Did we have to register somewhere?

No. In contrast with the EU Data Protection Directive of 1995, the GDPR does not require you to register your databases with the Data Protection Authority (DPA). However if you appoint a data protection officer in your company, you should send the DPA his or her contact details.

Under the GDPR, you need to appoint a data protection officer if:

  • you are a public body (e.g. ministry, school, public hospital);

  • your business involves regular and systemic monitoring of people’s data on a large scale (e.g. big tech companies, or companies that do credit scoring or video surveillance); or

  • you processes sensitive data on a large scale (e.g. hospitals).