12 common GDPR myths

12 common GDPR myths

There is an ample number of articles and presentations on the internet regarding GDPR. It is clear: there are some typical and repeating misinformation, and common misbeliefs. In this post, I have listed some of the most common untrue myths.

1. The Data Protection Officer (DPO) can not be an employee of the controller or processor

Not true. It is explicitly stated in the regulation:
“The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.”

See Article 37 (6).

Moreover, the WP29 provided a more detailed guideline regarding DPOs, in which the legislator  provide a concrete example for the case, when the DPO is internal and what the conflict of interests could be:
“As a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing.”


2. If an organization has more than 250 employees it is mandatory to have a data protection officer (DPO)

Not true. There is no relation between the DPO and the number of employees.

The need for a DPO is exclusively connected to the type and data you are processing and whether processing is carried out by a public authority or body, except for courts acting in their judicial capacity.

See Article 37 (1).


3. We have to use checkboxes and consents everywhere

Not true. To legally process personal data the consent is only 1 of the 6 types of the lawfulness of processing. You can process data if at least one of the following applies (the first is the consent):

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

See Article 6 (1).


4. We still have time, our government has yet to adopt GDPR

Not true. The Regulation shall apply from 25 May 2018 and it shall be binding in its entirety and directly applicable in all Member States.

See Article 99 (2). 


5. The max penalty is 20 million EUR

Not true. The administrative fines are up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

See Article 82 (5).


6. Even if I have messed up something minor, the given authority would have to give me penalty

Not true. When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:...

See Article 83 (2). 

"In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine."

See Recital (148).


7. We have to maintain “compatible” IT systems from which we can export the data for users

Not true. The data subject's right to transmit or receive personal data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible.

See Recital (68).


8. I’m only a data processor, I can not get a penalty

Not true. Regardless of whether or not you are a controller or a processor you have the responsibilities to ensure that personal data of the individuals is protected effectively and both controller and processor can be penalised.

See Article 83.

See Guidelines on the application and setting of administrative fines (wp253).


9. I’m an individual person, not a company; therefore I can not get a penalty

Not true. The Regulation applies to natural persons also in the course of not purely personal or household activity and thus with any connection to a professional or commercial activity.

See Recital (18).

See Guidelines on the application and setting of administrative fines (wp253). III. Assessment criteria in article 83 (2).

"Recital 148 opens up the same possibility to replace a fine by a reprimand , where the data controller is a natural person and the fine likely to be imposed would constitute a disproportionate burden."


10. Companies in less wealthy countries will get lower penalties than companies located wealthier countries

Not true. “In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States.”

See Recital (13).


11. I paid the penalty already; I don’t have to pay anymore

Not true. There is right to compensation and liability independently from the administrative fines.

See Article 82.


12. The authority can start the investigation solely based on a complaint

Not true. “A supervisory authority might become aware about the infringement as a result of investigation, complaints, articles in the press, anonymous tips or notification by the data controller.

See Guidelines on the application and setting of administrative fines (wp253).


And there are more and more...

In my previous article, I suggested to verify your sources and for the easier verification I created a list of the official GDPR sources. Please let me know, if during your verifications you find a typical untrue GDPR myth and please also send me the reference to the relevant part of the Regulation. I’m pretty sure you will face more misinformation such as what I’ve gathered for this blogpost, let’s broaden the list and unveil the untrue GDPR myths together.


This article has been reviewed and validated from legal perspective by GDPR specialist privacy lawyer dr. Szilvia Gecser.

Do you have a Drupal website and you want it to be GDPR compliant?

Do you have any questions?

Balázs Kántor
Published at:

Related tags: