EU GDPR - Expert Advice Community




  • Erasure request refusal

    Hello, I have contacted a company that manages a messaging app I used in the past to request information about exercising my right to erasure (Article 17(1) GDPR), since they say they're GDPR compliant. In particular, my question to them was about having my messages/posts (private and public) deleted when they close my account. They say they would refuse to delete these messages, since they argue that would interfere with other users' right to free expression and information (Article 17(3)(a)), as there would be gaps in the conversations potentially leading to misinterpretations or the lack of important context. My questions to you are: 1. are the messages and posts I sent through the app considered personal data under GDPR to the extent that the app would have to delete them under request? 2. is the exception in Article 17(3)(a) a valid ground for refusing this request in this case? Thank you very much for your attention.
  • GDPR and drones

    Hi! I am interested in the rules regulating GDPR and drone usage. I am a researcher working with European projects. Are there any documents you could suggest? Thank you very much.
  • Transfer impact assessment

    Appreciate your support to answer the below questions related to transfer impact assessment: 1. Who should create the data transfer impact assessment, the controller or the processor? 2. Is there any available transfer impact assessment template for the processor? 3. Where can I find the updated version of the controller-processor SCCs?
  • Binding Corporate rules

    Appreciate your support to answer the below questions: 1. If a company based in a non-European country wants to transfer European data to a non-European country, what are the GDPR requirements? 2. Does a company need to create binding corporate rules if it has only one branch? 3. Are there any available binding corporate rules approved by authorities to be followed?
  • Cold Email

    Hello, is it GDPR compliant to send someone a cold email despite not having their consent to email them, if it is for a legitimate reason?
  • Appointing a representative

    I am the sole proprietor of a US company (data controller) providing freelance translation services to customers in a few EU States. I was informed by a GDPR representative company that I needn't appoint a representative. However, as I understand it, if there is a breach involving the data of a data subject located in the EU, I must contact the supervisory authority. Must I contact the authority only in the state where the breach occurred, or do I have to contact every member state in which I operate?
  • Appendix 1 – List of Legal, Regulatory, Contractual and Other Requirements

    As a SaaS provider located in Europe, the main regulation we have to comply with is GDPR. In the table listing all requirements, does it mean that: 1) I have to add a specific line based on our customers' locations, or is it based on our SaaS infrastructure location(s)? 2) I have to add a specific line per GDPR topic (like each specific user's right)? If this is the case, I suppose your GDPR toolkit would help me fill in this document?
  • Proactively applying for GDPR compliance

    Do we have to proactively apply for GDPR compliance by proving that we are compliant, or should we make our product compliant without showing it to any authority?

    In short, is it enough if I follow the guidelines and make the changes, or will I have to apply/show it to some authority?

  • Questions for DPIA

    1) Do we have to perform a DPIA for all our processing activities, or only for some of them? If only for some of them, what are the criteria to distinguish for which activities to perform the DPIA? Is this covered in some of the documents in your GDPR Toolkit? 2) If we have a data breach, do we have to report each data breach to the supervisory authority? If not, what are the criteria to distinguish between the breaches we need and do not need to report? Is this covered in some of the documents in your GDPR Toolkit?
  • Questions for GDPR

    I'm wondering if you could help me out with a couple of questions related to GDPR and controllers? Our company has clients who have personal data that our system collects from their employees and visitors to their premises. The clients have access to the data that our system collects. We (the company) determine the why and how data is collected, however the clients can see the data and even create reports from the personal data. Is this considered a controller to controller relationship, or would it be a controller to processor relationship? (i.e. is the client a controller because they are collecting personal data from employees and visitors?) A second question we have is related to standard contractual clauses. Personal data that our clients collect is transferred to our servers located in Canada. Are SCCs required for the transfer of personal data from the EU/EEA to us for processing?