criteria for the processing of personal data. It also largely corresponds to applicable European data protection law. As before, any processing of personal data requires a legitimising legal basis - regardless of whether the processing poses a high or low risk to the rights and freedoms of the data subjects. This "prohibition with reservation of consent" is based on Article 8 of the EU Charter of Fundamental Rights.

Processing of personal data shall only be lawful with the consent of the data subject or if the processing is necessary for the performance of a contract or for the implementation of pre-contractual measures, for the protection of the vital interests of the data subject or of another natural person, for the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, for compliance with a legal obligation of the controller or for the performance of a task carried out in the public interest or in the exercise of official authority of the controller.

These admissibilities form a conclusive system; however, Member States are allowed to concretise and specify the requirements for the lawfulness of processing in some areas through national data protection law (Article 6(2) and (3) of the General Data Protection Regulation). Many legal bases, especially for the processing of personal data by public authorities, can therefore still be found in general or specific data protection law at national level.

Articles 7 and 8 contain concretising conditions for consent. For the time being, the German legislator has not made use of the possibility to regulate the age limit for a child's consent when using information society services in derogation of the Basic Data Protection Regulation (16 years).

According to Article 9 of the General Data Protection Regulation, the processing of particularly sensitive data is - as before - only permitted by way of exception. These "special categories of personal data" include, for example, data on ethnic origin, political opinions, religious beliefs or sexual orientation, genetic and biometric data and health data. In order to process these data, a legal basis under Article 6(1) is always required and, in addition, an exception to the prohibition on processing sensitive data. The exceptions can be found in Article 9(2) of the General Data Protection Regulation and in national data protection law (e.g. in Section 22 of the BDSG 2018 or in sector-specific federal law).

Article 10 of the General Data Protection Regulation provides special protection for personal data relating to criminal convictions and offences. They may only be processed under official supervision or if provided for by law.

Article 11 of the General Data Protection Regulation stipulates that data need not be stored for the sole purpose of being able to identify a person (e.g. to be able to provide information). This may mean, for example, that if a photograph of a building shows unknown persons, data such as name, address, etc. do not have to be collected in order to inform the person depicted.

According to Recital 171, Sentence 3 of the General Data Protection Regulation, consent continues to apply and no new consent is required if "the nature of the consent already given complies with the conditions of this Regulation". The conditions for the continued validity of previously granted consent under the General Data Protection Regulation have been specified by the federal and state supervisory authorities.

In order to create greater transparency in the handling of personal data, the General Data Protection Regulation expands the existing data subject rights in Chapter III and at the same time introduces new rights. Details are regulated in Articles 12 to 23.

Article 12 contains general procedural rules for communication with data subjects, processing deadlines and questions of remuneration. Requests from data subjects shall in principle be answered free of charge within one month in clear and plain language.

Articles 13 and 14 of the General Data Protection Regulation regulate the information obligations of the controller towards the data subjects. Compared to the previous legal situation, not only the scope but also the reason for the information is expanded. The data subjects must be informed about the listed aspects not only when the data is collected for the first time, but also whenever further processing for other purposes is intended. The controller must provide the information on its own initiative, i.e. without a request from the data subject. The demarcation of when data is collected from the data subject or not is not easy in individual cases. The view according to which Article 13 of the General Data Protection Regulation presupposes that the data subject must be aware of the collection of data seems preferable. This leads to practical results in the case of video recordings or photographs.

In addition to the information obligations, the data subject has a comprehensive right of access to the personal data concerning him or her under Article 15 of the General Data Protection Regulation. The right of access also includes the right to receive a copy of the processed data free of charge.

Under the conditions of Articles 16 to 18 of the General Data Protection Regulation, data subjects may request rectification, erasure and restriction of processing. The right to erasure also includes the so-called "right to be forgotten": If the controller has made the personal data publicly available and thus accessible to other controllers, the controller shall, in the event of an erasure obligation, take reasonable steps to inform the other controllers that a data subject requests the erasure of all links to or copies of that personal data.

Article 20 grants data subjects the right to data portability for the first time. Accordingly, data subjects have the right in certain cases to receive their data in a structured, common and machine-readable format in order to have it transferred from a controller to another (private) provider without hindrance. According to the standard, this concerns data that the data subject has "actively" provided and not also data that the data controller has first generated, such as location data. With regard to the claim, it should be noted that the rights and freedoms of other persons must not be affected when transferring the data from one controller to another. This may be the case, for example, if not only the data subject but also third parties are depicted in a photo.

