By the way, from your experience, which of the policies and GDPR documents in this toolkit need a legal review once completed?
Data Transfer Agreement
We are a small-sized processing company based in Switzerland, using suppliers/co-processors in the EU. I am going through the GDPR for DPO training and want to quickly check my understanding. Am I right to assume that for EU suppliers we do not need a change of contract (relating to data transfer), whereas if we had suppliers from the US, for example, we would need to formalize the data transfer in the form of a contract?
Tool to calculate the gap with the GDPR
Could you tell me whether you have any tool that calculates the gap with the GDPR?
Combining DPO and ISO role
I am curious to know what your opinion is about combining the Data Protection Officer and Information Security Officer roles in small to medium companies. Is this a good idea, or not, and why?
CROSS BORDER PERSONAL DATA TRANSFER PROCEDURE
I've started reading through the 27k/GDPR combined document set. I noticed that in A.13 CROSS BORDER PERSONAL DATA TRANSFER PROCEDURE, in the body the document is referred to as "this policy", whereas the title is "...procedure". Is this a mistake, or do you intend to use policy and procedure interchangeably?
Company data vs. personal data
Considering a company that does not work with end customers (a B2B company), i.e. whose customers are other companies, I wanted to ask whether the information becomes useless, as the customer data in this case are outside the perimeter of the GDPR, not being personal data of individuals?
EU GDPR obligations
My company's software is used in the medical field. Our clients use it in the cloud (SaaS). They are mostly healthcare facilities, and their patients' data is stored in our software/application. To comply with the GDPR, our company just has to ensure the security of the information system, correct? So data encryption, data access policies, etc.?
GDPR: Right to be forgotten and backups
We have backups of our data. Some are manual and some are automatic. Some are kept securely in the cloud, and some are kept securely on tape in a bank vault. Deleting personal data from these backups will be virtually impossible. What is possible is, for example, to have a procedure that says that if we need to restore any backups, we will make sure that we don't restore (or immediately delete) any personal data that would have been deleted in our production systems due to the ordinary data retention policy.
Privacy Statement
Our sites are looked after by Safenames. Must the privacy statement show the actual owner, and what if the owner is an individual, or the company is owned by a holding company? The other thing we are looking for is a simple statement for sites that do not collect any data of any kind.
Starting with the documentation
Can you please advise on the best way to get started? Is it to just start filling out the project plan and then go from there?