EU GDPR - Expert Advice Community

  • Appointing a representative

    I am the sole proprietor of a US company (data controller) providing freelance translation services to customers in a few EU States. I was informed by a GDPR representative company that I needn't appoint a representative. However, as I understand it, if there is a breach involving the data of a data subject located in the EU, I must contact the supervisory authority. Must I contact the authority only in the state where the breach occurred, or do I have to contact every member state in which I operate?
  • Appendix 1 – List of Legal, Regulatory, Contractual and Other Requirements

    As a SaaS provider located in Europe, the main regulation we have to comply with is GDPR. In the table listing all requirements, does it mean that: 1) I have to add a specific line based on our customers' locations or is it based on our SaaS infrastructure location(s)? 2) I have to add a specific line per GDPR topic (like each specific users' right)? If this is the case, I suppose your GDPR toolkit would help me fill in this document?
  • Proactively applying for GDPR compliance

    Do we have to proactively apply for GDPR compliance by proving that we are compliant, or should we make our product compliant without showing it to any authority?

    In short, is it enough if I follow the guidelines and make the changes, or will I have to apply/show it to some authority?

  • Questions for DPIA

    1) Do we have to perform a DPIA for all our processing activities, or only for some of them? If only for some of them, what are the criteria to distinguish for which activities to perform the DPIA? Is this covered in some of the documents in your GDPR Toolkit? 2) If we have a data breach, do we have to report each data breach to the supervisory authority? If not, what are the criteria to distinguish between the breaches we need and do not need to report? Is this covered in some of the documents in your GDPR Toolkit?
  • Questions for GDPR

    I'm wondering if you could help me out with a couple of questions related to GDPR and controllers? Our company has clients who have personal data that our system collects from their employees and visitors to their premises. The clients have access to the data that our system collects. We (the company) determine the why and how data is collected, however the clients can see the data and even create reports from the personal data. Is this considered a controller to controller relationship, or would it be a controller to processor relationship? (i.e. is the client a controller because they are collecting personal data from employees and visitors?) A second question we have is related to standard contractual clauses. Personal data that our clients collect is transferred to our servers located in Canada. Are SCCs required for the transfer of personal data from the EU/EEA to us for processing?
  • Verifying customers' identity

    Should we be verifying customers' identity via email when the email they are contacting us from is the same email they used to purchase a product from us?
  • Proof of compliance with GDPR & Data Subject Request Register

    When a client of ours asks for proof of GDPR compliance what do companies normally provide? Also, in the 07.24_Data_Subject_Requests_Communication_Register_Premium_EN document I don't see a slot for the name/email of the data subject. Part of me thinks that makes sense as if you are asked to delete their info yet keep it in that document then you technically didn't completely delete it? The other part of me wonders how that demonstrates compliance when you can't link it back to a particular data subject request?
  • Using messages as evidence

    Hi there, I am hoping that you may be able to help me with a question relating to GDPR in the workplace. We currently have a situation at work where a colleague has provided us (a business) text messages with another colleague. These messages may be included as evidence within an upcoming grievance. My question is, can the organisation simply take these messages and use them as evidence, or does this constitute 'processing' under GDPR as they have now been passed from an employee to the business (the employer)? Will we need to gain consent from both individuals to use these messages? I think it is also worth noting that these messages were sent on an encrypted messaging service similar to WhatsApp, on personal devices. We are concerned that the employee who did not provide the messages may raise possible GDPR compliance issues around processing such data which is identifiable. Any support on this matter would be greatly appreciated.
  • LSA

    We (company) do business in the EU but do not have a need for an LSA. Can our company residing in the USA be considered the LSA?
  • Conversion to UK version of GDPR

    I work for ***. Several years ago I purchased your organization's EU GDPR toolkit and used it to assist in preparing my organization for GDPR. As we are a UK firm, in a post-Brexit world we do fall under the UK data protection legislation. I am wondering if you have a similar package related to the UK law. That being said, I recognize the two laws (EU and UK) are quite similar, so perhaps your advice would be to use the same policies and procedures, but to simply reference the UK law in place of the EU law. Please let me know your thoughts when you get a chance.  