EU GDPR questions

"I run a small "haute" couture shop and I have some questions regarding sole GDPR aspects.Are the measurements taken for custom suites considered biometric data?” 

Measurements taken for custom suites are not considered biometric data because biometric data is defined as personal data acquired through biometric process like fingerprints, samples, facial recognition as stated at paragraph 51 of the Preamble of GDPR. 

Clothes size and physical measurement (like weight and height) belong instead to demographics and so they are personal data under article 5 of GDPR. 

In this article, you can find some useful resources for small companies and GDPR:- GDPR challenges for small companies  https://advisera.com/articles/gdpr-for-small-businesses-the-most-common-challenges/ 

“If we collect the measurements and name and surname is there any information we need to provide the customers?” 

You must inform your customers in the privacy notice. In fact, according to article 5 GDPR, the processing of personal data requires to inform the data subject.

In this article, you can find all the information you need to convey to your customer, in order to provide a GDPR compliant privacy notice:Everything you need to know about the GDPR Privacy Notice https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/ 

“We use CCTV in our shop are there any specific requirements?” 

CCTV is among the main privacy issues. Most national laws set legal requirements in order to protect the privacy and avoid workers’ surveillance. Under GDPR the images of CCTV are personal data processed so you need to follow the principle of data processing illustrated in article 5.

Here you can find some useful resources about privacy issues:

- GDPR one year on: Why it should still be your top priority if you care about profit, clientele and reputation: https://advisera.com/articles/gdpr-one-year-on-does-it-still-matter-interview/

"We use a contractor on XYZ where we sent the measurements to cut the clothes is this a transfer of personal data?”

Measurement can be considered personal data if they can indicate directly or indirectly to a natural person (data subject), as illustrated in article 4 n. 1 GDPR. Consequently, if measurement is transferred with reference to a natural person (i.e. name of the customer) all the rules on data transfer will apply. