Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Determining necessary security measures
1) From the role of DPO in a Spanish company (provider of Head Hunting and Personnel Search services) that has begun its adaptation to GDPR, how should the actions to be taken be planned in an orderly manner to determine the necessary security measures? , which guarantee the rights of users (candidates who apply for Internet searches and through forms/questionnaires to be completed on the institutional website of the Spanish company) and also the security of the information of their personal data (sensitive because they have health data)?
2) Would there be a document or article published on the Internet that has a mapping between what is required by GDPR and what is recommended by good practices: ISO 27001, ISO 27701, ISO 27002, ISO 27018?
-
GDPR applicability
Is GDPR applicable on companies that operates outside Europe for example KSA but the company might server European citizens resides there
-
Data Processing Questions
Firstly, do you offer a European Representative service? If yes, can you send me details of that please?
Secondly, I would like to clarify what is required on a Data Processor’s ‘Record of processing Activities’ form? I've been told by a few sources now that I have to include every client we provide processing services to, with Company Name, contact name, contact email and phone No… is this correct? We have thousands of customers!
If I must do that, then so be it, I will do it, I would just like to confidently confirm this is what I must do.
-
Email Marketing GDPR
I am looking for B2B partners and was wondering if it is permissible to email them.
-
GDPR Scope and applicability
We are a US based very small company (4-5 employees) and provide software for collecting data related to plant performance to plants based in US and EU both.
Now the only personal data we have in our cloud (365 office and outlook) are email id's and names of the employees of EU based plant workers. In some cases we have access to their offical phone numbers.
So yes we have what can categorize as personal data. But due to the limited customer information that we have would GDPR still apply to us ? and in this case would be act as a processor or controller of PI ?
-
General privacy policy/notice vs. entity-specific policy/notice
For a company that has subsidiaries with different processing, is it ideal for them to have a general privacy policy or notice or entity-specific ones?
-
GDPR intermediary
Hello. I have a question about Calendly type tools. These tools are intermediary software to make it possible to schedule an hour/a consultation of a client with a professional). The client reserves an hour through calendly leaving their name, email and other data. Calendly sends this data to the professional, but logically, it also saves it for its own reservation management. In this case, should calendly request express authorization from the client to store this data in its databases? Or should the professional be in charge of putting the fact that they share the data with calendly in their privacy policy? -
Laboratory space
Hello, I have a quick question about video surveillance in the workplace. My employer has installed 2 cameras on the area mentioned. No information was given to the employees in advance. When I asked, I got the following answer: "The video material is not recorded and access is password protected and is only intended to support the fire brigade in the event of a fire alarm" Is that enough justification? I would be very happy about a short feedback. -
Doubts about ODPR or GDPR
Would you like to know if the company has the right to have a list with all the passwords of the employees to access their computers? If somewhere in the LOPD or the RGPD, it is indicated that the Data Protection Delegate must have said list to be able to access the equipment in the case of not being an employee. What I comment below is my thought but not knowing all the obligations of the LOPD or the RGPD I am the IT manager of the company and it is the first time that I come across this indication in my entire professional career. Knowing computer systems, I think that this goes against any computer security scheme and protocol, so it seems strange to me that this is the case. I also find it strange because of the following: A multinational like Repsol, if the users have to change the password every 6 months. That you have to communicate your password to the data protection officer…. If all the companies had to have that list, as I have been told, I don't think I know if there would be any company that complied with the LOP or the RGPD -
Split between EU GDPR and UK GDPR
"I am considering purchasing a pack but given the split with EU GDPR and UK GDPR, I am questioning it. I also understand that there is not a lot of change in the UK GDPR against the EU GDPR so could do slight amendments accordingly eg reference to the UK GDPR legislation, what are you thoughts?