EU GDPR - Expert Advice Community

Giving consent

Let's say a contact registers for my event wherein, while they register i have clearly given them option to "opt out" of any communication that goes out through me. If they do not "opt out", then does that give me the consent to contact them? Is not opting out, considered as giving consent to contact or do we need to add in "opt in" options like how we have "opt out" options?

GDPR Best legal basis for data sharing

I am looking for clarification on the GDPR process for legal basis for collection of personal information.

Holding Personal Information

I would like to know a how long I should hold on to personal details, for example. Financial and Health Declarations.
 

Digital consent registration

How does your documentation help with digital consent registration (for example, a user accepts the cookies on my website or subscribes to a newsletter)? Since the consent needs to be stored or registered somewhere, but I don’t see it anywhere in your documentation. 

Data obtained from partners

I would like to know more about what it looks like when a partner company obtains personal data for its own company.
I am initially assuming that the partner will then be responsible for data protection? And or how exactly does this have to be contractually clarified or formulated?

I would be very happy to receive a feedback.

Can I save my customers information and email them about the event they purchased a ticket for?

I am selling tickets to my online event. Can I save my customers information in my CRM and email them about the event they purchased a ticket for?

Email won't respond unless I give certain info in order to be GDPR-compliant - is this GDPR-relevant?

I sent an email to my company's HR about some issues, who said they wish to know who I am (i.e., whether I am an employee, customer, relation to an employee etc.) in order to keep their response GDPR compliant. Is this in any way GDPR-relevant, and would it not risk being less compliant by asking for more personal detail where it is most likely irrelevant to do so?

Confirmation for Erasure of Data

I did get the file and extracted it.

It has the additional files you mentioned, but there is not one for a Data erasure requests, only the confirmation of erasure.  My question for you, is what should we use to confirm that someone has asked us to delete their data?

Should we use a combination of :

07.10_Confirmation_of_Data_Subject_Rights_Request_Premium_EN

07.6_Data_Subject_Access_Request_Form_Premium_EN

Possible GDPR breach

I asked a member of my voluntary organisation to email me her complaint about the conduct of other members of the organisation. She then sent me a file which contained potentially libellous allegations against a non-member. I forwarded the file to an another officer to be considered. In the meantime, the complainant has circulated that file without authorisation to other members of our organisation. Is the organisation or myself in breach of GDPR security, although I have only circulated the file to one other officer, whose advice was that we are not competent to consider the case of the person named in the file in connection with criminal misconduct (without any supportive evidence). Or is it only the complainant who may be guilty of a breach, for circulating her own personal and original copy of the file to others?

EU GDPR representative

The client is a small company that is a staff of four or five. They are based in the US and provide neurologic brain testing for patients usually suffering from a stroke.  The tests are administered by a doctor or a health clinic.  Recently, there is a clinic in Italy that plans on using their software.  The number of patients, for the near future, may only be a few dozen.

I have done some research but can't find an exact answer to these questions:

1. Does the company need to have a formal EU Representative?

2. Are there companies that provide EU Representation services?

3. Does this representative need to keep the Record of Processing Activities?

4. If there is one thing that must be focused on to be GDPR compliant, what would that be?