EU GDPR - Expert Advice Community


  • Data breach

    I have recently found out that due to a huge mistake with my tax submissions, my old employer had been sending to HMRC that they had issued my NI with 2 other colleagues, which now means I am paying a higher tax than I should. I am having difficulty both with my old employer and HMRC. Can this be seen as a Data Breach by my old employer? I am getting no help whatsoever with this and I am paying nearly £100 per week in tax because of this mistake!

  • Required documents

    Hello, I am starting a web hosting company as a reseller for a company that is renting its servers from Google and other cloud providers. The company has the ability to log in and see my customer's information if they wanted, but they have told me and promised that they would never do that.

    What documents will I need to write in order to be compliant with GDPR? I have heard about Data Processing Agreements, Privacy Policies, Cookie Policies, and many more, but I don't know which ones I will need.

    I am also wondering if I have to write the name of the company that I am a reseller of, I don't want my customers to know that I am a reseller. Is it for example possible to write that we are often changing providers and that the client should contact us to get the correct information? In that way, I would minimize the risk of them finding out.

  • Data privacy

    What are our data security and privacy responsibilities when we use multiple providers to connect for user web experience? Data collected from those partners will be owned by those partners but we store to share it with other partners based on that experience? Are we a controller, processor, or joint controller? Maybe you can provide any links which would help us to understand more.

  • GDPR - which mailing is allowed?

    I would like to know how shocking I am when I send an email to a company (the one who represents the company)? The person writes me an email with the following content: "I ask you for information according to § 15 DSGVO in relation to my data processing. In particular, I ask you to inform me what legal basis you have for writing this e-mail to me."

    - I would like to be able to answer him, for sure. Can you help me?

  • Existence of data processing

    Our company, to provide access to a digital editorial publication, holds a list of usernames provided by a third party, which does not correspond to any name or other personal identifier. However, some of these usernames are completely anonymous, while others contain email addresses inside.
    The question is: does having a list of email addresses without any correspondence with a name and surname constitute processing / storage of personal data?
    Thanks for the clarification

  • In which case does a Canadian company need an EU representative?

    In which case does a Canadian company need to have an EU representative? 

  • Questions about sending resume, cover letter and contact info overseas.

    I'm a *** citizen filling out an online employment application with an international company, for a position in the ***. Their website says “We are processing your personal data according to Art. 6 (1) (a) GDPR and Art. 88 GDPR.” It’s the first time I’ve heard about this…

    The data in this case would be my resume and possibly a cover letter as well as personal contact information such as address, phone number and e-mail. I searched the company I intend applying to and found out that they have been bought by a multinational company.

    I put Art. 6 (1) (a) GDPR and Art. 88 GDPR in my web browser’s search box and was directed to the Advisera website. I read Art. 6 (1) (a) GDPR from your website, which, as I understand it, says the information I supply will be used regarding an employment contract, which sounds reasonable to me.

    I read Art. 88 GDPR from your website and I think item 2 says they can share the information I supply across their enterprise with dignity, and transparency. I presume this is on a need-to-know basis similar to how personnel records would be handled here in the United States, am I right?

    To do with an application for employment, are there any other parts of the GDPR that I should read? Their website did say “We are processing your personal data according to Art. 6 (1) (a) GDPR and Art. 88 GDPR.” Are there other Articles of the GDPR that I will be bound by?

    Art. 88 Item 3 gives the date 25 May 2018, so am I reading the most up to date version of GDPR?

  • GDPR implementation

    A manpower company collects PII data and processes visas through Gov. sites and brings the manpower to their company. Now the supplier from *** is looking to have GDPR done. How to approach?

  • Privacy Notice Webinar - EU GDPR Premium Kit questions

    1. Tudor Galos mentioned using a four column table in a privacy notice. I didn’t get the column details quickly enough. Were they “category of data subject”, “personal data to be processed”, “purpose”, “legal basis”?

    2. TG also referred to the kit containing granular privacy notice. Did he just mean that you provide different ones for e.g. employees, supplier employees, web users etc?

    3. Our privacy notice should give the supervisory authority a data subject can complain to. We are based in the UK so obviously we give the ICO for UK residents. We process the personal data of EU residents, mainly from Germany, France and Spain. We have appointed an EU Representative with an address in Germany as that is where the majority of the data subjects are. Which EU supervisory authority should be put in the privacy notice?

    4. When dealing with a corporate client or supplier, we may well be given the personal data – usually contact details – of other staff members. How do we deal with notifying them that we have their details? Commercially, it would be a bit odd if every time we emailed them direct. I could see us upsetting clients!

  • Determining necessary security measures

    1) From the role of DPO in a Spanish company (provider of Head Hunting and Personnel Search services) that has begun its adaptation to GDPR, how should the actions to be taken be planned in an orderly manner to determine the necessary security measures, which guarantee the rights of users (candidates who apply for Internet searches and through forms/questionnaires to be completed on the institutional website of the Spanish company) and also the security of the information of their personal data (sensitive because they have health data)?

    2) Would there be a document or article published on the Internet that has a mapping between what is required by GDPR and what is recommended by good practices: ISO 27001, ISO 27701, ISO 27002, ISO 27018?
