There is nothing keeping you from storing personal data using Google Sheets or another cloud storage solution. As far as Google is concerned, you should also check out their statement on GDPR - https://cloud.google.com/security/gdpr/
2. Can we leave the forms 4.1 & 4.2 as templates to be completed when needed? If not, can we use “for the purpose of carrying out business with Grazing and communication” as the specification of the purpose for the processing activity?
3. On the Personal Protection Policy some of the roles specified don’t exist in our company organisation; should they be replaced? E.g. Procurement Manager, Marketing Manager, etc. Could these be replaced by “Administration Team”?
Answers:
1. The two forms you refer to are to be used only if your services are aimed at minors, thus the consent of the parents/legal guardians would be necessary. If you don't intend to sell to minors, the forms are not relevant to you.
2. The consent forms are to be used only if you base your processing activities on consent. In your case most likely you will process the personal data of individuals placing orders based on “contractual necessity”, since you need to know the contact details of the individual to deliver the order to them.
3. The roles in the “Personal Data Protection Policy” are to be used just as examples, and they can be replaced by any relevant roles in your company that deal with a specific topic.
You should be considering a cross border data transfer only if the individuals are “in the Union”.
The EU GDPR will only apply to personal data regarding individuals within the Union, while the nationality or habitual residence of those individuals is irrelevant. For example, a company based in the EU which is processing the data of Japanese individuals located in Japan will still need to comply with the EU GDPR. Consequently, the Japanese individuals will be benefiting from all rights according to the EU GDPR, even if these rights do not exist in their own nation’s laws.
When the data of EU citizens is processed outside of the EU by companies which are also outside the EU, then this is not considered to be “in the Union”. For example, the EU GDPR will not be applicable to a school which is based in the United States just because there is a possibility that one or several of its students would be EU citizens. In this case the processing does not take place “in the Union,” nor is the individual “in the Union”.
Such disclaimers are not something which is required by the EU GDPR; you can use existing disclaimers which usually refer to the confidentiality of communication between.
Consent forms and Privacy Notices are different things. The consent form is to be used to get the consent of the individuals for certain processing activities such as direct marketing; privacy notices, on the other hand, are meant to inform the individuals about a certain processing activity.
Another difference is that privacy notices are just to be presented to the data subjects; the data subject does not need to agree to them.
“opt-in” consent
2. What happens if an old client/prospect receives emails from us after May 25th? Are we allowed to continue to send emails? For HR: Do we need to send a consent request to existing employees on the data we collect on them?
3. What do we do with employees who leave the company? Do we need to send them a consent form?
4. Or do you have some FAQs around typical questions for how marketing/sales handles these types of requests?
Our concern is that due to the nature of our clients if we send a new “opt-in” consent most people will ignore it and then we will not be able to send them emails.
Answers:
1. You are required to get consent only for new customers; for the existing customers you can rely on legitimate interest to carry out your marketing activities. For prospects and leads you may need to obtain their consent if you want to send them marketing materials.
To find out more about consent and marketing check out our webinar “How GDPR Affects Marketing Practices” (https://advisera.com/eugdpracademy/webinar/how-gdpr-affects-marketing-practices-free-webinar-on-demand/).
2. You can continue sending marketing emails to your existing clients based on legitimate interest, provided you leave them the choice to refuse marketing (opt out); as for prospects, most likely you need their consent. So, unless you have appropriate grounds for processing personal data for marketing purposes, you should not send marketing.
3. If an employee leaves the company, one of the things to do is to delete the personal data which is no longer required, taking into account the local legal obligations to retain certain data about employees for a certain time (e.g. pension records).
4. You are not allowed to send marketing materials to former employees unless you obtain their consent or you can identify another suitable ground for processing their data for marketing purposes.
Data Processing Agreement and Data Processing Addendum
Answer:
When using a third party to process personal data on your behalf you need to ensure that it provides “sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation” (art. 28(1) - “Processors” https://advisera.com/eugdpracademy/gdpr/processor/).
So, whenever you contract a third party to process personal data on your behalf you need to have a Data Processing Agreement/Addendum (there is no difference; they both mean the same thing). You can choose to have the content of the Data Processing Agreement/Addendum as a separate section of the commercial agreement, although it will be harder to manage.
2. Do I need a declaration of consent to transfer personal data to an external trainer who should serve the customer? Or is that not actually necessary to fulfill my contract?
3. Do I really need from each individual person from my already existing customer database a consent form in order to be able to send information about training series, or is this a legitimate interest?
4. Do I need a consent form to process the results of personality tests that I need to tailor my advice to the individual customer, or is this a legitimate interest? Isn't that actually part of contract performance?
5. Can I already on 29.05. expect a warning?
6. How do I best fulfill my obligation to inform in practice?
Answers:
1. If by processing protocol you refer to a Data Processing Agreement/Processor Addendum, this document needs to be signed with those suppliers that process personal data on your behalf (e.g. payroll suppliers).
2. You don't need the consent for transferring data to a third party supplier. You just need to mention that in your Privacy Notice, which you should present to the individuals when collecting their personal data.
3. You can rely on legitimate interest for your existing customers with which you already have an ongoing contract. Make sure to provide them with an unsubscribe option each time you send the advertisement.
4. A personality test most likely would result in processing sensitive personal data or even in profiling of the individual subject to the personality test. In this case processing of sensitive personal data would require explicit consent from the individual as per EU GDPR art. 9 – “Processing of special categories of personal data” (https://advisera.com/eugdpracademy/gdpr/processing-of-special-categories-of-personal-data/).
5. It is quite unlikely, but it depends on where you are based as well as the type of business you are running.
6. If you refer to the transparency obligation, the best way to fulfill that is to have a Privacy Notice available to the individuals each time you collect their data, or when you contact them for the first time if you get their data from some other source.
I researched in tenders and RFPs, but they did not say which processes should be certified in ISO 27001. Could you help me?
Answer: An ISMS scope can be defined in terms of processes, locations and/or information to be protected. Considering that, these are examples of how you can define your scope:
- Processes related to the provision of hosting, colocation and cloud services to organization's customers (the detail of the processes can be developed later during the risk assessment process)
- Processes performed at physical locations XXX, YYY, ZZZ, etc.
- Information related to the provision of hosting, colocation and cloud services to the organization's customers (the detail about the type of information can be identified later during the risk assessment process).
Answer: This control requires an organization to determine its requirements for information security and ensure the continuity of information security management during a crisis or disaster.
A good example is the access control to a datacenter. Datacenters are generally classified as sensitive in the risk assessment, due to the volume or sensitivity of the information they store/process, and organizations implement controls such as electronic locks to prevent unauthorized access (the requirement). When planning information security continuity, an organization should consider how to maintain access control in case of an event that may disable the electronic locks (e.g., a long power outage). For example, the organization can implement a lock that can also be operated manually.