EU GDPR - Expert Advice Community
  • Consent required

    Where a company has an existing mailing list for emails, is consent required? If they're already doing business with the company, is consent required? Is consent required before sending an initial email?
  • Documents to be produced

    So in the toolkit, document 01.2, there is a (long) list of documents to be produced during the project. Should all documents be produced in every situation? E.g. are they all relevant for a SaaS software developer which is basically only a data processor and not a data controller?
  • Data Subject Access Form

    I have bought the GDPR toolkit. Which document(s) cover the data subject's right to be forgotten / right to erasure?
  • Security policy

    I have a technical question about the documents. In document 7.2 ANNEX 2 1a, "Processor must document a security policy", what document is "security policy"? I cannot find a document with this name.
  • Legal grounds

    Help me identify the following: Which legal grounds are available besides the legitimate interests of business?
  • EU GDPR for the banking sector

    I would like to know the specific data protection requirements that have to be defined during a bank development project in terms of the software development cycle and that meet the DSGVO requirements. Can you please help with a template?
  • Data Protection Officer

    We’re only starting with the GDPR toolkit, but I’ve an important question that you may be able to answer. The templates mention the DPO a lot, and we decided not to appoint one as we don’t have to. How should we go about it? Who should be there instead? (Separately, I wonder if there’s a specific requirement regarding the format of the record for the decision not to have a DPO?)
  • Showing data on request of data controller

    So since we are a data processor (SaaS), almost everything we do with (personal) data is on request of the data controller. If our customer requests to show certain personal data which could be in conflict with the GDPR, should we inform them about this and provide the functionality, or are we responsible to tell them we won't agree on data which might conflict with the GDPR? An example is a public page where members can be found. Yes, we can provide an extra check where the member must agree to showing their data.
    1. What if the customer doesn't want to use it? Who is responsible?
    2. To which personal data is the extra confirmation applicable? (name, birth date, city, etc., all?)
  • Processing personal data

    We are a software supplier. Via our application a lot of data is stored in our databases, but we're not the ones processing the data. The input and output of data will be done by our customers. When I look at the 01.1 document, a lot of questions are about processes to take care of personal data, like adding, removing or anonymizing. How does a software supplier normally integrate these standards? We cannot force each customer to ask permission from their professionals before they enter data. And if we could, it would be almost unverifiable.
  • Documentation of processing activities

    I am taking a look at the “Documentation of processing activities” at the moment. The requirements seem quite clear; what I am not entirely clear about is the way we can receive, e.g., the sign-off from our (very many) data controllers, their DPO data, confirmation of the data processing agreement, etc. Does all of this need to be written (on paper)? Are digital forms acceptable? What digital forms are good? ParentPay have about 9000 customers, all of which are data controllers for whom we process data. Would it be sufficient to ask them to “tick a box” in an online form and confirm who their DPO is? Or does that process need to be somewhat more robust? Would we need to apply a form of proof of identity before accepting their submission?