EU GDPR - Expert Advice Community

Sensitive data requested for refund processing

A company owes me a refund and in order for this to happen they are requesting the following:

"send a copy of the front of your debit card plus either a copy of your passport, driving license or Utility bill dated within the last 3 months.

Unfortunately our accounts team are unable to process the refund without these."

I am not happy providing any of this and do not think this is needed for a refund. Can you please advise?

Need of keeping data beyond each specific project

We are very small. We do not keep data beyond each specific project. Do we need to do this?

ISO standard and GDPR

1. How can ISO27701 (Privacy Information Management System) help comply with GDPR?

2. What are the similarities and differences in both of them?

GDPR vs. EU Dir 95/46/EC

I am trying to find out if EU Directive 95/46/EC still exists or if it has been formally replaced by GDPR.

Importance of data quality and data protection

1. Why are data quality and data protection important in the organization?
2. When considering information data management as a business resource that needs to be governed. What should this governance ensure?
3. Using data from your data lake what do you need to consider related to GDPR?

Using customer's data from the questionnaire

I am looking to do a questionnaire and from that ask people for their email address for further contact if they're happy with that. I would not use their email address for anything else other than the purposes set in my questionnaire. Under GDPR ruling, is this allowed?

IS Cross Border Personal Data Transfer Procedure actual according to GDPR?

In the process of the implementation of the Cross Border Personal Data Transfer Procedure, please clarify if the section below is still actual according to the GDPR and repealing Directive 95/46/EC.

2. Definitions
Data Importer - the Processor established in a third country who agrees to receive, from the data exporter, personal data intended for processing on the data exporter’s behalf after the transfer, in accordance with his instructions and the terms of applicable laws, and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

Has e-Privacy come into effect?

In "Module 13: Sustaining and improving compliance", in the "Keep Looking Forward" video, the lecturer says that:
the e-Privacy regulation is in the drafting stage and will soon set rules for privacy and security in the context of electronic communications.
My question is, has the e-Privacy already come into effect? and where can I find out more information about it?

GDPR - Breaking of Confidentiality

1. I have been in dispute with a care company over an invoice dating from late 2018. Basically the company was trying to charge my mother, who suffers from *** for appointments where they didn't turn up or left early to get to other appointments. I asked for some information under the "Freedom of Information Act 2000" several months back which the care company did not supply. Recently a Debt Recovery company contacted me reference the unpaid invoice. We have been in communication for a several weeks now. This week I received an email from the Debt Recovery company attached to the email was some of the information that I had requested from the care company. The attachments were a copy of my mothers contract with the care company, a copy of her Individual Care and Support Agreement and a copy of my Power of Attorney for my mothers finances.

Are the care company in breach of GDPR for sharing this information with a third party i.e. the Debt Recovery company?

2. What can I do about this breach of confidentiality?

3. Can I take the Care Company to court over this matter? As I am really not happy with them over this!

Are entities in certain countries still required to form binding corporate rules?

It's regarding Module 8: Data transfers and managing third parties in the DPO course
The lecturer explains that there are certain countries that need binding corporate rules between companies transferring to each other who are operating under the same parent company. He explains that there are countries identified as having an adequate level of data protection (i.e the EU member states) and then explains that certain countries were not yet recognized have adequate protection such as the United States was not recognized as having an adequate level of data protection. Is this list of countries still up to date? Are entities in these countries still required to form binding corporate rules?