I have a question about retention periods in the EU (Norway). Our firm has developed a virtual assistant where we store all the customer conversations. The chat encourages the user not to state any personal information, but in the event that this happens we delete all the logs every 30 days. There is no way to track the user or identify their identity once it is saved. My question is this: after a chat with another specialist, he told us that we have to store the chats for 12 months. But is it GDPR compliant to delete them every month instead, so that we don't store more data than necessary? Or is there a part of the GDPR law that requires us to store it for 12 months in case any personal data is included in one of the chats?
Standard Contractual Clauses
I have a question about what detail to include in Appendix 2 of the Standard Contractual Clauses. How much detail is required when providing a "Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached)"?
Data processor
We are a data processor under the GDPR. Can you please advise how relevant your GDPR templates are for us, as they appear to be designed for Data Controllers?
Privacy Notices
1. We are screen grabbing comments from Facebook and sending them to clients, which includes names/comments of other Facebook users. We use these in our reports and send them to clients. Are we still able to do this?
Standard list of types of personal data
We were wondering if there is a standard list of types of personal data; we have a list from a customer that defines 9 types including "Financial Data" and "Employment Details" etc. Also, is there a standard list of Categories of Data Subject? Again, we have a list of 9 from a customer including "Agents and Contractors" and "Suppliers" etc.
Process for changing purpose
Where a new, and formerly not envisaged, purpose for using previously collected data is defined, and where the original purpose was covered by a "blanket" legal ground such as "legitimate interest" and so is the new purpose, is it still required to acquire consent from the data subjects (as suggested in the template Privacy Policy)? Or would an update to the Privacy Notice for the particular processing activity be sufficient?
Data processors
Is there a version of the GDPR document package, or additional documents, that is intended for data processors? I purchased the original EU_GDPR_Documentation_Toolkit, but I really only see documents for data controllers.
Company data
We have already resolved the question about customers in a B2B environment, but why doesn't the "customers' employees" category appear in the scope? What is the difference between "customers" and "suppliers" from the point of view of their employees?
DPIA
1. How do we conduct a PIA or DPIA?
EU GDPR document
In document 6.2 the title reads "Standard contractual clauses for the transfer of personal data from the Community to third countries (controller to controller transfers)". "The Community" would appear to need to be changed to "Company". Please can you confirm?