I am taking a look at the “Documentation of processing activities” at the moment. The requirements seem quite clear; what I am not entirely clear about is the way we can receive, e.g., the sign-off from our (very many) data controllers, their DPO data, confirmation of data processing agreement etc. Does all of this need to be written (on paper)? Are digital forms acceptable? What digital forms are good? ParentPay have about 9000 customers, all of which are data controllers, and who we process data for. Would it be sufficient to ask them to “tick a box” in an online form, and confirm who their DPO is? Or does that process need to be somewhat more robust? Would we need to apply a form of proof of identity before accepting their submission?
Comparison of the different GDPR articles
I was wondering if you know of a website that compares the different GDPR articles / recitals / derogations for different countries like the UK, Guernsey and Jersey against the EU GDPR itself?
EU GDPR procedures
Kindly advise from where I can trace procedures or forms relating to Information & Access to Personal Data as outlined in Article 13 & 14 of the GDPR; Rectification Procedure; Data Minimization Procedure; Erasure Procedure as authorized from the data subject; Disposal of personal data procedure after retention period; Special categories of personal data procedure; Records Management Policy; Restriction of Processing procedure; Profiling procedure; Right to object procedure; Reference letters procedure; Direct Marketing procedure regarding Opt In.
Supplier Data Processing Agreement
I went through the toolkit and I cannot seem to find clauses which I should insert in contracts such as contracts of service, contracts for the purchase of a service or good, contract between us as a controller and respective processors etc. Could you please guide me?
GDPR Encryption
Does GDPR require the use of encryption for protecting/securing personal data? Aside from encryption, pseudonymization, and anonymization, are there other “acceptable” mechanisms for securing the data that’s GDPR-compliant?
Best practice
We know that best practice is to not have production data in non-production/development environments. However, does GDPR require that production data not be stored in non-prod/dev environments? Or, as long as the non-prod/dev environment is properly secured, then it’s acceptable?
GDPR and possible software changes
I’ve seen that the documents are providing guidelines and formats for the full documentation regarding the AVG. However, can you explain to me how this reflects on possible software changes (we are a software developer)? We also need to find out what we need to change / provide and why before we actually make changes to the application.
EU GDPR documentation
Is your documentation compliant with Dlgs 196/2003? Part of that Dlgs will be used after 25 May 2018?
External DPO
Our company wants to hire an external DPO and asked me to be the internal DPO for 2018. My question is, what are my tasks, and is this normally the way it goes? What can I expect from the external DPO and what will be expected from me? Which questions do I need to ask the external DPO?
Publishing personal data
We are in the US and have a facility in the EU. We posted employee birthdays on a monitor in our lobby. Will we be able to do this under GDPR? I assume we will need to get specific consent for this?