GDPR–practical examples 2


This is the second part about GDPR. The first part of GDPR-practical examples is also available.

Can a statutory authority discharge its obligations in regard to data protection by outsourcing the collection, storage, and processing of personal data to another organization?

No. If data handling is outsourced, the organisation that outsources it acts as the data controller and the company that provides the outsourced service acts as a processor, but both have obligations under GDPR.

An online retailer uses a payment company to process its customer transactions. Is the payment company acting as the data processor for the retailer?


The payment company exercises control over the type of information collected about customers from the retailer, decides how the information is processed and how long it is kept, and has its own terms and conditions that apply directly to the customers.

GDPR with examples

Can personal data be transferred out of an EU country other than to another member state of the EEA?

It depends.

Subject data may be transferred to another country outside the EEA, if that country’s data protection laws have been approved by the European Commission, or if the level of protection has been assessed as adequate. For countries where the Commission has not made a ruling that there are adequate safeguards, personal data may still be transferred to those countries under certain specific circumstances. These include where the transfer is not made by a public authority in the exercise of its powers, involves data related to only a limited number of individuals, or is necessary for compelling legitimate interests of an organisation.

Can personal data be transferred out of an EU country provided that the destination country’s data protection laws have been approved by the European Commission?


The European Commission publishes a list of countries whose data protection laws and rights have been reviewed and are deemed adequate (see

Simply assessing the rights of data subjects in the destination country is insufficient: the level of rights must be shown to be ‘adequate’.

The controller must ensure in another way that the personal data will be sufficiently protected by the recipient. This can be assured using standard contractual clauses, for data transfers within a group through so-called “binding corporate rules,” through the commitment to comply with codes of conduct which have been declared by the European Commission as being generally applicable, or by certification of the data processing procedure.
