Five common misconceptions about GDPR

Although the GDPR has been in force for more than six years, its provisions are still surrounded by myths. Let us tell you about some of them.

Myth 1. “I live in a GDPR-enforced country and should be guided by GDPR if I want to exchange my hairdresser's number with my friend.”

Status: false.

GDPR does not apply when a person uses personal data for purely personal or household activities, like writing letters or keeping a list of friends’ addresses and phone numbers and sharing such data with friends and relatives.

However, if someone uses social media and shares personal data publicly (i.e. access to personal data is provided to all participants of such a network) or uses social media accounts for business, politics, or charity, GDPR rules apply. This is because the data is no longer used only for personal or household activities.

For example, if you post your hairdresser’s contact information on a social media platform for business purposes (e.g. as an advertisement), GDPR might apply. However, sharing it privately with friends does not fall under GDPR.

Even where GDPR does not apply to a given processing of personal data, individuals can still be held responsible under other national laws, such as civil or criminal law (e.g. for defamation).

Conclusion: GDPR rules do not apply when personal data is processed only for personal or household activities. However, processing personal data on social media platforms publicly or for business, politics or charity purposes falls under GDPR as such processing is no longer carried out for personal or household purposes.

Myth 2. “Our company is the controller while processing the data of customers who purchase goods on our website. Since we are the controller, we cannot be the processor in any way.”

Status: false.

A single entity can act as both a data controller and a data processor, though not for the same processing activity. The data controller determines the purposes and means of processing personal data. The data processor processes data on behalf of the controller, following the controller’s instructions.

Cloud providers illustrate this well. A cloud provider stores its clients’ data, but it also has employees of its own. For the purpose of storing its clients’ data, the cloud provider acts as a processor: it does not determine the purposes and means of processing that personal data, but acts according to the terms of the agreement concluded with each client. However, for the purpose of processing the personal data of its employees, the same cloud provider acts as a controller. In that case the cloud provider determines which personal data of its employees it is obliged to collect and how to process it.

Conclusion: the role of a legal entity in the processing of personal data is determined by the functions it performs with regard to personal data. Performing the role of a controller in relation to a certain processing activity does not exclude the possibility of performing the role of a processor in relation to another processing activity.

Myth 3. “Our company has obtained the user's consent to process personal data, and now we can do anything we want with this personal data.”

Status: false.

Consent is given according to the principle: one purpose, one consent. If personal data needs to be processed on the basis of consent for several different purposes, consent must be obtained for each purpose separately. The information explaining why the data is being processed, and for which purpose consent is being requested, must be clear and easy to understand, leaving no room for confusion.

There is another common misconception related to consent: that consent is the only legal basis for processing customers’ personal data. In fact, consent is only one of six legal grounds for processing personal data. The other five are contract, legal obligation, vital interests, public interest and legitimate interests.

In fact, obtaining consent is not the easiest way to process personal data. Consent as a legal basis for processing personal data should be considered when none of the other grounds can be applied. This is because consent can be withdrawn by the data subject at any time. Upon withdrawal of consent, the company is obliged to stop processing the personal data for which such consent was given and without undue delay erase such personal data if there are no other legal grounds for processing the same data.

Conclusion: consent is one of six ways to legally use personal data. Consent must be given for each purpose of processing personal data. Consent should only be used when other options don’t work because it can be withdrawn by an individual.

Myth 4. “Our company processes neither sensitive nor a large amount of data of the users of our service, but we are still required to appoint a DPO.”

Status: false.

A DPO must be appointed if the company is a public authority (except for courts) or engages in large-scale processing of personal or sensitive data. If a company does not meet these criteria, GDPR does not oblige it to appoint a DPO. A company that is not required to appoint a DPO may still do so voluntarily; if it does, it must fulfil all the requirements of GDPR regarding the appointment, position and tasks of a DPO.

Conclusion: a company is not required to have a DPO if it is neither a public authority nor processes personal or sensitive data on a large scale.

Myth 5. “All biometric data is a special category of personal data. We can only process such data if we fall within the exemptions in Article 9(2) GDPR.”

Status: false.

Biometric data is data that is obtained through specific technical processing, relates to the physical, physiological or behavioural traits of an individual, and allows that natural person to be uniquely identified. Examples of biometric data are the data obtained through iris scanning, voice recognition and keystroke analysis.

All biometric data are personal data, but not all biometric data belong to the special category of personal data.

Biometric data belongs to the special category only when it is used to uniquely identify a natural person. Consider the following example. An employer wants to give some of its employees access to restricted areas. For this purpose these employees are fingerprinted, and their biometric templates are created and uploaded to a system. When one of these employees attempts to enter a restricted area, the system compares the employee’s biometric sample with the templates already stored in it to confirm identity. In this case the fingerprints are a special category of personal data, which implies special rules for their processing.

However, using such data in other ways, for example analysing mouse and keystroke dynamics to distinguish a person from a bot, does not fall into the special category of biometric data, and such data is processed under the general rules of GDPR.

Conclusion: all biometric data are personal data. But biometric data falls into a special category of personal data only when it is used to uniquely identify a natural person.
