General Data Protection Regulation

This section is designed to provide general information about the reform of the data protection legislation.

Guidelines adopted by the Article 29 Working Party

The WP29 has embarked on a process to adopt guidelines on the various provisions of the GDPR, specifically intended to provide the necessary information on the collective interpretation of such requirements in anticipation of the coming into application of the GDPR.

You may also click on this link​ to access other guidelines which are subject to a public consultation process before being finally adopted by the EDPB.

Abolishment of the notification requirement as from 25 May 2018

One of the changes contemplated in the GDPR, which was specifically designed to simplify compliance measures and reduce bureaucracy, is the abolishment of the obligation on data controllers to submit a notification of processing operations to national data protection authorities.

This notwithstanding, Article 30 of the GDPR which places an obligation on both data controllers and data processors to, inter alia, keep an internal record of processing activities.  As a minimum, such record is similar to the information previously notified to the Commissioner in the notification form. The requirement to retain such record shall apply to organisations employing 250 persons or more; or when the processing involves special categories of data (e.g. health or biometric data) or is likely to involve risks for data subjects. Following the entry into application of the GDPR, such records shall be made available to the Commissioner upon request.​

Appointment of a DPO

rticle 37 of the GDPR imposes an obligation on a data controller and a data processor to designate a data protection officer where:

1. the processing is carried out by a public authority or body, except for court acting in their judicial capacity;

2.  the core activities of the controller or processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

3. the core activities of the controller or processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

If your activities fall within the parameters of one of the criteria listed above, you must appoint a DPO, publish his or her details and communicate such details to this Office on   The details should include the following:

Data Controller, Name of DPO, Position, Mailing Address, Email Address, Contact Number, Nature of Business, Date of Appointment and whether the DPO is fulfilling this role for other data controllers.​

You may click on this link for guidelines on DPOs​

GDPR readiness tool

A GDPR readiness tool created by the Bavarian DPA aimed at enabling data controllers and processors to a self-check, by answering a series of questions, whether they are 'on the right track' with their preparations for the GDPR.  The tool is accessible at:  ​

Guidelines on the GDPR published by the European Commission​

The European Commission published guidelines to facilitate a direct and smooth implementation of the new data protection rules across the EU.  The Commission also launched an online tool dedicated to SMEs.  You may access more information and the relevant documents by clicking on this link pointing to the press release issued by the European Commission​ on 24 January 2018.