EU GDPR - Expert Advice Community

  • Internal audit of management systems and GDPR

    I have an inquiry regarding the reporting of internal management system audits and the GDPR. In the internal audit reports of our management system, we include the names and positions of the audit participants. Will this pose a breach of the GDPR? Also, part of the report, as an attachment, is the attendance list containing names and positions. Is this also a breach as per the GDPR?
  • Questions about CCTV in GDPR

    1. Is it correct if I mention in DPIA two data collection reasons for the CCTV: facility intrusion detection and labor discipline?
    2. What should the size of the CCTV sign inside the office and outside the premises be?
    3. There is CCTV in the office with no automated processing. Sometimes there are kids visiting the office. Do I need to mention the kids' data in the recordings?
  • Data Subject Access Request

    We have had a Subject Access Request from an ex-employee. I would like to know exactly what data I need to send and what I need to redact from the data that we send out. The user has only been with us for a few months, so it is mainly Teams messages and emails. There will be other usernames and client names in the mix; do we need to redact them all? I have the data from ***, but need to run through it now and send it out by the end of the month.
  • GDPR applicability

    So if we are a non-EU based organization and offer products/services (not SaaS) to a few EU based companies (not all customers are in the EU), would the GDPR apply to us?

    Especially if we maintain EU customer information like email, address and phone number?

  • Question about privacy notification

    I would be grateful if you can help. This is a detailed question, and it is not possible for me to find the answer by browsing websites on the internet, or I am not sure how to apply them. I'm doing an internship right now. My question is: there are two companies, Company A and Company B. Company A uses Company B's product/service. Company B has two websites: website X is a normal website that everyone can reach, and a different interface, Y, is only for its users, who log in on that page to use the service. To log in and use the service, the two companies have to make a contract. Now, Company B has a privacy policy on website X, but does this privacy policy cover the Y interface? Or does the company also have to put a privacy notification on the login form of website Y? The functions of a visitor visiting a web page and of a user are different. The GDPR says to inform everyone and get their consent; while it is possible to do this for visitors, what will be the method for users? Company A determines the people who will use the service of Company B and gives them authorization. In this case, is Company B obliged to separately inform the users authorized by Company A? If yes, where will it inform them? In the customer contract? Or will the privacy policy on the website suffice? I'm asking this because my manager is asking whether there should be a notification on the page where users log in to use the service. The source of this problem is: even though companies have privacy policies on their websites, there is still a note on the collection and storage of information in the demo request form section. So, an information note is being considered again; is it necessary to apply this logic for the user as well? Sorry for taking so long to explain the question. I would be glad if you could help.
  • DPO and GDPR flowchart

    1. Do you have a flowchart diagram for GDPR implementation similar to the one attached to this email (for ISO 27K1)?
    2. I am working for a firm which does not perform a lot of personal data processing and hence does not need a DPO. In the toolkit, what or who should I replace the DPO with, as the DPO role is used all across the toolkit?
  • Use of SCCs and TOMs

    I have an EU customer requesting that we add SCCs to our DPA. We are a company located in the US but have an EU instance on which all EU data is stored. None of the data in the application (email and IP address) is transferred across borders. EU data is stored on GCP in ***. The customer is asking that we add SCCs as an appendix to our DPA (which is OK if it makes them feel better). However, they are asking us to also include TOMs, all of which are described in detail in our SOC 2 report, and we are ISO 27701 certified. Are the TOMs mandatory, since technically the SCCs are not, as no data is transferred and we are just adding the SCCs to make this customer happy?
  • Data controllers

    My question is very specific about how to determine who is a 'data controller'. I have a project where some entities only receive questionnaires (containing personal data) from people who participate and then send them to other entities for evaluation. At first I had considered them 'data controllers', but since they only receive the questionnaires, without being able to see their content, nor do they dictate the reason for their processing or how it is done, I am not sure if I should consider them as such.
  • EU GDPR Status

    I purchased the exam for GDPR DPO almost 7 months ago. I wish to restart the training and write the exam this month. Please advise as to whether the training is aligned with ALL of the developments in the EU GDPR over the past 7 months. Can I restart the course from Module 1 with assurance that it is current and relevant?
  • EU - Representative

    Do you all have a group that would serve as a European Representative for a US company doing business in Europe as a GDPR data processor? Also, with the news on Friday that the US and EU have agreed to allow data to be stored on US soil, does that mean that European patient data can be hosted on AWS platforms in the USA, without needing an AWS platform in the EU?