Article 21 gives data subjects the right to object to (lawful) data processing on grounds relating to their particular situation. In addition, there is a right to object at any time to the processing of personal data for the purpose of direct marketing. The right to object shall be explicitly pointed out to the data subjects at the latest at the time of the first communication.

The data subject rights do not apply if the General Data Protection Regulation provides for direct exceptions or the Member States have provided for restrictions of the data subject rights via Article 23 of the General Data Protection Regulation. The Federal Data Protection Act 2018 (BDSG 2018), which will apply from 25 May 2018, contains further specific restrictions on data subjects' rights in sections 32-37 for both the public and non-public sectors.

In addition to compliance with the principles for the processing of personal data (Chapter II) and the guarantee of data subjects' rights (Chapter III), Chapter IV of the General Data Protection Regulation contains central provisions for the obligations of data processing bodies. In future, these will result directly from the General Data Protection Regulation. In contrast to the old legal situation, the Federal Data Protection Act, which will apply from 25 May 2018, therefore contains only very few statements on processor obligations.

Many processor obligations are conceptually comparable to the previous legal situation in Germany, but nevertheless require adjustments in official and operational practice.

The essential obligations in data processing are:

• Ensuring appropriate technical and organisational measures to ensure data protection and data security, Articles 24, 25 and 32
• Requirements for commissioned processing, Article 28
• Keeping a register of processing activities, Article 30
• Notification of personal data breaches to the supervisory authority and notification of data subjects, Articles 33 and 34
• Carrying out a data protection impact assessment and prior consultation of supervisory authorities, Articles 35 and 36
• Appointment of a data protection officer, Articles 37 to 39

The obligations to be fulfilled by data controllers are characterised by the concept of risk adequacy: the more likely or severe the risk posed by the data processing, the more extensive and higher the obligations of the data controller. This flexible approach particularly addresses the concerns of small and medium-sized enterprises that process non-risky data. Thus, the technical and organisational measures to ensure data protection and data security must take into account, among other things, the probability of occurrence and severity of the risk posed by the data processing to the data subjects in each individual case.

Companies with fewer than 250 employees are exempt from the obligation to keep a processing register, among other things, if the data processing does not pose a risk to the rights and freedoms of the data subjects.

In the case of security incidents (personal data breaches), the obligation to notify the supervisory authority does not apply if the breach is unlikely to result in a risk to the rights and freedoms of data subjects; there is only an obligation to notify data subjects of an incident if the breach is likely to result in a high risk to data subjects.

The obligation to carry out a data protection impact assessment also only exists where the processing is likely to result in a high risk to the rights and freedoms of natural persons by virtue of the nature, scope, context and purposes of the processing. However, if a data protection impact assessment confirms that the processing would result in such a high risk, there is an obligation to consult the competent data protection supervisory authority in advance.

a) Technical and organisational measures, Articles 24, 25 and 32

Technical and organisational measures serve the purpose of ensuring compliance with the General Data Protection Regulation and being able to demonstrate this in order to fulfil the accountability obligation of Article 5(2) of the General Data Protection Regulation (Article 24(1)). In particular, technical and organisational measures - such as pseudonymisation and encryption as well as measures to ensure the protection goals of IT security - play an important role in ensuring data protection through technology design and data protection-friendly default settings (Article 25) as well as data security (Article 32).

Not all data processing requires the same level of protection. The measures must be suitable in each individual case to ensure a level of protection appropriate to the risk involved (Article 32(1)). In this context, the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, the probability of occurrence and severity of the risk must be taken into account.

b) Commissioned processing, Article 28

With Article 28, the General Data Protection Regulation creates uniform requirements for commissioned processing throughout Europe for the first time. Commissioned processing may only take place if the processor provides sufficient guarantees that the processing will be carried out in accordance with the requirements of the General Data Protection Regulation. In addition, the stipulations mentioned in paragraph 3 must be made between the controller and the processor. This relates in particular to the processor being bound by instructions, the guarantee of confidentiality, compliance with appropriate technical and organisational measures and the support of the controller in fulfilling the rights of the data subject.

§ Section 11 BDSG a.F., which previously determined the requirements for commissioned data processing in German law, was repealed due to the direct applicability of Article 28 of the General Data Protection Regulation and is no longer found in the BDSG 2018.

