Hello, I have contacted a company that manages a messaging app I used in the past to request information about exercising my right to erasure (Article 17(1) GDPR), since they say they're GDPR compliant. In particular, my question to them was about having my messages/posts (private and public) deleted when they close my account. They say they would refuse to delete these messages, since they argue that would interfere with other users' right to free expression and information (Article 17(3)(a)), as there would be gaps in the conversations potentially leading to misinterpretations or the lack of important context. My questions to you are:
1. Are the messages and posts I sent through the app considered personal data under GDPR to the extent that the app would have to delete them under request?
The right to be forgotten, or the right to erasure, is not an absolute right; it depends on the data controller’s retention schedule, which must be based on one of the six legal grounds for processing personal data (storage is a data processing operation).
Related to your question, yes, messages and posts that you submitted through the app are considered to be personal data.
You can find more details at this link:
2. Is the exception in Article 17(3)(a) a valid ground for refusing this request in this case?
In my opinion, Art 17(3)(a), which specifies that the right to be forgotten does not apply when exercising freedom of expression, is not a valid ground for refusing your request in this case. This article should be invoked only when the processing of personal data is done solely for journalistic purposes, or for the purposes of academic, artistic, or literary expression. The data controller could take technical and organizational measures to fulfill your request, such as anonymizing your identifiers – name, surname, username, nickname, etc. For example, they could change your username to something like anonymous_user and modify all your posts/comments and answers to your posts/comments. If they cannot do this, it would mean that the data controller is in breach of Art 25 GDPR, Data protection by design and by default, which states that “the controller shall, […], implement appropriate technical and organizational measures, […], in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”
You can find more details at these links:
To learn more about the right to be forgotten, see this free online training: GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course/
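The anonymization measure suggested in the answer above, as an added Python illustration (not code from the original post or from any messaging provider): the requesting user's identifiers are replaced in the author field, in @mentions and in message bodies while every post stays in place, so other participants keep their context, and a final check reports any identifier that survived. The thread, usernames and names are constructed sample data.

```python
import re
from typing import Dict, List

ANON = "anonymous_user"  # replacement identifier, as suggested in the answer

# Constructed sample thread: two users, one of whom (bob_k) requests erasure.
THREAD: List[Dict] = [
    {"id": 1, "author": "alice", "body": "Has anyone tried the new export feature?"},
    {"id": 2, "author": "bob_k", "body": "Yes, Bob Kowalski here, it worked for me."},
    {"id": 3, "author": "alice", "body": "Thanks @bob_k! Good to know."},
]


def anonymize_user(thread: List[Dict], username: str, personal_names: List[str]) -> List[Dict]:
    """Return a copy of the thread with every identifier of `username` replaced.

    Post ids, order and other authors' text are kept, so the conversation
    loses no context; only the requester's identifiers are removed.
    """
    # Whole-token match of the username (keeping a leading @ for mentions)
    # and whole-word match of each personal name, case-insensitively.
    patterns = [(re.compile(rf"(@?)\b{re.escape(username)}\b", re.IGNORECASE), rf"\g<1>{ANON}")]
    patterns += [(re.compile(rf"\b{re.escape(n)}\b", re.IGNORECASE), ANON) for n in personal_names]
    out = []
    for post in thread:
        p = dict(post)  # shallow copy; the original thread is left untouched
        if p["author"] == username:
            p["author"] = ANON
        for pat, repl in patterns:
            p["body"] = pat.sub(repl, p["body"])
        out.append(p)
    return out


def residual_identifiers(thread: List[Dict], username: str, personal_names: List[str]) -> List[str]:
    """Verification step: list any identifier still present after anonymization."""
    text = " ".join(p["author"] + " " + p["body"] for p in thread).lower()
    return [t for t in [username] + list(personal_names) if t.lower() in text]


if __name__ == "__main__":
    cleaned = anonymize_user(THREAD, "bob_k", ["Bob Kowalski"])
    for p in cleaned:
        print(p["id"], p["author"], "-", p["body"])
    print("residual identifiers:", residual_identifiers(cleaned, "bob_k", ["Bob Kowalski"]))
```

The residual check is the part worth keeping in any real erasure workflow: it is what lets the controller demonstrate that the measure actually worked rather than assume it did.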
This is a valid approach, but you need to be careful to not make your asset register unnecessarily complex.
For example, a data loss risk is applicable to all these assets, and with your approach, you will need to create this risk for each asset.
In this case, you may use an asset called “customer data” and include this data loss risk only once and use the specific assets only to specific risks (e.g., SQL injection risk is applicable only to “Customer data in SQL database”).
This will prevent a risk from being repeated only because the same information exists in multiple forms.
This article will provide you with a further explanation about the asset register:
I’m assuming you are referring to the UK legislation to combat tax avoidance by workers, and the firms hiring them.
We are not legal experts, so you should seek local expert advice for a more definitive answer, but provided the contractors only need to follow rules related to information security applicable to all contractors (either they are a personal services company or not), and do not need to follow other rules applied to your own employees (e.g., defined working hours), you may be able to classify them as not employees.
Some conditions you should consider to evaluate IR35 applicability are:
Both approaches are accepted by the standard. As a tip for planning on how to group assets, you should consider assets that share similar risks.
For example, you can have development PCs, Sales PCs, etc. In case all desktops share the same risks, you can use your “PC's Office x” approach.
This article will provide you with a further explanation about the register of assets:
I’m assuming that by Y2005 and Y.2013 you are referring to versions 2005 and 2013 of ISO 27001.
Considering that, there is no official explanation for this change, but most probably the change was made to make the application of the control clearer.
ISO generally uses the term “third party” for an entity that is independent of the organization, like customers, suppliers, business partners, government, etc.
Since the controls from ISO 27001 Annex A are related to suppliers, it makes more sense to change the section name to reflect this situation.
This article will provide you with a further explanation about supplier security management:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
ISO 27001 Annex A is directly related in numbering to ISO 27002 (a non-mandatory standard which provides guidance for implementation of Annex A controls), and sections 1 to 4 in ISO 27002 do not cover controls:
0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Structure of this standard
From section 5 onwards, the section title is the same as that of the respective ISO 27001 Annex A section. For example, both ISO 27001 Annex A.5 and ISO 27002 section 5 are titled “Information security policies”.
This article will provide you with a further explanation about ISO 27001 and ISO 27002:
- ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
Yes, GDPR applies to drone usage when drones record images of people. If this recording is for scientific research, according to article 89(2) GDPR you might qualify for a derogation from GDPR requirements related to processing for scientific research. However, recital 156 requires you to make sure you have implemented the necessary controls to ensure data minimization and data pseudonymization, or even anonymization of personal data once the purpose of processing is fulfilled.
Find more details about GDPR requirements at the following links:
Both certification and auditing experience are comparable.
Exemplar Global and PECB are accredited providers certified against ISO 17024 – which provides general requirements for bodies operating certification of persons.
In fact, there are current agreements between PECB and Exemplar Global where applicants must be able to demonstrate holding a current certification with one of them in order to qualify. (https://exemplarglobal.org/certification/information-security/information-security-management-system-isms-auditor/)
The ISO 27001 Lead Auditor Course provided by Advisera is accredited by Exemplar Global, and it is all you need to be able to take the Lead Auditor Exam to obtain the Certificate.
For further information, see:
In this article, “List of mandatory documents required by ISO 9001:2015” (https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/), you can see the mandatory documents and records according to ISO 9001:2015.