Under the pre-GDPR legislation in relation to a financial institution, data of a financial nature was defined as any name, account number, credit card number, that could be used to identify an individual, and any unauthorized disclosure was deemed to be a reportable breach. That same definition is omitted from 2018 GDPR legislation. Is such a breach no longer deemed to be reportable? Many thanks for your time and expertise.
Register of Data Subject Access Requests
Please let me know for how long we should keep the Register of Data Subject Access Requests.
Consent
Is consent the only lawful basis we can use regarding mailing lists? Do they have to have the option to opt in to receive emails?
Laws and regulations
In the documents, I see repeated reference to the below. Please provide us with this information for the Netherlands in English. Many thanks!
Most important documentation
What is the most important documentation that a school should have in compliance with GDPR?
School mailing list
Is it necessary to have an opt out option for parents from the mailing lists we have as a school?
Keeping data in hard copy
At the moment we store all our data in hard copy, then all this hard copy documentation is scanned to make an electronic backup. The question is do people have to store hard copy paper documents to comply with GDPR or can we have to electronic storage facilities and destroy the original hard copy?
GDPR processor compliance
My question is as a data processor, what specific steps do we need to take in order to be GDPR compliant? Is it as simple as a privacy policy that addresses what we store, how long, and how to have us remove the data?
Sending marketing emails
Can we consider the sending of digital newsletters for marketing purposes as legitimate interests of hoteliers?
Cross Border Data Transfers
While we don't deal with companies outside the UK in the general sense, we do have employee personal data stored in places such as online accounting systems (Xero), online HR system (PeopleHR) etc. Having checked the Privacy Policies on their websites I can see that our data may be processed in the likes of New Zealand and the US. Does this qualify under the Cross Border Data Transfers and if so how do we proceed in terms of agreements? Do we need to get them to sign a data transfer agreement?