EU GDPR - Expert Advice Community

Privacy Shield being invalidated

Hi there - I'm *** from ***, a US-based company that acts as a data processor. We used your excellent GDPR toolkit to be compliant when GDPR first came out (May 2018). Recently, as I'm sure you know, Privacy Shield was invalidated. What advice can you provide on how to retain GDPR compliance going forward?

Does GDPR applies just for European people?

"I have a doubt, in the company which I work, we have clients of LATAM and all of their employees aren´t European people but our hosting is in Spain. If I understand very well GDPR applies just for European people, this is right?

Key technical security safeguards

What are the key technical security safeguards that are mandatory to achieve compliance?

Compliance check: Controller with no establishment and/or representative in EEA - Data and processing happens within EEA

Our company established in Australia is planning to run a global online classifieds website. We will also be servicing to data subjects in EEA in addition to data subjects outside EEA.

We have no representatives or establishments in EEA. The data will be stored in Ireland and all of our servers will be in Ireland. We use a cloud hosting provider. We will never transfer data from Ireland to any third country.

Will we still be compliant? If not, what should we do to be compliant?

GDPR queries

1) What is the prime difference between ROPA & PIA?

2) While assessing a vendor, once I am done with Information Risk Assessment Questionnaire, how would I be able to identify if i have to proceed with ROPA or PIA?

3) I have created ROPA and PIa questionnaires and added below sections; do these makes sense or am I missing out on something?
ROPA
Contact Information
Basic information on processing and responsibility
Data Collection
Purpose and legal basis of data processing
Data transfers and recipients
Standard period for data erasure
Means of processing
Groups with access authorization (simplified authorization concept)
Technical and organizational measures (Art. 32 GDPR)
Data portability

PIA
Business / Project Information
General Information
Attributes of the Data (use and accuracy)
Sharing Practices
Notice to Individuals to Decline/Consent Use
Data sharing
Access to Data (administrative and technological controls)
Privacy Analysis
Retention and Deletion

DPO, e-mail and transfer of data to third countries

We are a German technology startup company approaching 20 employees spread over the world (Europe, Asia, Australia).

Actually, I have three questions:
1) I hear that if you have 20 employees with regular data processing activities, in Germany you are obliged to have a data protection officer. Is that right?

2) To have an employee considered having regular data processing activities, it is sufficient to have access and work with MS Outlook, is that right?

3) Following the ruling regarding the invalidation of Decision 2016/1250, I am very much confused with the requirements. Reading some of the publication of the edpb, it seems to me hardly feasible anymore to manage GDPR across a small multinational company. Any suggestions?

Recommendations regarding EU-US Privacy Shield

What recommendations would you suggest for a small / Medium sized business in light of the recent decision by the ECJ regarding the EU-US Privacy Shield?

Data Protection Matrix

I am to develop Data Protection Matrix for my organization. How do I go about it?

Cookies and pixels under EU GDPR

Personal vs. Generic emails regarding B2B email marketing

I was curious to the similarities or differences there might be between the UK and Germany regarding privacy laws on the topic of email marketing in a B2B setting, specifically on what is considered a "generic" email address versus a "personal" email address in Germany and how those are handled in business to business email marketing.