20Q&A – The latest CPC project


The 20Q&A project is intended to give the reader a quick overview and short summary of the most urgent questions regarding the General Data Protection Regulation (GDPR). It is intended to raise awareness especially of the changes and partly of what needs to be done before deadline-day, May 25th 2018.

The project was necessary, because the GDPR will for the first time fully regulate data privacy within the European Union. The GDPR is directly applicable and binding within the Union. No transformation into national law is necessary for the regulation to apply to the everyday work life concerning data privacy. Although there have been data protection laws before, the GDPR puts data protection on a new level. 

To create the 20Q&A a request was sent to all members of the CPC network to find the relevant questions. Twenty questions were selected out of the many that were sent. The project editor drafted answers to the questions and started a survey within the CPC network. There were two rounds of input until the final result. The 20Q&A is designed to point out the changes that go along with the GDPR.

The Content

Probably the biggest change comes with the extended jurisdiction of the GDPR, as it applies to all companies processing personal data of data subjects residing in the Union, regardless of the company’s location. Non-EU businesses that want to process personal data of data subjects residing in the Union will have to appoint a representative in the EU. On a material scope, the GDPR in general applies to natural and legal persons that process personal data by automated means. 

The GDPR states more requirements for processing, especially what has to be included in a contract. The GDPR also states more detailed requirements concerning the security measures that have to be implemented. And according to the GDPR all the requirements and implementations have to be documented.

New Principles

New principles and regulations are – to name a few – the obligation to notify whenever there is a personal data breach or the data protection impact assessment according to Art. 35 GDPR.

The GDPR states new rights of the data subject. New are the data subject’s right to be forgotten - also known as data erasure - and the right to data portability, meaning the right to transmit personal data from one controller to another.

Regarding the lawfulness of processing, the GDPR does not necessarily require consent by the data subject. The lawfulness can also result from a legal permissibility regulation, stated in Art. 6 Section 1 GDPR. Pre-existing consent does not have to be obtained anew as long as the consent conforms to the requirements of the GDPR. 

In most Member States, the records of processing activities are a new way to document the lawfulness of processing. The records are a register of all processing activities by the controller or – and this is also new – the processor. The records are upmost meant to make them aware of their processing activities. Their other purpose is to simplify control of the processing activities by the supervisory authority.

New Obligations

Controllers are obligated to notify the supervisory authority of a personal data breach when there is a risk to the rights and freedoms of natural persons. The data subject has to be notified when there is a high risk to the rights and freedoms of natural persons. 

Art. 37 GDPR states, when a Data Protection Officer (DPO) has to be designated. The Member States have the explicit right to define further circumstances, when a DPO has to be designated. The DPO can be a staff member or an external DPO, as long as the legal requirements stated in the GDPR are fulfilled.

A Data Protection Impact Assessment (DPIA) is supposed to help the controller to estimate risks regarding the protection of personal data. It has to be carried out if a type of processing is likely to result in a “high risk” to the rights and freedoms of natural persons. There are several models being developed to execute a DPIA, but the GDPR does not state how to proceed exactly.

In case of data infringements, the controller is directly liable to the data subject. But the processor is liable as well. Art. 82 Section 4 GDPR states that controller and processor can be jointly and severally liable. Although there are some restrictions, this is the main statement. The processor is not privileged or even free of liability, even though he does not control the processing of data.

25 May 2018

The GDPR as a whole will be directly applicable starting May 25th 2018. There will be no additional transition time or a grace period after May 25th. May 25th 2018 is the definitive final deadline for GDPR compliance.


The 20Q&A is a helpful overview of what has changed and what needs to be done before deadline day. It takes into account the current situation within the CPC network and is a great way to get started being GDPR compliant.


Article provided by: Dr. Jens Eckhardt and Nils Steffen (Derra, Meyer & Partner)


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Höllwarthtobias.hoellwarth@eurocloud.org


What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.