(c) list of processing activities, Article 30

Article 30 replaces the previous obligation to notify with the obligation of the controller and the processor to keep a register of processing activities with the information mentioned in paragraph 1 and paragraph 2. An exception applies to companies with less than 250 employees under the conditions specified in Article 30(3). The directory serves as an important building block for demonstrating compliance with the General Data Protection Regulation and must be made available to the competent supervisory authority upon request. The processing directory replaces the procedural directory previously required under Section 4g (2) of the old version of the BDSG.

d) Reporting of security incidents, Articles 33 and 34

Security incidents can lead to serious economic and social harm to data subjects, such as financial damage, identity theft, damage to reputation or disclosure of professional secrets. Such a "personal data breach" is defined by the GDPR as any breach of security leading to the destruction, loss, alteration or unauthorised disclosure of, or access to, personal data (Article 4(12) GDPR). 

Security incidents must be documented by the controller in accordance with Articles 33 and 34 of the General Data Protection Regulation and reported, including the likely consequences of the incident and the remedial measures taken or proposed, to the competent supervisory authority and the data subjects without undue delay as a matter of principle. If the notification to the supervisory authority cannot be made within 72 hours, the reasons for the delay shall be provided. Information may be provided progressively without undue further delay.

The notification obligation does not apply if the personal data breach is not likely to result in a risk to the rights and freedoms of natural persons. Moreover, notification to data subjects must only be made if the incident is likely to result in a high risk for the data subjects. The supervisory authority may order the controller to notify the data subjects.

The system of notification of breaches of the protection of personal data replaces the obligation to inform in the case of unlawful acquisition of knowledge of personal data previously provided for in Section 42a BDSG a.F. and some specialised laws. Under the General Data Protection Regulation, public bodies are now also subject to the notification obligations in the event of security incidents. As before, however, a notification of security incidents may not be used in criminal proceedings against the controller (Section 42(4) BDSG 2018).

e) Data protection impact assessment and consultation obligation, Articles 35 and 36

Processing operations likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, their scope, their circumstances and their purposes shall be subject to prior impact assessment by the controller in accordance with Article 35 of the General Data Protection Regulation. If the data protection impact assessment confirms that the processing would result in a high risk, the controller shall consult the competent supervisory authority prior to the start of the processing in accordance with Article 36.

The data protection impact assessment shall include a systematic description of the envisaged processing operations and purposes of the processing as well as an assessment of the necessity and proportionality of the purposes of the processing and the risks for the data subjects. Finally, it identifies the mitigating measures, safeguards, security measures and procedures envisaged to address the risks and ensure that data protection concerns are met. The company or authority data protection officer shall be involved in this process. Where appropriate, the views of the data subjects or their stakeholders shall be sought.

The need for a data protection impact assessment shall be considered in particular when new technologies are used and in the case of large-scale processing operations involving large amounts of personal data or affecting a large number of individuals. The systematic and comprehensive assessment of personal aspects of natural persons on the basis of profiling, the large-scale processing of special categories of personal data within the meaning of Article 9(1) or data relating to criminal convictions and offences pursuant to Article 10, as well as the systematic large-scale monitoring of publicly accessible areas - in particular by means of video surveillance - shall also always be subject to an impact assessment under the conditions of paragraph 3. Supervisory authorities may determine further processing operations for which a data protection impact assessment shall be carried out or for which there is no obligation to carry out an impact assessment.

In future, the data protection impact assessment will replace the prior checking of automated processing operations that pose particular risks to the rights and freedoms of data subjects, which was previously prescribed in Section 4d (5) BDSG old version. It pursues a similar objective as the prior check, but is more structured and is no longer the task of the company or official data protection officer.

Likewise, the data protection impact assessment replaces the obligation to notify the competent supervisory authority of any processing of personal data as provided for by the Data Protection Directive 95/46/EC (formerly § 4d and § 4e BDSG old version). The elimination of the obligation to notify reduces the bureaucratic and financial burden on data controllers. At the same time, focusing on processing operations that are likely to pose a high risk to the data subjects makes the protection of personal data more effective than an indiscriminate, formal obligation to notify the competent supervisory authority.

f) Appointment of company/office data protection officers, Articles 37 to 39

The appointment of company and public authority data protection officers has been provided for in Germany for a long time and has proven its worth. Data protection officers provide public and non-public bodies with internal contact persons for data protection who are familiar with the organisation's data processing operations and procedures and serve as a central point of contact for data controllers, their employees, data subjects and supervisory authorities. 

