The paragraph in Document 04.2 deals with establishing a lead supervisory authority. If a client from another country uses our server that is located in the Netherlands (in a facility of our supplier) to run the software they have a subscription for from us, that can be deemed a processing activity because the database contains personnel and clients' (of clients) data. We do not manipulate data other than updating our software.
Inventory of processing activities
In 05.1 Guidelines for Data Inventory and Processing Activities, the Inventory of processing activities is mentioned a lot. Document 05.2, the Appendix Inventory of Processing Activities, mentions that this inventory is for Controllers:
Lawful grounds for processing employee biometric data
I am struggling with selecting and documenting a lawful basis for a special category of data that we capture. Your advice/input would be greatly appreciated. We have a clock in / clock out system that uses fingerprint recognition. This is linked to the payroll system. This system has been in operation for years, so it was introduced before GDPR. As this is biometric data and is classified as special data, it needs a lawful basis for processing under Article 6 and Article 9(2). However, the more I read about biometrics in the workplace, the more of a grey area it seems to be. The lawful basis for capturing special data (Article 9(2)) seems difficult to pinpoint for biometrics in the workplace. Consent does not seem to be an option, as employees have the right to object and would need an alternative method to fingerprint log-in. Another lawful basis would need to be selected, but I do not see the other options covering this. Perhaps 9(2)(b) suits best: "obligations and to exercise your rights or our rights under employment law, social security and social protection law;" but again I am unsure. Any assistance/clarity you could give on this would be of great help.
How to comply with EU GDPR as a data processor
I would like to know how to comply with EU GDPR as a data processor when all processing takes place in the AWS Cloud. We are using AWS storage services, e.g. S3, EBS and RDS, and processing takes place in EC2 instances.
Managing personal data
Last week I was at a customer site to start the GDPR consultancy. I have collected some information from the customer, for example the processes each department carries out and how they manage personal data. Anyway, I have 2 questions:
Transfers of coded (pseudonymized) data from EU to US
GDPR considers pseudonymized data as personal data, Privacy Shield is an accepted safeguard for data transfers to the US, but Privacy Shield states "A transfer from the EU to the United States of data coded in this way would not constitute a transfer of personal data that would be subject to the Privacy Shield Principles." I am not sure how to understand that.
Personal medical record
I requested my personal medical record more than a month ago from an NHS Trust hospital. Until today I haven't received my medical records. I have also paid a £50 access fee to release my documents. What rights can I exercise in this situation? Is it true the trust should release all my health records within 30 days of the request?
Transfers of personal data
1. If the controller (pharmaceutical company) is located in the US, and the joint controller (hospital) is in the EU sending health data (samples) to a lab (processor) in the US, who exactly should ensure safeguards for data transfers? In this case specifically, the Controller signs a contract with the joint controller and with the processor; however, the joint controller sends data directly to the processor.
Data processing agreement
We are a company recruiting seafarers whom we can use to supply a vessel that is required by our customers. We have customers who give us information about what position we need to fill. In this case, there is a scenario where we share the seafarers' information with our customers, and we don't know if they are also sharing that information outside their company for whatever purposes. Our question is: do we need a data processing agreement with our customers, or should we be treated as two independent controllers, or what agreement should we use?
Checking the EU citizenship on a website
A website that I have an account on is requesting my full name, physical address, and a government-issued ID to verify that I am an EU citizen, just so they can adhere to my request to delete the account that I haven't used for a long time and won't even use anymore. I was already sending the request from the email address that is associated with the account. Can they really ask for more personal info and an ID?