Our company acts as data processor in the social care/health care sector in the UK/Ireland. Does the Data Privacy Act obligation of retention of data get overruled by the GDPR “right to be forgotten” – for example, if a social care services provider is retaining a person’s data for 10 years in line with the UK DPA 1988 and the person in June says they want to be forgotten, then what is the legal advice in the case of healthcare data for data controllers/data processors?
Whilst I understand the need for a variety of privacy notices, is it not more practical to list ALL possible information that may be requested and state that only the minimum set of information, of the superset, will be requested for the specific interaction, contract or communication that is necessary to fulfill the obligations between the parties?
Call recording policy
From what I am reading, if we are doing telephone call recording, we are required by law to have a call recording policy. I cannot seem to see one in the pack.
What if our suppliers don’t perform their work in a compliant way? We think there should be some penalties or liabilities if they don’t perform their work in a compliant way. As you know, being a data controller, xxx is at risk of being liable to pay the fine (up to a maximum of €20 Million or 4% global revenue/turnover per infraction) in some way if our suppliers don’t perform their work in a compliant way. So it is a must to have penalty or liability clauses somewhere on the suppliers. Am I right?
I have a question about retention periods in the EU (Norway). Our firm has developed a virtual assistant where we store all the customer conversations. The chat encourages the user not to state any personal information, but in the event that this happens we delete all the logs every 30 days. There is no way to track the user or identify their identity once it is saved. My question is, after a chat with another specialist, he told us that we have to store the chats for 12 months. But is it GDPR compliant to delete them every month instead, so we don’t store more data than necessary? Or is there a part of the GDPR law that requires us to store it for 12 months in case any personal data would be included in one of the chats?
Standard Contractual Clauses
I have a question about what detail to include in Appendix 2 of the Standard Contractual Clauses. How much detail is required when providing a “Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached)”?
We are a data processor under the GDPR. Can you please advise how relevant your GDPR templates are for us, as they appear to be designed for Data Controllers?
1. We are screen-grabbing comments from Facebook and sending them to clients; these include names/comments of other Facebook users. We use these in our reports and send them to clients. Are we able to still do this?
Standard list of types of personal data
We were wondering if there is a standard list of types of personal data; we have a list from a customer that defines 9 types, including “Financial Data” and “Employment Details” etc. Also, is there a standard list of Categories of Data Subject? Again, we have a list of 9 from a customer, including “Agents and Contractors” and “Suppliers” etc.
Process for changing purpose