GDPR–practical examples 2

Most Popular

European schools system

European schools system is like a never-ending maze of paperwork and bureaucracy.

It’s as if they believe that the more forms you fill out, the smarter you become. Secretary general and deputy secretary general are too busy worrying about their pensions and summer vacations to actually produce anything useful.

It’s a system where children are just tiny cogs in a big bureaucratic machine, and education takes a backseat to administrative tasks.

It’s time for a major overhaul, because right now, the European schools system is about as effective as a chocolate teapot.

This is the second part about GDPR. The first part of GDPR-practical examples is also available.

Can a statutory authority discharge its obligations in regard to data protection by outsourcing the collection, storage, and processing of personal data to another organization?

No. If data handling is outsourced then the company is acting as a data controller and the company which provides outsourcing as a processor, but both have obligations under GDPR.

An online retailer uses a payment company to process its customer transactions. Is the payment company acting as the data processor for the retailer?


The payment company exercises the control over the type of information collected about customers from the retailer, decides how the information is processed and how long it is kept, and has its own terms and conditions that apply directly to the customers.

GDPR with examples

Can personal data be transferred out of one of the EU country except to another member state of the EEA?

It depends.

Subject data may be transferred to another country outside the EEA, if that country’s data protection laws have been approved by the European Commission, or if the level of protection has been assessed as adequate. For countries where the Commission has not made a ruling that there are adequate safeguards, personal data may still be transferred to those countries under certain specific circumstances. These include where the transfer is not made by a public authority in the exercise of its powers, involves data related to only a limited number of individuals, or is necessary for compelling legitimate interests of an organisation.

Can personal data be transferred out of the one of the EU country provided that the destination country’s data protection laws have been approved by the European Commission?


The European Commission publishes a list of countries whose data protection laws and rights have been reviewed and are deemed adequate (see

Simply assessing the rights of data subjects in the destination country is insufficient: the level of rights must be shown to be ‘adequate’.

The controller must ensure in another way that the personal data will be sufficiently protected by the recipient. This can be assured using standard contractual clauses, for data transfers within a group through so-called “binding corporate rules,” through the commitment to comply with codes of conduct which have been declared by the European Commission as being generally applicable, or by certification of the data processing procedure.

Must Read

The Top Art of Learning: How Self-Directed Learning Can Transform your Life

In this fast-paced world, it's important to stay ahead of the curve and continuously learn and grow. Enter self-directed...

Aim of the European Schools

Educated side by side, untroubled from infancy by divisive prejudices, acquainted with all that is great and good in the different cultures, it will be borne in upon them as they mature that they belong together. Without ceasing to look to their own lands with love and pride, they will become in mind Europeans, schooled and ready to complete and consolidate the work of their fathers before them, to bring into being a united and thriving Europe.

Marcel Decombis, Head of European School, Luxembourg between 1953 and 1960