Good morning, I have a question about the personal and sensitive data within the GDPR. We are using Contact information like Name, Surname, Email, Telephone Number, Business Number and Address for the Contract Creation in B2B CRM system. The question is that in the big system it is very important to have all the history about the sales in one place, and not to be deleted at all. Could this personal information be changed to the client's ID, and in the future all the records will be stored just with the ID without name and other data?
Collecting personal data
1) Is it acceptable to collect personal data from professional social networks like LinkedIn for Sales/Marketing purposes?
DPO and Data Management
1) The first question is about the DPO contact details, which should be provided for the patient in the informed consent. Is this clearly regulated where those contact details should be listed? Can we add them in the text or should they be listed together with the Sponsor details?
GDPR - processor to controller
What documents must we, acting as a data processor, supply to the data controller so we can confirm our compliance with GDPR? And vice versa?
For the retention policy in the toolkit that is set to mandatory, can we change it to only apply to the retention period of personal information? Also the retention period for all this information is listed in the Inventory, will this be sufficient enough? Chapter 3.5 about routine disposal schedule, is it mandatory to keep this in the policy?
Data Breach Register
Where does the limit go for reporting to the authority about a data breach? For example, if a document containing personal data is found opened in the office, but it is an internal matter, are we obligated to report this to the authority or can we just keep a log internally? Is there any defined limit for this matter?
DPO Module 5: Basic Rules for DSAR
In this module, at the 1:20 mark or so in the video, Tudor outlines that the controller/processor must respond to the data subject within 30 days of receiving their request. I am unable to find this specific timeline in the GDPR Articles. Can you send me to the link where it specifies '30 days'?
Right to Be Forgotten/Erasure
If a data subject requests to be forgotten, however the retention period has been contractually defined between the processor and the controller as X years and the data subject consented to X years, do they have the right to be forgotten or simply to not be processed anymore based on withdrawal of their consent?
I have a question regarding the legitimate purposes and principles practice exam. There is a question that is as follows:
GDPR DPO Job Description
Regarding the conflict of interest clause in the DPO Job Description document, what options are there if the DPO holds another role at the company that does require him to determine the purposes or means of processing personal data? Would it satisfy GDPR requirements for him to sign an additional agreement ensuring that the responsibilities of that other function do not affect the carrying out of the DPO role?