
  • GDPR - Transfer to the US

    1. If an EU affiliate brings in a new hire and takes down their personal data, and it gets stored on my company’s global HR platform or on hard drives or servers in the US, is that a cross-border transfer?
    2. Does the fact that it is a US company holding the data make a difference? In other words, has the Commission decided that the US ensures an adequate level of protection?
    3. And most importantly, what agreements or series of agreements should I have in place for a US company with EU affiliates?

    Answers:

    1. Yes, it does. The fact that the HR platform is hosted in the US means this is a cross-border transfer of personal data.
    2. The EU Commission has not issued an adequacy decision for the US, so the answer would be no. However, there is Privacy Shield, which was developed by the EU and US to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. So if the US subsidiary is certified under Privacy Shield, the transfer is permitted.
    3. You can choose to rely on Privacy Shield as a safeguard for the transfer, or you can have an Intragroup Data Transfer Agreement based on Standard Contractual Clauses between the EU and US entities.

    To find out more about cross-border data transfers, check out our webinar “How to make personal data transfers to other countries compliant with GDPR” https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/
  • Data Breach Response and Notification Procedure

    Call lists & substitution - who would be on the call list? What does substitution mean in this context?
    Contact details - whose contact details are we recording?

    Answers:

    “Call lists & substitution” refers to the telephone contacts of, and the replacements for, the persons within the company who are tasked with handling data breaches. The same goes for the contact details.

    To learn more about data breaches check out our webinar “A How-to Guide for GDPR Data Breach Notifications” https://advisera.com/eugdpracademy/webinar/a-how-to-guide-for-gdpr-data-breach-notifications-free-webinar-on-demand/
  • GDPR privacy policy


    Answer:

    Hypothetically yes, especially if you sell your chat software to EU companies; this means you may be targeting data subjects in the Union.
  • Remittance Group and GDPR

    Another question: for the airtime, all the airtime suppliers deal with the service provider and supplier, so we are all sub-processors and it works in a bilateral way. How do we draft this in the processor/sub-processor agreement, as we could all be processor and sub-processor at any time? We can’t put it as “A is a processor, B is a sub-processor”, as A could be the sub-processor and B the processor at any time; the roles could always change. Their relationship is bilateral. How should we draft the agreement?
  • Email subscription


    Answer:

    If you rely on consent for your marketing activities, you need an “opt-in” kind of consent, so silence would not be considered valid consent.

    To find out more about consent check out our webinar “How to handle consents under GDPR” https://advisera.com/eugdpracademy/webinar/how-to-handle-consents-under-gdpr-free-webinar-on-demand/
  • Landbase Casino GDPR


    Answer:

    From your description, you are a data controller for the data of your casino customers as well as your visitors. Being a casino and using MRZ scanners, you are collecting a great deal of personal data, including winnings and maybe “high roller” player profiles. You are most likely also processing high-quality video surveillance footage from your gambling tables.

    So, my conclusion is that the EU GDPR will deeply impact your processing activities, and you would need to have a full-blown EU GDPR compliance program in force to prove compliance. You would need to focus on privacy notices, managing data subject rights, data protection impact assessments, third-party compliance, data breaches; basically everything.

    In your current situation, I am sure that the EU GDPR Documentation Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/) would prove to be a useful tool.
  • EU GDPR Documentation Toolkit


    Answer:

    All the documents in the EU GDPR Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ are meant to be cross-industry, so they will most likely need minimal amendment on your part. Based on your description, you are acting as a processor for the cinemas to which you provide the software as well as the ticketing services.

    In this case, the sections in the Toolkit regarding managing data subject rights and DPIAs would be less relevant to your activity. However, be aware that if you are established in the EU, you will be acting as a data controller with regard to the data of your employees.

    To learn more about the applicability of the EU GDPR check out our free “EU GDPR Foundations Course” (https://advisera.com/training/eu-gdpr-foundations-course// ).
  • GDPR and private site


    Answer:

    Based on your description, you are processing personal data of users on your website, especially those who fill in the contact form and those to whom you are sending newsletters. In this case you are acting as a data controller, and yes, the EU GDPR is applicable to you regardless of whether you are a company or not.

    As per Art. 4(7) – Definitions (https://advisera.com/gdpr/definitions/) of the EU GDPR, controller means “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”.

    To learn more about the applicability of the EU GDPR check out our free “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course//
  • Residual risk in the risk assessment process


    Answer: You have to calculate the residual risk after defining the risk treatment to be applied. At this point, the residual risk is the risk value you expect to achieve with the implementation of the controls. After the implementation of the controls, the risk value you measure will confirm whether the previously calculated value is correct, or whether you have to make adjustments to the control implementation.

    These articles will provide you further explanation about risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/

    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • ISO 27017 controls

    For explanations about some ISO 27017 controls, I suggest these articles:
    - ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
    - Resolving cloud security concerns by defining clear responsibilities according to ISO 27017 https://advisera.com/27001academy/blog/2016/08/23/resolving-cloud-security-concerns-by-defining-clear-responsibilities-according-to-iso-27017/
    - Network segregation in cloud environments according to ISO 27017 https://advisera.com/27001academy/blog/2016/09/26/network-segregation-in-cloud-environments-according-to-iso-27017/
    - How to use ISO 27017 to manage legal risks related to geographical location https://advisera.com/27001academy/blog/2016/09/19/how-to-use-iso27017-to-manage-legal-risks-related-to-geographical-location/