EU GDPR - Expert Advice Community


  • Inventory of processing activities

    In 05.1 Guidelines for Data Inventory and Processing Activities the Inventory of processing activities is mentioned a lot. Document 05.2 the Appendix Inventory of Processing activities mentions that this inventory is for Controllers:
  • Lawful grounds for processing employee biometric data

    I am struggling with selecting and documenting a lawful basis for a special category of data that we capture. Your advice/input would be greatly appreciated. We have a clock-in/clock-out system that uses fingerprint recognition. This is linked to the payroll system. This system has been in operation for years, so it was introduced before GDPR. As this is biometric data and is classified as special data, it needs a lawful basis for processing under Article 6 and Article 9(2). However, the more I read about biometrics in the workplace, the more of a grey area it seems to be. The lawful basis for capturing special data (Article 9(2)) seems difficult to pinpoint for biometrics in the workplace. Consent does not seem to be an option, as employees have the right to object and would need an alternative method to fingerprint log-in. Another lawful basis would need to be selected, but I do not see the other options covering this. Perhaps 9(2)(b) suits best: "obligations and to exercise your rights or our rights under employment law, social security and social protection law;" but again I am unsure. Any assistance/clarity you could give on this would be of great help.
  • How to comply with EU GDPR as a data processor

    I would like to know how to comply with EU GDPR as a data processor when all processing takes place in the AWS Cloud. We are using AWS storage services, e.g. S3, EBS and RDS, and processing takes place in an EC2 instance.
  • Managing personal data

    Last week I was at a customer site to start the GDPR consultancy. I have collected some information from the customer, for example the process each department follows and how they manage personal data. Anyway, I have 2 questions:
  • Transfers of coded (pseudonymized) data from EU to US

    GDPR considers pseudonymized data as personal data, Privacy Shield is an accepted safeguard for data transfers to the US, but Privacy Shield states "A transfer from the EU to the United States of data coded in this way would not constitute a transfer of personal data that would be subject to the Privacy Shield Principles." I am not sure how to understand that.
  • Personal medical record

    I requested my personal medical record more than a month ago from an NHS Trust hospital. To this day I haven't received my medical records. I have also paid a £50 access fee to release my documents. What rights can I exercise in this situation? Is it true the trust should release all my health records within 30 days of the request?
  • Transfers of personal data

    1. If the controller (pharmaceutical company) is located in the US, and the joint controller (hospital) is in the EU sending health data (samples) to a lab (processor) in the US, who exactly should ensure safeguards for data transfers? In this case specifically, the controller signs a contract with the joint controller and with the processor; however, the joint controller is sending data directly to the processor.
  • Data processing agreement

    We are a company recruiting seafarers that we can use to supply a vessel that is required by our customers. We have customers who give us information on what position we need to fill. In this case, there is a scenario where we share the seafarers' information with our customers and we don't know if they are also sharing that information outside their company for whatever purposes. Our question is: do we need a data processing agreement with our customers, or should we be treated as two independent controllers, or what agreement should we use?
  • Checking the EU citizenship on a website

    A website that I have a user account on is requesting my full name, physical address, and a government-issued ID to verify that I am an EU citizen, just so they can honour my request to delete the account that I haven't used for a long time and won't use anymore. I already sent the request from the email address that is associated with the account. Can they really ask for more personal info and an ID?
  • Outside the EU

    I live in the U.S. I'm a very small affiliate marketer. I have no intention of targeting any citizen or subject of the EU in my marketing efforts. Do I need to worry about implementing GDPR? There is so much conflicting information.