Does the GDPR Really Say That? Clearing Up Common Misunderstandings

Tracy Boyes

Compliance Success Manager and DPO | Data Protection and Privacy Attorney


The General Data Protection Regulation (GDPR) is a comprehensive data privacy law enacted by the European Union (EU) to protect the personal data of EU citizens and residents. Despite its significance and the extensive information available about it, many misconceptions still persist. Let’s break down some of the common misconceptions. 

Public Personal Data Still Needs Protection

One common misunderstanding is that personal data found in the public domain does not require protection under the GDPR. This is incorrect. The GDPR applies to any personal data, regardless of its source, including data that is publicly accessible. Social media profiles are a good example. Even though people voluntarily share a lot of personal data on platforms like Facebook or LinkedIn, this data still qualifies as personal data under the GDPR. It is not advisable to freely take personal data from these websites and use it for your own commercial benefit. You must still handle such information with the same care and respect as any other personal data. This means being cautious about further processing, ensuring data security, and respecting the individual’s rights regarding their data.

Transatlantic Data Transfers and the EU-US Data Privacy Framework

Another misconception is that personal data cannot be safely processed in the United States because it lacks robust privacy laws in many states. In 2023, the European Commission approved its adequacy decision for the EU-U.S. Data Privacy Framework. This decision confirms that the United States provides a level of personal data protection comparable to that of the EU for data transferred from the EU to the U.S. By being an active participant in this framework, a company in the US can lawfully receive and process EU citizens’ data under the GDPR. A top tip when choosing processors in the US is to first check whether they are active participants in the framework before allowing any data processing to take place.

Employer and Employee Relationships

In the context of employment, a common misunderstanding is about the roles of employers and employees regarding data control and ownership. The GDPR defines the employer as the data controller and the employee as the data subject. This distinction is crucial for understanding responsibilities and rights in data processing.

As the data controller, the employer is responsible for determining the purposes and means of processing employee personal data. This includes collecting, storing, and using data for employment-related purposes, such as payroll, performance evaluation, and legal compliance. Sometimes, even special categories of personal data need to be processed by the employer as they are under a legal obligation to do so. The employer must ensure that all data processing activities comply with the GDPR principles.

The employee, as the data subject, retains rights over their personal data. These rights include access to their data, rectification of inaccurate data, erasure of data under certain conditions, restriction of processing, data portability, and the right to object to certain processing activities. Employers must respect these rights and establish mechanisms to facilitate their exercise. However, the employer still retains ownership over an employee’s email and work cellphone numbers if they are issued by the employer themselves. The employer remains the controller over this type of data. 

Data Protection Impact Assessments

Under the GDPR, a Data Protection Impact Assessment (DPIA) is not required for every data processing activity, but only in specific circumstances where the processing is likely to result in a high risk to the rights and freedoms of individuals. These circumstances include systematic and extensive profiling with significant effects, large-scale processing of special categories of data or personal data relating to criminal convictions and offenses, and large-scale systematic monitoring of publicly accessible areas. Additionally, DPIAs are necessary when using new technologies that might affect individuals’ privacy significantly. Only in these high-risk instances is a DPIA required and an assessment should first be done to see if your processing meets these requirements before a DPIA needs to be conducted. 

Lawful Bases for Processing Personal Data

Another misconception about the GDPR is that you need consent from the data subject to process their personal data. In reality, the GDPR outlines six lawful bases for data processing, each suitable for different circumstances. By mapping your activities you will be able to determine which lawful basis is most appropriate in each circumstance. 

The Six Lawful Bases are:

  1. Consent: Obtaining explicit, informed, and freely given consent from the data subject. This basis is appropriate when individuals voluntarily agree to specific data processing activities, like direct marketing. Consent is not an appropriate legal basis in the employer-employee relationship due to the relationship’s inherent power imbalance.
  2. Contract: Processing necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject before entering into a contract. This basis is commonly used in employment and service provision contexts.
  3. Legal Obligation: Processing necessary for compliance with a legal obligation to which the controller is subject. This includes obligations such as tax reporting, health and safety regulations, and employment law compliance.
  4. Vital Interests: Processing necessary to protect the vital interests of the data subject or another natural person. This basis applies in life-threatening situations where data processing is essential to save lives.
  5. Public Task: Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This basis is relevant for public authorities and organizations performing public functions.
  6. Legitimate Interests: Processing necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the data subject’s interests or fundamental rights and freedoms. This basis requires a careful balancing test to ensure that the data processing is justified and does not harm the data subject’s rights. This test is called a legitimate interest assessment, or LIA.


The GDPR is a complex and comprehensive regulation designed to protect personal data and uphold individuals’ privacy rights. Common misconceptions about a principle-based law are to be expected. However, by understanding and addressing these misunderstandings, organizations can better navigate the GDPR’s requirements and ensure better data protection practices. Always remember that protecting personal data is not just a legal obligation, but also a crucial component of maintaining trust and brand integrity in the digital age.
