  • Consent to use personal data

    2. When consent is revoked, what is required to be done with the data collected during the time of consent?

    Answers:

    1. The EU GDPR only deals with personal data. So, using any information that doesn’t constitute personal data is not covered by the EU GDPR. However, consider that the data needs to be fully anonymous and cannot be linked to a specific individual. Another thing to take into account is that the data you are referring to may be protected by other laws, such as intellectual property laws, so you need to ensure that the data is not protected by any other laws.
    2. After consent is withdrawn, no further processing of the personal data that was based on that consent is allowed. The data obtained and processed beforehand remains valid, as the consent was valid at the time.

    To learn more about the EU GDPR check out our “EU GDPR Foundation Course” https://advisera.com/training/eu-gdpr-foundations-course//
  • Scenario 1/Scenario 2

    Scenario 2: We do not obtain any personal data from anyone (including from the EU) to process the clinical trials provided by our sponsors (who obtain consent from subjects). In this case, what are our obligations to ensure we comply with the EU GDPR?

    Answers:

    1. Consent is not necessarily required. You just need to provide an adequate privacy notice to the relevant employees pursuant to Article 13 of the EU GDPR – “Information to be provided where personal data are collected from the data subject” (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/), including, among other things, the fact that data may be sent outside the EEA. In addition, you need to ensure that adequate safeguards are in place to regulate the data transfer, such as Standard Contractual Clauses.
    To learn more about data transfers check out our webinar “How to make personal data transfers to other countries compliant with GDPR” (https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/).

    2. So you are obtaining personal data from someone, namely the “sponsors”. If the personal data you process relates to individuals in the Union, then the GDPR is applicable to you. To establish exactly what your obligations are, one of the first things you need to do is establish whether you are a controller or a processor.

    To learn more about the EU GDPR check out our “EU GDPR Foundation Course” https://advisera.com/training/eu-gdpr-foundations-course//
  • Legal basis

    2. What is the simplest but also complete form of consent we can use?

    Answers:

    1. You can only choose legitimate interest for marketing campaigns if you consider factors such as:
    - whether people would expect you to use their details in this way;
    - the potential nuisance factor of unwanted marketing messages; and
    - the effect your chosen method and frequency of communication might have on more vulnerable individuals.

    Also consider that individuals have the absolute right to object to direct marketing under Article 21(2) – “Right to object” (https://advisera.com/eugdpracademy/gdpr/right-to-object/). It is more difficult to pass the balancing test if you do not give individuals a clear option to opt out of direct marketing when you initially collect their details (or in your first communication, if the data was not collected directly from the individual).

    2. There is no such thing as “simple and complete” because the requirements of the EU GDPR in terms of consent are quite extensive. Thus, consent needs to be a freely given, specific, informed and unambiguous indication of the individual’s wishes. You must keep records so you can demonstrate that consent has been given by the relevant individual.

    To learn more about marketing and the EU GDPR check out our webinar “How GDPR Affects Marketing Practices” https://advisera.com/eugdpracademy/webinar/how-gdpr-affects-marketing-practices-free-webinar-on-demand/
  • Quality and Information Security Manager

    Hi Brian,

    At small IT organizations (up to 20/30 employees), normally, the same person combines the two roles.

    At larger organizations, particularly if the core is not software, like manufacturing, normally, each role is performed by different persons.

    Please check this free webinar, “ISO 27001 implementation: How to make it easier using ISO 9001” - https://advisera.com/9001academy/webinar/iso-27001-implementation-how-to-make-it-easier-using-iso-9001-free-webinar-on-demand/
  • EN 9100 vs ISO 9001


    Answer:

    EN 9100 includes ISO 9001 and adds further requirements, for example on planning for product realization, design and development, purchasing and improvement.

    Please check this text, “ISO 9001 vs. AS9100” - https://advisera.com/9001academy/blog/2014/09/09/iso-9001-vs-as9100/, for a summary of the main differences between ISO 9001 and EN 9100 (AS 9100 in the USA and EN 9100 in Europe).

    The following material will provide you with information about AS 9100:

    - ISO 9001 – Five special aerospace terms in AS 9100 Rev D - https://advisera.com/9100academy/blog/2017/05/01/five-special-aerospace-terms-in-as9100-rev-d/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Required consent

    2. Similarly, xxx’s other clients who are case study participants share their personal data with xxx.
    3. Do we require their consent?
    4. The GDPR implementation deadline was in May. What kind of impact does that have?

    Answers:

    1. Consent would be required if you are targeting individuals and not companies, and usually when the email notification refers to advertisement. If the notifications are used to communicate based on an existing contract with a customer, then consent is not required, as the legal grounds for processing would be “contractual obligation”. The EU GDPR does not require a specific process to obtain consent. You just need to ensure that consent is a freely given, specific, informed and unambiguous indication of the individual’s wishes. As data controller you must keep records so you can demonstrate that consent has been given by the relevant individual.
    2. Using an attorney at law is entirely up to you; such a thing is not regulated in the EU GDPR.
    3. If the sharing and processing of personal data is based on a contract, then consent is not required, as the legal grounds for processing is “contractual obligation”.
    4. The question is much too broad to be addressed, as the impact is different based on the processing activities of each individual company. The impact is that all companies which are processing personal data and fall under the GDPR need to comply with specific requirements, or they risk being fined up to 4% of their turnover.

    To learn more about the EU GDPR check out our “EU GDPR Foundation Course” (https://advisera.com/training/eu-gdpr-foundations-course//)
  • Data privacy policy and Data protection policy


    Answer:

    Both documents refer to the same thing, so only the title is different.

    To learn more about the EU GDPR check out our “EU GDPR Foundation Course” (https://advisera.com/training/eu-gdpr-foundations-course//)
  • Need for DPO


    Answer:

    For the purpose of your question, to define “large scale” the following factors need to be considered:

    - The number of data subjects concerned - either as a specific number or as a proportion of the relevant population
    - The volume of data and/or the range of different data items being processed
    - The duration, or permanence, of the data processing activity
    - The geographical extent of the processing activity

    Examples of large-scale processing could include:

    - processing of patient data in the regular course of business by a hospital;
    - processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards);
    - processing of real-time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialized in providing these services;
    - processing of customer data in the regular course of business by an insurance company or a bank;
    - processing of personal data for behavioral advertising by a search engine;
    - processing of data (content, traffic, location) by telephone or internet service providers.

    To learn more about the EU GDPR check out our “EU GDPR Foundation Course” (https://advisera.com/training/eu-gdpr-foundations-course//)
  • Processor/Controller

    Thank you!
  • Filling a template

    For example:
    Asset name:
    Laptop Nr 1
    Laptop Nr 2
    ...
    Laptop Nr 20

    or

    Asset name:
    Laptops
    Mobile phones
    System software
    Development software

    Answer: You can group your assets in classes, using separate classes only when you have to consider different treatments for the same type of asset (e.g. you have development laptops and management laptops, or corporate phones and personal phones, etc.).

    By the way, included in your toolkit, you have access to video tutorials that can help you fill in the risk assessment table.