I've started reading through the 27k/gdpr combined doc set. I noticed in A.13 CROSS BORDER PERSONAL DATA TRANSFER PROCEDURE that in the body the document is referred to as "this policy", whereas the title is "...procedure". Is this a mistake, or do you intend to use policy and procedure interchangeably?
Company data vs. personal data
Considering a company that does not work with end customers (a B2B company), i.e. whose customers are other companies, I wanted to ask if the information becomes useless, as the customer data in this case are outside the perimeter of the GDPR, not being personal data of individuals?
EU GDPR obligations
My company's software is used in the medical field. Our clients use it in the cloud (SaaS). They are mostly healthcare facilities, and their patients' data is stored in our software/application. To comply with the GDPR, our company just has to ensure the security of the information system, correct? So data encryption, data access policies, etc.?
GDPR: Right to be forgotten and backups
We have backups of our data. Some are manual and some are automatic. Some are kept securely in the cloud, and some are kept securely on tape in a bank vault. Deleting personal data from these backups will be virtually impossible. What is possible is, for example, to have a procedure that says that if we need to restore any backups, we will make sure that we don't restore (or immediately delete) any personal data that would have been deleted in our production systems due to the ordinary data retention policy.
Our sites are looked after by Safenames. Must the privacy statement show the actual owner, and what if the owner is an individual or the company is owned by a holding company? The other thing we are looking for is a simple statement for sites that do not collect any data of any kind.
Annex 3 - Supplier Data Processing Agreement
Does anyone know what annex 3 is used for?
Starting with the documentation
Can you please advise on the best way to get started? Is it to just start filling out the project plan and then go from there?
GDPR compliance for possible new start up business
I need to find out if I can legally start up a trade only database which will hold the names and addresses of individuals?
GDPR Article 27
GDPR Article 27: Representatives of controllers or processors not established in the Union. I looked through the list of documents in the GDPR toolkit we purchased, and nothing is jumping out at me as to which document I should use to document our Article 27 requirements. Can you point me in the right direction?
Lead generation service
We use a lead generation service, which collects data on hot leads and sends them to us. Would we be required to issue our privacy notice to the data subject when they have agreed to have their details sent to us, or should the fact that the details are sent to us be covered in the privacy notice of the lead generator?