My company's software is used in the medical field. Our clients use it in the cloud (SaaS). They are mostly healthcare facilities, and their patients' data is stored in our software/application. To comply with the GDPR, our company only has to ensure the security of the information system, correct? So data encryption, data access policies, etc.?
GDPR: Right to be forgotten and backups
We have backups of our data. Some are manual and some are automatic. Some are kept securely in the cloud, and some are kept securely on tape in a bank vault. Deleting personal data from these backups will be virtually impossible. What is possible is, for example, to have a procedure that says that if we need to restore any backups, we will make sure that we don't restore (or immediately delete) any personal data that would have been deleted in our production systems under the ordinary data retention policy.
Our sites are looked after by Safenames. Must the privacy statement show the actual owner, and what if the owner is an individual or the company is owned by a holding company? The other thing we are looking for is a simple statement for sites that do not collect any data of any kind.
Annex 3 - Supplier Data Processing Agreement
Does anyone know what annex 3 is used for?
Starting with the documentation
Can you please advise on the best way to get started? Is it to just start filling out the project plan and then go from there?
GDPR compliance for possible new start up business
I need to find out whether I can legally start up a trade-only database which will hold the names and addresses of individuals.
GDPR Article 27
GDPR Article 27: Representatives of controllers or processors not established in the Union. I looked through the list of documents in the GDPR toolkit we purchased and nothing is jumping out at me as to which document I should use to document our Article 27 requirements. Can you point me in the right direction?
Lead generation service
We use a lead generation service, which collects data on hot leads and sends them to us. Would we be required to issue our privacy notice to the data subject when they have agreed to have their details sent to us, or should the fact that the details are sent to us be in the privacy notice of the lead generator?
Consent under the EU GDPR
I have a doubt regarding marketing activities and my database of clients. I have consent under the DPA and the PECR, so in many cases it is not compliant with GDPR rules. Would it be valid to inform my clients properly and then include an opt-out option, or do I have to re-consent? In that case, will I lose my portfolio of clients? Can you give me some advice or guidelines on how I should approach this task with marketing departments?
Integrity, responsibility and security of the data systems
What tools do you recommend implementing to guarantee the integrity, responsibility and security of the data systems?