EU GDPR - Expert Advice Community

Article 12 (3) general data protection

I would like to inquire the reasons why a time extension is required so that I can have access to my information for 3 months. I requested to view my records as a matter of urgency and understood this would take a month. Now it will take until 17th May 2020. Thank you for your help.

EU GDPR Data

Hi. What are the obligations for an entity given the regulations under GDPR with regard to:

• Usage, Collection, Processing, and Storage of CCTV Data
• Collection, Processing, and Storage of Biometric Data

Data Processing Agreement

I have a question about GDPR I hope you can help with.
We have some customers (data controllers) for which we are processing data, however, we have no Data Processing Agreement in place with the customer.
Is it our responsibility to approach the customer who is the data controller to ensure a DPA is in place and, if so, what is the best way to approach this?

Data Protection Regulations

The Data Protection (Charges and Information) Regulations 2018 requires every organisation or sole trader who processes personal information to pay a data protection fee to the ICO, unless they are exempt.

And the following comes up on the self assessment section to determine exemption status:
Answer ‘Yes’ if your organisation was established for not-for-profit making purposes and does not make a profit. Also answer ‘yes’ if your organisation makes a profit for its own purposes, as long as the profit is not used to enrich others. You must:

• only process information necessary to establish or maintain membership or support
• only process information necessary to provide or administer activities for people who are members of the organization or have regular contact with it;
• you only hold information about individuals whose data you need to process for this exempt purpose
• the personal data you process is restricted to personal information that is necessary for this exempt purpose

Can the word 'support' where it appears in the first bullet point above cover the situation where Charity A refers a person not otherwise known to Charity B for support. If so, how is the situation affected by the second bullet point?

Transferring data between two databases in two different companies.

DPO role

Does the DPO for a US company processing EU subject data have to be located in the EU?  Or can the DPO be the US company’s privacy officer? And when does the DPO have to register in the EU?

Data usage

I asked for my employer to cover the cost of an excursion and then I was accused of the exact number of days I was sick over 2.5 years and sent to three other people in the company. Question: Can he use this data at all to answer this request?
And who can get these sick days communicated?

Compliance checklist and mapping controls

Just need to ask about easily compliance checklist for GDPR, and it's mapping controls with PCI-DSS and ISO 27001

Parental information

We are a University and when prospective students signs up for an Open Day they can enter their parents contact information. When you click on the register on this link at the bottom you’ll see this message    
We want to use these parents email address for google display advertising to send them to our website. How can we do this? As they won’t necessarily be aware that their child has entered their email address.

Power of Attorney

Do you know about procedure of giving Power of Attorney from controller to processor, to transfer data outside EU on behalf of controller?