EU GDPR - Expert Advice Community



Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Data transfers to third countries under BCR umbrella

    I would have a question related to data transfers to third countries under the BCR umbrella.

    Are the BCR’s approved under Directive ’95 considered as a valid mechanism for transfers to 3rd countries?

    According to WP29 it is stated that while in accordance with article 46-5 of the GDPR, authorisations by a Member State or supervisory authority made on the basis of Article 26(2) of Directive 95/46/EC will remain valid until amended, replaced or repealed, if necessary, by that supervisory authority, groups with approved BCRs should, in preparing to the GDPR, bring their BCRs in line with GDPR requirements.

    However, how can a controller verify that BCR approved before 2018 has been brought in line with GDPR?  Art.47 does not specify procedure for updates to BCR’s as far as I can tell..

    I am currently dealing with a supplier who refuses to proceed with SCC claiming that there BCR approved by the European Commission under Directive’95 are legitimate safeguard for the transfer.

    Any advice or further considerations would be much appreciated.

  • ROPA applicability

    So it is stated in GDPR that if an organization has to maintain ROPA if
    1. it has more than 250 employees
    2. It performs processing that is not occasional

    We act as both a
    1. data processor for customers where we are processing personal data on a daily basis
    2. data controller for our own employee data, marketing, and sales data

    My question is are we still bound to maintain ROPA?

  • Complying with retention rules when using pseudonymized personal data

    If we use personal data that was pseudonymized, do we still have to comply with retention rules from GDPR?

  • GDPR and DPA Genome/Sensitive data

    Yes, can you tell me who one has to report to if the data subject decides that it doesn't want its genome material in a database anymore

  • Scope as a data controller

    Hi, so I want to ask that we are a UK based company with office in asia, who provide saas solutions. Now in terms of the products that we offer we shall be a data processor. I am still not clear on our responsibility of data where we would be acting as a data controller, for example we would be acting as DC for
    1. our employee data
    2. any data we gather through cookies
    3. contact information gathered through contact us forms on our website
    4. supplier data (if any is based in uk or EEA)
    5. customer data in regard to sales and contracts (incase we have european or uk based customers)

    Is this correct ?

  • È necessario il DPO?

    Salve, sono un ragazzo che sta portando avanti lo sviluppo di un software che fa web scraping. Ovvero, si tratta di un sistema che tabularizza
    Se vogliamo aprire il sito a degli utenti (con email e password) per fargli vedere questi dati raccolti, c'è l'obbligo di un DPO? Riferendomi a questo sito non mi sembra ricadiamo nei 3 punti di obbligatorietà


  • NPS form - GDPR Rules

    My company wants to send an NPS form (created through a survey tool like SurveyMoneky) to some of our fortune 500 customers via emai. I have read that if we don't collect any personal data and conduct the survey anonymously then it would be ok to rely on a completely unmistakable notice along the lines of “by submitting this form you agree that we will process your data in line with our privacy policy. Is this correct? If we do decide to collect identifiable data, would the be enough for us to ask their consent via a pop-up where they can 'agree' or 'refuse' ? Of course with a link to said privacy policy to which they would agree or refuse? Could you please advise on the best practice for sending these type of NPS surveys via email to our customers in accordance to GDPR rules?
  • How does German law GDPR apply to online surveys?

    How does German law GDPR apply to online surveys?
    Where survery users may be requested to submit their email address in order to take the survey.

  • Wordage to make the below (EU GDPR) into the UK GDPR equivalent

    Can you suggest the wordage to make the below (EU GDPR) into the UK GDPR equivalent? Many thanks, Robert

    EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council  of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)

  • Need of explicit consent

    I work with the events industry and wanted to find out that what if one of my sales agent received a contact list from one of his client. are we legally allowed to get in touch with those contacts as they might all be relevant to the events we host? So basically under legitimate interest? Or we would need explicit consent from the contacts to contact them?

Page 14 of 97 pages