EU GDPR - Expert Advice Community




  • Possible GDPR breach

    I asked a member of my voluntary organisation to email me her complaint about the conduct of other members of the organisation. She then sent me a file which contained potentially libellous allegations against a non-member. I forwarded the file to another officer to be considered. In the meantime, the complainant has circulated that file without authorisation to other members of our organisation. Is the organisation or myself in breach of GDPR security, although I have only circulated the file to one other officer, whose advice was that we are not competent to consider the case of the person named in the file in connection with criminal misconduct (without any supportive evidence)? Or is it only the complainant who may be guilty of a breach, for circulating her own personal and original copy of the file to others?

  • EU GDPR representative

    The client is a small company that has a staff of four or five. They are based in the US and provide neurologic brain testing for patients usually suffering from a stroke. The tests are administered by a doctor or a health clinic. Recently, there is a clinic in Italy that plans on using their software. The number of patients, for the near future, may only be a few dozen.

    I have done some research but can't find an exact answer to these questions:

    1. Does the company need to have a formal EU Representative?

    2. Are there companies that provide EU Representation services?

    3. Does this representative need to keep the Record of Processing Activities?

    4. If there is one thing that must be focused on to be GDPR compliant, what would that be?


  • Joint controllers share of responsibilities in IoT

    I am interested in how to determine a share amount of responsibilities in IoT.
    Thank you in advance

  • GDPR Data Retention

    Hello, I am from the US. I found a link which referred me to a website that specializes in modding videogames. Without looking or reading up much on the site I signed up as I assumed I would be able to delete my account. I quickly found that I did not want to keep this account there. I emailed the administrator of the site for clarification on the policy, and they stated that they were legally obligated to retain my account for 7 years, and they then banned me from the site. I had emailed about the possibility of deletion, though I did not request it before they banned me. I did further research on this site and they stated vaguely that the GDPR requires them to maintain my account for 10 years, but they state 7 in the terms of service. They also referenced US Tax Laws and the Swiss Data Protection Act, but they referred to the GDPR as the law they had to follow regarding retention of my account. I did a few hours of searching but could not come up with anything that stated they had to retain this, which would prevent me from acting upon my right to delete the account. I was wondering if there was something I missed in my research regarding the retention period.

  • Collecting email addresses

    Afternoon, I run a company and we are trying to contact possible customers. Can I go on a website, contact us page, find the email address and email them directly some information about our company? I am looking into a Mailchimp style of setup where they have the option to opt out and plan on sending newsletters, offers etc. Thank you for your time.

  • Ensuring proper resources are on board

    I just read the project plan for GDPR compliance.
    The sheet on mitigating project risks mentions "ensuring proper resources are on board".
    Can you inform me which resources those are?

  • EU GDPR representative

    I am working with a small business (five people) and they have been asked to provide services to an Italian firm. I have been asked to explore what is required. The business is located in the US and is HIPAA compliant. I understand they need an EU representative. Is this accurate and can that be a person or a company? Thank you.

  • Toolkit content

    Which documents of your Toolkit refer to the following issues:

    • Intragroup Data Transfer Agreement (IGDTA)
    • Technical and Organisational Measures (TOMS)
    • Newsletter Policy

  • Third party

    Please advise: when a third party discloses PII data only by visiting the data processor's premises and looking at data at the data processor's premises, noting that they don't have remote access to this data, what is the nature of processing here, and do we have to sign any agreement with them? And what is the case if they have remote access to this data?
    Thank you

  • Fines issued in the UK for non-compliance with GDPR

    Is there currently a list of organisations in the UK who have been fined for non-compliance with GDPR, and is this list available in the public domain?
