Hello, I have a quick question about video surveillance in the workplace. My employer has installed 2 cameras on the area mentioned. No information was given to the employees in advance. When I asked, I got the following answer:
"The video material is not recorded and access is password protected and is only intended to support the fire brigade in the event of a fire alarm"
Is that enough justification?
I would be very grateful for some brief feedback.
Doubts about LOPD or GDPR
I would like to know whether the company has the right to keep a list of all the employees' passwords for accessing their computers.
Also, whether anywhere in the LOPD or the RGPD it is stated that the Data Protection Officer must have such a list in order to be able to access the equipment in the event that the person is no longer an employee.
What I describe below is my own view, without knowing all the obligations of the LOPD or the RGPD.
I am the IT manager of the company and it is the first time that I come across this indication in my entire professional career. Knowing computer systems, I think that this goes against any computer security scheme and protocol, so it seems strange to me that this is the case.
I also find it strange because of the following:
Take a multinational like Repsol, where users have to change their password every 6 months: you would have to communicate your password to the data protection officer every time....
If all companies had to keep that list, as I have been told, I doubt there is a single company that complies with the LOPD or the RGPD.
Split between EU GDPR and UK GDPR
I am considering purchasing a pack but, given the split between the EU GDPR and the UK GDPR, I am questioning it. I also understand that there is not a lot of change in the UK GDPR compared with the EU GDPR, so I could make slight amendments accordingly, e.g. references to the UK GDPR legislation. What are your thoughts?
Change of GDPR document
I need to update my original GDPR documents from 2018. Do you have a cheat sheet of the changes or amendments, please?
Advisera docs Footer and Change record – do we have to keep the Advisera wording on all docs?
Client data – how long can we keep data? 6 years + 1 from the collection date, or 6 + 1 from when the client has left?
Confirm that B2B data is still governed the same way as B2C – PII.
Backups on tape drives and SAR requests – where do we stand?
If a client asks to see our policies, can/should we hand them over? Incident log: do we have to show that if asked?
Clarify medical data in ***, we don’t collect it, but customer could upload it, what are the implications for us as Processor?
We are onboarding a new third-party vendor tool which will store our EU customers' data in AWS US. The vendor is refusing to sign a DPA and SCCs, with the justification that, as the contract value is very low, the vendor's legal team won't sign the documents. What should we do in this scenario?
Data Protection Addendum and Standard contractual clauses
I have the following queries about the signing of DPAs and SCCs:
1. In which scenarios do we sign a Data Protection Addendum (DPA) and Standard Contractual Clauses (SCCs) with a vendor?
For example, there is a scenario where we will be sharing our European customers' PII with the vendor and the vendor will be storing that data in a non-EU region. In this case, we sign a DPA and SCCs with the vendor.
What are the other scenarios in which we sign DPAs and SCCs with vendors?
GDPR compliance for B2B software applications
Do you have any info for GDPR compliance for B2B software applications (where I think we are the processors and our clients are the controllers)? Most of what I find online is focused on compliance for marketing emails