Guest
I am *** Chief Technical Architect from *** and I have a couple of questions about GDPR implementation in customers' applications.
1. In order to be compliant with GDPR, the user has some rights that should be made available by the different systems, such as the right to delete the personal data, the right to rectify, the right to get a copy of his personal data, and so on.
Are there any issues if these rights are implemented using defined processes with our customers and using database scripts to implement the required rights, instead of modifying each and every application to implement these rights?
These database scripts will be included in the application deliverables.
2. The right to be informed will be included in the cookie bar, or in a separate checkbox in the registration process, or in the consent signed by the employees using these applications. Is that accepted?
3. Would you please confirm that securing the data at rest can be achieved by applying security measures on the database access, either physically (access to the physical server) or logically (access to the database tables), if it is on-premise?
This also applies to databases hosted in the cloud by the cloud providers, and in this case we need a confirmation from the cloud provider that the servers are secured as required and confirmation of the required security measures.
4. Securing the data in transit can be implemented by securing the communication channel (i.e. using the HTTPS protocol, or SFTP if the personal data is included in files) and securing any media used to back up or transfer the data.
5. Encryption of personal data in the databases is something that is recommended but is not mandated by GDPR for securing users' personal data at rest. Please confirm.
If we are coordinating a European project, and the data we collect is basic personal data (name, phone, email) from different EU city employees who take part in that project, are we, as coordinator, responsible for how other project partners handle this data? I.e. the project requires us to ensure that many partners also view this data (it wouldn't serve a purpose if we anonymised it), and then how can we control what the partner organisations do with this data, whether they delete it on time, etc.? So far we have had a project document called DP management, where we would write down procedures, including that the data needs to be deleted after the project ends and so on. Is this enough to show our accountability as coordinators?
I have a question for you. Does a small Biotech company need to have a DPO?
Thanking you in advance.
How does a business that keeps records and wants its employees to be held accountable deal with employee records when some contracts have retention requirements of 3 or 7 years?
I am a teacher at a music Conservatory. Together with a sizeable group of colleagues, we would like to build a database that can be consulted online on the portal of a trade journal. The database should contain some data relating to the theses presented for the Final Examination at the end of an academic course. In particular: the title of the thesis, the subject of interest, possibly the names of the graduating students and of the supervisors, and the name of the institution where the Examination was held. Is this an initiative that is easy to carry out? What obligations would we be required to comply with, if any? Thank you
1. Would having longitude and latitude, i.e. geolocation coordinates (and hence the home address, I believe, if I am not wrong), of some person be considered as PII?
2. Since clouds like Amazon AWS have backups happening across the world to maintain high availability and for BCP purposes, I feel it's a fair assumption to think that AWS will be considering privacy laws like GDPR before sending European residents' PII data to any other country outside Europe. Correct?
3. While doing an assessment, do I need to ask vendors to give me a list of countries where the cloud is sending the backup data (containing PII) to, while thinking of privacy? The logic being that European residents' data is going outside Europe, so ask whether the cloud follows GDPR by having controls or not.
4. Am I correct regarding the applicability of GDPR in the practical life scenarios below? a) A European resident (not citizen) went to India and registered an account with Uber by giving his PII and rode in a cab. So GDPR would NOT be applicable regarding the handling of this European person's data. Correct? I think GDPR should not be, as the law of the land will prevail, which is India in this case and not Europe.
Article 3 GDPR defines the territorial scope of GDPR and it is applicable to data processing taking place in the EU or from data controller located in the EU. Therefore, the EU citizen in India will not be under GDPR.
b) An Indian resident went to Europe and registered an account with Uber Europe by giving PII and is currently doing a cab ride, so GDPR will be applicable as per what's written in the GDPR regulation. Correct?
5. Now the Indian resident has completed the trip, has gone back to India and has left Europe. Will GDPR still protect his PII data, which is now residing in Europe?
6. Someone from India wants to make a trip to Europe and thought of advance booking, so while sitting in India itself he registers an account by giving his PII on the website of some European tour operator with its data center in: c.1) Europe - Will GDPR be applicable? c.2) Outside Europe - Will GDPR be applicable?
7. Will the time of the actual visit make any difference to GDPR applicability, i.e. is GDPR ON only after the actual visit has happened and not before?
8. Since an IP is PII, will even a dynamic IP (not a static IP) be considered as PII? By the time the captured dynamic IP is processed to find PII, the dynamic IP would have changed/expired.
Requesting your guidance on these as I believe these will help me in understanding Privacy better
Hi, can I please have some advice on SAR regarding an employee and a grievance?
Hi, do I need to have a privacy policy and GDPR docs on a website which is 'coming soon', where I have just set up the landing page and am getting users to register their interest by subscribing with just an email?
My situation is that we are publishing a list of the top 25 UK figures in a specific technology. We would like to notify those figures that they've been chosen before we publish, but we have not been given their email addresses.
My questions are:
1) If we are able to obtain those email addresses from the public domain (but have not been given explicit consent from the people to use those email addresses), is it admissible to email them in order to ask them if they want to be featured? Does this fall under 'legitimate interest'?
2) If we message these people on social media instead of emailing (i.e. LinkedIn and/or Twitter), but we are not currently 'connected' to them, is this admissible under GDPR?
1. Will this help me make my websites (cookie bar, privacy policy, terms of service, shop, contact form and newsletter form) fully compliant?
2. Do I have full support in all the above steps, or is there any limitation in terms of the number of times I can ask?
3. And since my websites are visited and used by people from all over the world, do I have to comply with other non-EU countries' regulations too? Or is GDPR implementation enough for these countries?
I am asking this because maybe there is a need to buy another package.