Take the ISO 27001 course exam and get the
EU GDPR course exam for free

EU GDPR - Expert Advice Community



Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Data Protection Legislation

    DPO need for a start up. Do we need an external DPO for our business and a DPIA? We are setting up as a private COVID testing center

  • Processore / Controllore

    In seguito alla lettura dell’articolo: https://advisera.com/eugdpracademy/it/knowledgebase/il-gdpr-dellue-controllori-a-confronto-con-processori-quali-sono-le-differenze/ ho una domanda:
     Il titolare aziendale che analizza e riceve i dati da solo e non si affida a nessuna organizzazione esterna, può fare sia il Controllore che il Processore?
    Nel caso in cui i dati, tipo e-mail vengono letti dai dipendenti, deve nominare un processore e il controllore?

  • Need for consent

    I have attended few of your webinars over GDPR. I have a question for you hope you will help me. GDPR says consent is not required is a contract is signed. If a Bank says Account Opening form, filled by customer is a legal contract with Bank, so they dont need customer consent to control and process data. Is it correct? As per my understanding consent is different from AoF. Can you please guide me with GDPR references that still Bank need consent.

  • Are Microsoft Office 365 and Dynamics 365 GDPR compliant?

    One question for you - Is Microsoft Office 365 and Dynamics 365 GDPR compliant?

  • GDPR con 2 Ragioni Sociali

    per fare in modo che due ragioni sociali possano entrambe utilizzare i contatti raccolti in un form, basta specificarlo nelle preferenze della privacy del form di contatto?
    Grazie anticipatamente.

  • Assistance with the toolkit

    I have bought the EU GDPR Website toolkit and would need some help to go through it.

    Anyway, I am now working at the Privacy Policy, and here are my questions. I hope you can answer them.

    1) In the Privacy Policy template, I have found it difficult to understand the following side notes. Could you, please, explain in simple words?
    You state there are 3 ways to use the Privacy Policy/Privacy notes.
    First of all, it would be good to understand what you mean with Privacy Notices. Are they those numbered sections that I can see in the Privacy Policy template?

    And to make things easier, could you, please, let me know which of the three options I should choose, based on my situation?

    I live and work in the UK but with my website I aim to offer my services to the entire world.
    I already have made a Privacy Policy, which I have published on my website, but I need to review it to be sure it is compliant (that's why I also bought this toolkit). However, since my website will be accessed from any part of the world, I would need to comply with CCPA and the other privacy legislations too.

    2) Instead of having a dedicated page to the Cookie Policy and linking to it from the Privacy Policy, can I just include it in the Privacy Policy?

    3) Once ready, can I simply link to my website Privacy Policy from a Google survey I have created, rather than writing a new, specific Privacy Policy for that purpose?
    Similarly, should I place this link in all the emails I send to my leads and clients?

    4) In the Privacy Policy side notes you wrote: "If you do not have a Data Protection Officer, you can specify another person who is in charge of personal data protection." Since I am self-employed (not a company), so I am on my own and using my name there, too, would not look very professional, would it be fine if instead of writing my name there I just use the more generic "us"? The context makes the visitor understand that "us" refers to the name+surname written at the beginning of the Privacy Policy. Similarly at 1c: "You can contact us" instead of "You can contact our Data Protection Officer".

    5) Under section 2 (Processing of Personal Data during Your Use of Our Website), could you please explain the following terms in simple words?
    - access control
    - segregation of duties
    - internal audit
    Also, is encryption to be listed here if I only have a SSL certificate? (I do not know whether there are other ways to do encryption.

    6) What should I write in "Confidentiality level" at the top right corner of the Privacy Policy?
    And am I supposed to keep the footer, including the version number of the privacy policy and the license agreement for the template?

    7) I have Wordpress. Can you confirm that it is GDPR compliant? And, if so, is there a way to know which cookies WordPress sets without plugins installed?
    I have read that it sets cookies to allow visitors comments, posts and for admins; should I mention them in the cookie policy, and how to find all information about them?

    8) Considering that my Wordpress website does not allow comments and posts, and that the users have not to login to visit it, which cookies should I list in my cookie policy of those set by Wordpress?
    They all are listed under "WordPress Users Cookie" and "WordPress Commenters Cookie" at https://www.cookielawinfo.com/wordp************************************

    Thanks in advance for your help.

  • Questions regarding GDPR

    I have two questions:

    1. Are there GDPR awareness training videos available? I am looking for a 30-1hr video for our employees which explains the guiding principles and responsibilities on organizations and their personnel.
    2. In the paragraph below taken from the GDPR regulations. It refers to (commercial organisations). Could you elaborate on the intended definition of commercial organisation?

    The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In others words, transfers to the country in question will be assimilated to intra-EU transmissions of data.The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection.

  • Data transfers to third countries under BCR umbrella

    I would have a question related to data transfers to third countries under the BCR umbrella.

    Are the BCR’s approved under Directive ’95 considered as a valid mechanism for transfers to 3rd countries?

    According to WP29 it is stated that while in accordance with article 46-5 of the GDPR, authorisations by a Member State or supervisory authority made on the basis of Article 26(2) of Directive 95/46/EC will remain valid until amended, replaced or repealed, if necessary, by that supervisory authority, groups with approved BCRs should, in preparing to the GDPR, bring their BCRs in line with GDPR requirements.

    However, how can a controller verify that BCR approved before 2018 has been brought in line with GDPR?  Art.47 does not specify procedure for updates to BCR’s as far as I can tell..

    I am currently dealing with a supplier who refuses to proceed with SCC claiming that there BCR approved by the European Commission under Directive’95 are legitimate safeguard for the transfer.

    Any advice or further considerations would be much appreciated.

  • ROPA applicability

    So it is stated in GDPR that if an organization has to maintain ROPA if
    1. it has more than 250 employees
    2. It performs processing that is not occasional

    We act as both a
    1. data processor for customers where we are processing personal data on a daily basis
    2. data controller for our own employee data, marketing, and sales data

    My question is are we still bound to maintain ROPA?

  • Complying with retention rules when using pseudonymized personal data

    If we use personal data that was pseudonymized, do we still have to comply with retention rules from GDPR?

Page 11 of 95 pages