Does risk assessment and treatment according to ISO 27001 address a Data Protection Impact Assessment (DPIA) requirement? What is the difference between these two?
Right to Erasure
Hi, I work for a cloud hosting provider, and I have a question related to the right of erasure. Our users rent server space from us, and upload their own data to the servers to complete tasks. We do not directly collect this data from them, but we do take necessary measures to backup their data and to ensure they are protected against data loss while they are paying for the services. So we have two data stores: the customer's server account, and the backup of the customer's server account. Under the GDPR, are we obligated to erase this data if a customer requests it? We did not explicitly request this data from the customer, and we do not process it in any way, other than preserving the data on the server and backups.
1. Can a DPO have another role in the company except this one?
2. Can a DPO be an external consultant/contractor?
Available state statistics
Can State institutions make available statistics on small numbers of persons by nationality, if it is a small state and there is a risk of being identified?
Criteria to distinguish between deleting and not deleting data
We are a processor of personal data; some of this data is anonymized and some is not. If the controller forwards us a request to delete the data of a particular data subject, do we also need to delete the anonymized data? What are the criteria to distinguish clearly between the data we need to delete and the data we do not need to delete?
Consulting clients who must be GDPR compliant.
We are a media advertising company located in the U.S. Our clients are pharmaceutical companies marketing in both the US and the EU. We do not control or process EU citizen data, but our clients do. Therefore, they need to be GDPR compliant. What steps can WE take to best consult/advise our clients on GDPR issues? Appointing a Data "privacy" officer or GDPR manager seems like overkill.
Privacy by design and privacy by default
Although I have 25 years’ experience as a consultant, trainer and auditor in the field of ISO management systems, I have thoroughly enjoyed the above webinar; very clear texts and explanations meeting my expectations!
I have one question related to privacy by design and privacy by default; this was already bothering me when I followed training regarding GDPR: although it may be my fault, it is still not clear to me what the exact difference(s) is/are between the two approaches. Perhaps some example could highlight the differences.
Does Zoom need to be considered as a processor
If personal data is visible during a Zoom call (e.g. a screen is shared with personal data on it, or personal data is mentioned verbally), but the personal data is not copied and pasted as textual data in Zoom and the Zoom call is not recorded, does Zoom need to be considered a processor?
EU GDPR questions
1. If a company based in a non-European country wants to transfer European data to a non-European country, what are the GDPR requirements?
2. Does a company need to create binding corporate rules if it has only one branch?
3. Are there any available binding corporate rules approved by authorities that can be followed?
4. Who should create the data transfer impact assessment, the controller or the processor?
5. Is there any available transfer impact assessment template for processors?
6. Where can I find the updated version of the controller-processor SCCs?
For our small supermarket we would like to put out pre-order slips for the holidays. The name, phone number and email address of the customer are recorded on the slip and are only used to process the order.
What do we have to write on the slip regarding data protection?
Thank you very much in advance and best regards