The General Data Protection Regulation now introduces the institution of the data protection officer throughout the EU. The requirements for the appointment, the legal status and the tasks of the data protection officers according to Articles 37 to 39 of the General Data Protection Regulation are largely comparable to the previous legal situation in Germany.

As before, public bodies must always appoint a data protection officer. Non-public bodies are subject to an appointment requirement under Article 37(1) of the General Data Protection Regulation if their core activity consists of processing operations which require regular and systematic monitoring of data subjects on a large scale, or consists of large-scale processing of special categories of personal data or of data relating to criminal convictions and offences.

In addition, Section 38 BDSG 2018 stipulates that non-public bodies must also appoint a data protection officer if they usually employ at least ten persons on a permanent basis for the automated processing of personal data, carry out processing operations that are subject to a data protection impact assessment pursuant to Article 35 of Regulation (EU) 2016/679 or process personal data on a business basis for the purpose of transmission, anonymised transmission or for the purpose of market or opinion research.

The existing legal situation regarding the appointment of company data protection officers is hereby continued.

Data protection officers must have the necessary expertise to perform their duties. Both the appointment of own employees and the appointment of an external person are permissible. It is also possible to appoint joint data protection officers for a group of companies or several authorities.

The tasks of the data protection officers are laid down in Article 39 of the General Data Protection Regulation: Data protection officers shall inform and advise controllers and their employees on matters relating to data protection law, in particular in carrying out the data protection impact assessment referred to in Article 35. They shall monitor compliance with data protection law and the controller's policies for the protection of personal data, including the allocation of responsibilities, awareness-raising and training of staff involved in processing operations. They shall cooperate with and act as a point of contact for the competent supervisory authorities on issues related to data processing.

The controller shall fully support the data protection officer in the performance of his or her activities. He or she shall, in accordance with Article 38, in particular ensure that the data protection officers are properly involved at an early stage in all matters relating to the protection of personal data, have the resources necessary for the performance of their tasks and access to personal data and processing operations, as well as the resources necessary to maintain his or her expertise, and are not subject to instructions in the performance of their tasks.

§ Section 6 (3) to (6) in conjunction with Section 38 BDSG 2018. § Section 38 BDSG 2018 further secures the position of the data protection officer in continuation of the previous legal situation. In order to guarantee their independence, data protection officers may not be disadvantaged because of the performance of their duties. As before, they are subject to special protection against dismissal and removal from office, a comprehensive duty of confidentiality and a right to refuse to testify.

Harmonisation offers enormous opportunities for business, especially for companies operating across borders, as the same rules apply throughout the European Union; however, the high degree of abstraction of the General Data Protection Regulation also presents business with legal uncertainty.

The mechanisms that enable the business community to contribute to the implementation of the General Data Protection Regulation on its own initiative are therefore of great importance. The instruments of codes of conduct and data protection certification are strengthened by the General Data Protection Regulation and serve as an important means of creating legal certainty. They are an important aspect of demonstrating data protection compliance and thereby creating trust. The supervisory authorities are closely involved in the development of rules of conduct and certification criteria and approve them, so that they are instruments of "regulated" self-regulation. Approved codes of conduct and certification mechanisms may be part of appropriate safeguards for data transfers to third countries (Article 46(2)(e) and (f) GDPR).

Through the instrument of codes of conduct (Article 40 of the General Data Protection Regulation), associations and other organisations can clarify the application of the General Data Protection Regulation to specific processing sectors or industries, taking into account in particular the needs of small and medium-sized enterprises. The codes of conduct shall be approved and published by the competent national supervisory authority or the European Data Protection Board. The European Commission may declare the codes of conduct approved by the European Data Protection Board to be generally applicable throughout the EU. The supervision of the codes of conduct may be entrusted to an independent body accredited by the supervisory authorities in accordance with Article 41 of the General Data Protection Regulation. The tasks and powers of the supervisory authorities remain unaffected.

Data protection-specific certification procedures (Article 42 of the General Data Protection Regulation) allow controllers and processors to demonstrate compliance with the General Data Protection Regulation in the certified processing operations. Certification is carried out on the basis of certification criteria approved by national supervisory authorities or, in the case of an EU-wide European Privacy Seal, by the European Data Protection Board (Article 42(5)). The bodies carrying out the certification (certification bodies) must be accredited by the German Accreditation Body (DAkkS) with the involvement of the supervisory authorities (Article 43 General Data Protection Regulation in conjunction with Section 39 BDSG 2018).

