Expert Advice Community

EU GDPR questions

Guest user Created:   Jan 21, 2020 Last commented:   Jan 21, 2020

I am new to the GDPR field and would ask for your help in understanding it better.

How can an authority in the EU fine a company in India or another country outside the EU?

Do you have some materials to help me understand how to start a GDPR program?

Do you have some materials that I could present to the management of the company to make them aware of the GDPR?

If we have access to data of EU users do we need to do anything special? We usually get data from EU companies and we do data cleaning removing duplicates.

We also receive some personal data from our clients' employees when they enter tickets. Is there something specific to consider?

How much time do we need to keep the personal data?

Are there some specific security measures to be deployed?

Can you recommend a site to get GDPR updates?

Also, we received a request from a client to present our Records of Processing Activities. What are these? Do we need to have them?

Expert: Dejan Kosutic, Jan 21, 2020

How can an authority in the EU fine a company in India or another country outside the EU?

Based on Art. 27 of the EU GDPR, the controller or processor must appoint a representative. That representative must be based in a Member State in which the relevant individuals are based. There is a limited exemption to the obligation to appoint a representative where the processing is occasional, is unlikely to be a risk to individuals and does not involve large-scale processing of sensitive personal data. Although there is no best practice on this, most likely the fine will be issued to the representative.

Do you have some materials to help me understand how to start a GDPR program?

I would suggest starting by going through our article “9 steps for implementing GDPR” (https://advisera.com/eugdpracademy/knowledgebase/9-steps-for-implementing-gdpr/) as well as this webinar “An overview of steps needed to comply with GDPR” (https://advisera.com/eugdpracademy/webinar/an-overview-of-steps-needed-to-comply-with-gdpr-free-webinar-on-demand/).

Do you have some materials that I could present to the management of the company to make them aware of the GDPR?

Please check this PowerPoint presentation that you can download freely from our website: “Why is privacy important for our company? - Awareness presentation” (https://info.advisera.com/eugdpracademy/free-download/why-is-privacy-important-for-our-company-awareness-presentation).

If we have access to data of EU users do we need to do anything special? We usually get data from EU companies and we do data cleaning removing duplicates.

Based on the description provided, you are acting as a processor and you act on the instructions of your clients. Usually, your clients would need to have you sign a Data Processing Agreement in which you commit yourself to process personal data based on the instructions of the data controller.

We also receive some personal data from our clients' employees when they enter tickets. Is there something specific to consider?

When collecting personal data, you need to present to the data subjects a Privacy Notice explaining to them why you need their data and what you are using it for. If you want to find out more about Privacy Notices, check out this free webinar “Privacy Notices under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/).

How much time do we need to keep the personal data?

Unless there is a specific legal obligation that sets a specific retention period, you can define a retention period yourself, bearing in mind that the data should not be kept for longer than is necessary.

Are some specific security measures to be deployed?

The EU GDPR only specifies, in Art. 32, some examples of security measures that can be employed. However, these are mere examples, and it is up to the controller/processor to define adequate security measures. A good example and best practice are the security measures in the ISO 27001 standard.

Can you recommend a site to get GDPR updates?

I would suggest going first to the European Data Protection Board website (https://edpb.europa.eu/edpb_en) as well as the websites of the Supervisory Authorities in the EU such as the ICO (https://ico.org.uk/). You will also find useful information on our website as well at https://advisera.com/eugdpracademy/what-is-eugdpr/.

Also, we received a request from a client to present our Records of Processing Activities. What are these?

If you act as a controller, you must keep a record of the following information:

· your name and contact details and, where applicable, any joint controllers, representatives and data protection officers;

· the purposes of the processing;

· a description of the categories of data subjects and of the categories of personal data;

· the categories of recipients, including recipients in third countries or international organizations;

· details of transfers of personal data to third countries (where applicable);

· retention periods for different categories of personal data (where possible); and

· a general description of the security measures employed (where possible).

If you act as a data processor, you must keep the following records:

· your name and contact details and, where applicable, representatives and data protection officers;

· the name and contact details of each controller you act for including, where applicable, representatives and data protection officers;

· the categories of processing carried out on behalf of each controller;

· details of transfers of personal data to third countries (where applicable);

· a general description of the security measures employed (where possible).

Do we need to have them?

This document is mandatory if:

· (a) the company has more than 250 employees; or

· (b) the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or

· (c) the processing is not occasional; or

· (d) the processing includes special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation); or

· (e) the processing includes personal data relating to criminal convictions and offences.
