Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
GDPR Questions
- Advisera docs Footer and Change record – do we have to keep the Advisera wording on all docs?
- Client data – How long can we keep data? 6 years +1 from collection date or when client has left then 6+1
- Confirm BtoB data is still governed the same way as BtoC – PII
- Back Ups on Tape Drives and SAR requests – where do we stand?
- If a client asks to see our policies can\should we hand them over? Incident log, do we have to show that if asked?
- Clarify medical data in ***, we don’t collect it, but customer could upload it, what are the implications for us as Processor?
-
GDPR Query
We are onboarding a new third party vendor tool which will store our EU customer's data in AWS US. The Vendor is refusing to sign DPA and SCCs with justification as the contract value is very less vendor's legal team won't sign the document. What should we do in this scenario? -
Data Protection Addendum and Standard contractual clauses
Hi Everyone, I have the below queries when it comes to signing of DPA and SCCs 1. In which scenarios do we sign a Data protection addendum(DPA) and standard contractual clauses(SCC) with the vendor? For e.g. there is a scenario where we will be sharing our European customer PII data with the vendor and the vendor will be storing that data in a non-EU region. In this case, we sign DPA and SCC with the vendor. What are the other scenarios where we sign DPA and SCCs with vendors? -
GDPR compliance for B2B software applications
Do you have any info for GDPR compliance for B2B software applications (where I think we are the processors and our clients are the controllers)? Most of what I find online is focused on compliance for marketing emails -
Internal audit of management systems and GDPR
I have an inquiry regarding the conduct of reporting internal management systems and the GDPR. In our internal audit reports of our management system, we include the names and position of the audit participants. Will this pose a breach in the GDPR? Also, part of the report, as an attachment, is the attendance list containing the names and positions. Is this also a breach as per GDPR? -
Questions about CCTV in GDPR
- Is it correct if I mention in DPIA two data collection reasons for the CCTV: facility intrusion detection and labor discipline?
- What is the size of the CCTV sign inside the office and outside premises should be?
- There is CCTV in the office with no automated processing. Sometimes there are kids visiting the office. Do I need to mention about the kids' data in recordings?
-
Data Subject Access Request
We have had a Subject Access Request from an ex-employee. I would like to know what data exactly I need to send and what do I need to dedact from the data that we send out? The user has only been with us for a few months, so mainly Teams messages and emails. There will be other usernames and Client names in the mix, do we need to dedact them all? I have the data from ***, but need to run through it now and send out by the end of the month. -
GDPR applicability
Hey,
So if we are a non-EU based organization and offer products/services (not SAAS) to a few EU based companies (not all customers in EU) would GDPR apply to us ?
Especially if we maintain EU-customer information like email, address and phone number ?
-
Question about privacy notification
I want your help if you can help I will be a pleasure This is a detailed question and it is not possible for me to find the answer by browsing the websites on the internet or I am not sure for to aplly them. I'm doing an internship right now. My question is: There are two companies A Company and B company A company uses B company's product/ service. B company has two websites: X website is a normal website - ever people can reach out it and a different interface is Y that is only for its users who log in with this page to use the service. For to log in and use the service , the two companies have to make a contract. Now, B company has privacy policy on X website but does this privacy policy covers to Y interface ? or does the company has to put also on Y website privacy notification to login form? The functions of the visitor visiting a web page and the user are different. GDPR says inform everyone and get their consent, while it is possible to do this for visitors, what will be the method for users? Company A determines the people who will use the service of company B and it gives authorization. In this case, is company B obliged to separately inform the users authorized by company A? If yes,at where will it inform? Is it in the customer contract? Or will the privacy policy on the website suffice? I'm asking this because my manager is asking that there should be a notification on the page where user use their service log in? The source of this problem is: Even though companies have privacy policies on their websites, there is still a note on the collection and storage of information in the demo request form section. So, an information note is being considered again, is it necessary to apply this logic for the user as well? Sorry for taking so long to explain the question. I would be glad if you help. -
DPO and GDPR flowchart
1. Do you have a flowchart diagram for GDPR implementation similar to the one attached to this email (for ISO 27K1) ? 2. I am working for a firm which does not perform a lot of personal data processing and hence, does not need a DPO. In the toolkit what or who should I replace DPO with? as the DPO role is used all across the toolkit.