EU GDPR - Expert Advice Community


  • EU GDPR requirements

    I also have one more question concerning one of the EU GDPR requirements for businesses based outside the EU that provide some goods or services to EU residents: an EU representative in one of the Member States. I guess our Company falls under this requirement and we need to hire someone for this position. Our Company provides services for people from all EU Member States. The number of our users is quite dynamic, so today, for example, most of them are from Germany and after a few weeks from Italy. Could you please advise us in which Member State it is better to hire an EU representative in our case?
  • Cross border personal data transfer procedure

    I am having a hard time understanding the requirements for the cross-border personal data transfer procedure. If personal data is stored electronically, yet is only accessible within your organization, does that mean it falls under this policy? As an example, we have an HR system with information on UK employees. HR staff in the US can access this. However, the data is not being sent to a third party; it is all retained within our organization. Is this considered a cross-border transfer, or not?
  • Supplier Data Processing Agreements

    If we purchase subscription licenses (such as Microsoft Office 365 or a hosted phone system) from our managed services provider who is acting as the reseller, would we still need to have a Supplier Data Processing Agreement with Microsoft/the phone system vendor or does that responsibility fall on our managed services provider/reseller only?
  • Controller vs processor

    My company has insurance coverage for our employees (health insurance). I am wondering whether the insurance company is to be considered a controller or a processor.
  • Contracts and compliance with GDPR requirements

    1) Contracts are part of our business and we need to understand what to do with current active contracts. What will be the practical steps to bring contracts into compliance with GDPR requirements? Do we need to include data protection clauses in all contracts (including employment contracts with residents and non-residents of the EU)? In which cases may we not include such clauses (if possible)?
  • The GDPR “right to be forgotten”

    Our company acts as a data processor in the social care/health care sector in the UK/Ireland. Does the Data Privacy Act obligation of retention of data get overruled by the GDPR “right to be forgotten”? For example, if a social care services provider is retaining a person’s data for 10 years in line with the UK DPA 1988 and the person in June says they want to be forgotten, then what is the legal advice in the case of healthcare data for data controllers/data processors?
  • Privacy Notices

    Whilst I understand the need for a variety of privacy notices, is it not more practical to list ALL possible information that may be requested and state that only the minimum set of information, of the superset, will be requested for the specific interaction, contract or communication that is necessary to fulfill the obligations between the parties?
  • Call recording policy

    From what I am reading, if we are doing telephone call recording, we are required by law to have a call recording policy. I cannot seem to see one in the pack.
  • Indemnification clauses

    What if our suppliers don’t perform their work in a compliant way? We think there should be some penalties or liabilities if they don’t perform their work in a compliant way. As you know, being a data controller, xxx is at risk of being liable to pay the fine (up to a maximum of €20 million or 4% of global revenue/turnover per infraction) in some way if our suppliers don’t perform their work in a compliant way. So it is a must to have penalty or liability clauses somewhere on the suppliers. Am I right?
  • Retention period

    I have a question about retention periods in the EU (Norway). Our firm has developed a virtual assistant where we store all the customer conversations. The chat encourages the user not to state any personal information, but in the event that this happens we delete all the logs every 30 days. There is no way to track the user or identify their identity once it is saved. My question is: after a chat with another specialist, he told us that we have to store the chats for 12 months. But is it GDPR compliant to delete them every month instead, so we don't store more data than necessary? Or is there a part of the GDPR law that requires us to store it for 12 months in case any personal data would be included in one of the chats?