For the area of commissioned processing within the framework of cloud computing, which is very important in practice, the Trusted Cloud Data Protection Profile for Cloud Services (TCDP) provides a certification standard based on the applicable Federal Data Protection Act, from which providers and users of cloud services benefit equally. The testing standard was developed as part of the technology programme "Trusted Cloud" of the Federal Ministry for Economic Affairs and Energy and is administered by the Data Protection Foundation. The AUDITOR research project funded by the Federal Ministry for Economic Affairs and Energy is currently adapting and further developing the standard to the General Data Protection Regulation. The aim of the project is in particular the creation of a catalogue of criteria for certification approved by the European Data Protection Board in accordance with Article 42(5) of the General Data Protection Regulation and the development of a testing and certification procedure.

While data transfers to other Member States of the European Union are not subject to any restrictions and an impediment to the free movement of data is inadmissible for reasons of data protection (cf. Art. 1(3) of the General Data Protection Regulation), a transfer of personal data to countries outside the European Union or the European Economic Area (third countries) is only permissible under the conditions of Chapter V.

The purpose of the rules on international data transfers is to ensure comprehensive protection of the fundamental right to data protection (Article 8 of the EU Charter of Fundamental Rights): the high standard of data protection guaranteed within the European Union and the European Economic Area should not be undermined by the fact that personal data can be transferred to third countries without adequate safeguards.

For a third country transfer, the general rules of the General Data Protection Regulation must first be complied with (Article 44 General Data Protection Regulation). In particular, there must be a legal basis for the data transfer in the General Data Protection Regulation or in national data protection law.

In addition, one of the following conditions must be met for a data transfer to a third country:

• Existence of an adequacy decision by the European Commission according to Article 45 of the General Data Protection Regulation. Decisions of the European Commission on an adequate level of protection exist, for example, for Argentina, Switzerland, Canada, New Zealand and Uruguay. One such adequacy decision is the EU-US Privacy Shield of 12 July 2016, according to which personal data from the European Union can be transferred to organisations in the USA that have made a binding commitment to comply with the data protection principles of the Privacy Shield and are listed on the "Privacy Shield List".
• Existence of appropriate safeguards (Article 46 of the General Data Protection Regulation), in particular in the form of Binding Corporate Rules, standard data protection clauses or approved codes of conduct or an approved certification mechanism.
• Existence of an exception under Article 49 of the General Data Protection Regulation, in particular:

§ where the data subject has given his or her express consent,

§ to protect the vital interests of the data subject,

§ if necessary for the performance of the contract,

§ for important reasons of public interest,

§ to pursue legal claims or

§ to safeguard compelling legitimate interests of the controller.

Compliance with the General Data Protection Regulation and national data protection legislation is monitored and enforced by independent supervisory authorities in all Member States.

In Germany, these are the Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the supervisory authorities of the federal states. The BfDI is responsible for supervising the public agencies of the federal government, the joint institutions under the Social Code II (Job Centres) and the companies that provide telecommunications or postal services; otherwise, the supervisory authorities of the Länder are responsible.

An overview of the supervisory authorities and their contact details can be found on the BfDI website.

The supervisory authorities have the extensive powers of investigation, redress and authorisation under Article 58 of the General Data Protection Regulation. In particular, they can issue prohibitions or orders against the controller and impose fines. They also advise national parliaments and governments and investigate complaints from data subjects. In the performance of their tasks, the supervisory authorities are completely independent; in particular, they are not subject to any legal or technical supervision.

The supervisory authorities of the Member States cooperate closely in monitoring and enforcing the General Data Protection Regulation. They provide each other with mutual assistance and can carry out joint measures. Important questions of interpretation and application, especially those with cross-border relevance, are discussed and bindingly decided in the European Data Protection Board, the association of all supervisory authorities of the Member States at EU level. With this consistency procedure, the European Data Protection Board contributes to a uniform application of the General Data Protection Regulation throughout the EU.

The supervisory authority at the place of the main establishment or the only establishment of a company in the European Union acts as the lead supervisory authority in the coordination processes with the supervisory authorities of the other Member States. It is the single point of contact for the controller for issues relating to cross-border data processing (Article 56 of the General Data Protection Regulation). This "One Stop Shop Principle" results in a considerable simplification for data processing companies.