Google Analytics – if we use this service for website monitoring/usage (high level statistics - we do not drill down to personal data level) and have signed a DPA (attached from Google that includes SCC) and note in our privacy notice – are we in breach and why?
Are the SCC you can download (cfr your latest newsletter of yesterday) according to the old SCC or already the draft new version ?
I would like to express my appreciation towards your continual help regarding GDPR and other regulatory requirements. I find all of them very helpful and insightful.
We manufacture medical devices and some of them are adapted in order to meet customers' needs. To do so, we require minimal health information, just to help us design and manufacture the device. There is a form that is filled in with the information required either by customers (most of the time) or by us and reviewed by customers. These forms never leave the offices and they are saved in password-protected folders. Also, when we process this information we do not assign a full name, but a number representing the specific customer or their initials.
Would we need an explicit consent request to be added to the forms that contain brief health-related information, or could this be covered by the Contract lawful basis?
Thank you in anticipation. Any help will be very much appreciated.
Hello - I work for a US multi-national corporation. We have offices in many countries including the EU and EEA as well as in many other countries. Would the GDPR apply to those countries outside the EU / EEA? I work out of the Canadian office. Would the GDPR apply?
We are a US-based Disabled Veteran Owned Small Business and recently picked up a chance to provide our services to a UK company. Our primary questions are:
1) We only keep employee name and employee email, and vendor name and email and IP address for same. Currently, we do not encrypt any of that data but only use it within our software.
2) We use Rackspace's standard security setup for our servers and biometric physical access.
Where are the gaps?
I am a software engineer and I am building a software product for hotels. The main goal is to allow hotel customers to check in from their mobile device prior to their physical presence at the hotel.
From a business point of view this is a three-step process:
1. The user takes a photograph of their personal ID or their passport.
2. The user fills out a form with all the details of the hotel's terms of service.
3. The user digitally signs for all the above.
There is no technical issue in performing these operations. However, questions arise concerning GDPR restrictions on how to forward the files to the hotel staff.
Should I store these files on the server, then send them with an email to the hotel staff and then delete them?
Is there any other recommended way of doing this process?
I am currently doing my own business as a sole proprietorship with IT services. It is interesting for me to know when I need a declaration of consent / AV contract and what exactly has to be in it.
Specifically, it is about issuing invoices, but also storing customer data in an administrative interface, i.e. personal data, for which I think consent is required: necessary passwords for the customer (WiFi, user accounts) as well as license keys and device specifications.
I am in an ongoing complaint procedure with my employer which is not based on this point but it has been discussed.
I sent a lengthy email to my Union requesting legal aid because my employer was protracting my return to work process following a long period of sick leave. When chasing up the Union I was informed by a rep not dealing with the case directly that another Union rep was speaking to HR about my return to work.
My reaction was confused as I had not asked for this. I wished to be consulted about legal recourse as per my email to them. I reluctantly replied by text "Ok that's good", as to acknowledge at least they were doing something. But my genuine feeling was annoyance as they had acted outside of their remit. I had not expressly asked them to speak to my employer.
I queried the HR manager as to whether he and the Union had discussed my situation in accordance with GDPR. When pressed he stated yes. My main complaint with my employer is not weighted on this point but I am annoyed that matters were discussed that have had influence on proceedings without me present and no documentation to prove/disprove what was said.
Just to reiterate I made no explicit request for the Union to speak to HR and the notification of it happening was made by text on the notion that it was in motion or happening soon. I felt hijacked.
I hope this isn't too long-winded or vague. I just want a rough idea of whether or not this is worth getting professional clarification and pursuing.
In terms of appointing an LSA: what if the company (UK based) primarily delivered digital services online and didn't deal with any specific EU country; would it be acceptable to appoint an LSA in any EU country (as there is no physical base outside the UK)?
1. Binding Corporate rules - are these the only way to transfer data from inside the EU to outside the EU (to UK and EU)
2. Which EU region has the toughest interpretation of GDPR?