5 myths you are likely to believe about the GDPR

5 GDPR Myths

The General Data Protection Regulation (GDPR) was introduced in 2018 with the aim of giving European citizens more control over their personal data. The regulation applies to any company that processes data from individuals in the EU, regardless of whether the company is based inside or outside the EU.

Although the GDPR has generally been well received, there are still many myths and misunderstandings about what it entails. In this blog post, we debunk some of the most common GDPR myths and help you better understand the regulation.

Myth #1: GDPR only applies to companies based in the EU

This is a widespread myth that is often discussed in the business world. Many mistakenly believe that the GDPR only applies to companies based in the European Union (EU). However, this is not true. As mentioned, the GDPR applies to any company that processes data from individuals in the EU, regardless of whether the company is based inside or outside the EU. So if your company has customers in Europe, you must comply with the GDPR.

This also applies to companies that do not have a presence in the EU but offer their products or services to EU citizens. It is important for companies worldwide to be aware of this and ensure that they meet GDPR requirements to avoid penalties and fines.

Myth #2: Only large companies are affected by fines

This is not entirely accurate. Under the GDPR, all organisations that collect, process, and store personal data face fines for non-compliance, regardless of their size or type. This includes small and medium-sized enterprises, charities, government agencies, and other entities that process personal data.

The GDPR provides for a tiered system of fines based on the severity of the violation, and the size and financial resources of the organisation are taken into account when determining the amount of the fine. However, the GDPR makes it clear that fines are not the only penalty for non-compliance with the regulation. Supervisory authorities have a range of enforcement tools at their disposal, such as ordering organisations to cease data processing or delete personal data, and imposing a temporary or permanent ban on data processing activities.

Myth #3: GDPR means I can't send marketing emails without explicit consent from everyone on my mailing list

The fact is that you can continue to send marketing emails under the GDPR, but you must have a lawful basis for doing so. One of the legal grounds for processing personal data is "legitimate interest." This means that in Germany, you can send marketing emails to people who are already customers, provided they had the opportunity to opt out of receiving such emails and the other specific criteria set out in German competition law are met. If you cannot rely on legitimate interest, you must obtain explicit consent from individuals before sending them marketing emails. For example, if someone has unsubscribed from your mailing list, you need their explicit consent before adding them back to your list. Even if someone has given their consent to receive marketing emails, they can revoke that consent at any time by using the "unsubscribe" link in your emails or by contacting you directly.

Myth #4: Compliance with the GDPR is expensive and time-consuming

A common myth surrounding GDPR is that compliance with its regulations is expensive and time-consuming. While it is true that implementing the necessary measures requires some effort, the costs and time involved are usually manageable and can even lead to long-term savings.

Like any major compliance initiative, complying with the GDPR requires an initial investment of time and money. However, once you have established guidelines and procedures for data protection and trained your employees accordingly - which can be facilitated by hiring an external data protection officer with the relevant expertise - ongoing GDPR compliance should not cause significant costs or time consumption.

A good way to save time and money is to rely on pre-made data protection tools like heyData. With heyData, you can quickly and easily take the necessary data protection measures and ensure GDPR compliance. The data protection software can, for example, help you automatically generate your privacy policy, conduct data protection impact assessments, log your data processing activities, and much more. This not only saves you time and money but also minimises the risk of fines and legal consequences. Therefore, the myth of expensive and time-consuming GDPR compliance is not necessarily true in reality.

Myth #5: All company data processing activities require the DPO's consent

Under the GDPR, companies must protect the personal data they process and ensure compliance with data protection laws. One of the most common questions companies have is whether they need the consent of the Data Protection Officer (DPO) to carry out all their data processing activities.

The answer is no. If a company is not required to appoint a DPO, there is no DPO whose consent could be obtained for its data processing activities. Where a DPO is appointed, the DPO is responsible for ensuring that the company complies with the GDPR, but the company does not need the DPO's consent for each processing activity. Companies must also ensure that they have a suitable legal basis for processing personal data, such as obtaining the data subject's consent or fulfilling a contract. There are also certain data processing activities that can be carried out without consent, such as fulfilling legal obligations or pursuing legitimate interests.

Overall, companies do not need the DPO's consent for their data processing activities. Instead, they must ensure that they comply with the GDPR and have a suitable legal basis for each of their data processing activities.

Even five years after its introduction, there is still confusion surrounding the GDPR. We hope that this blog post has helped dispel some of the myths surrounding the regulation. If you are still unsure how the GDPR applies to your business or what steps you need to take to comply with it, contact heyData's data protection experts – we are happy to help!
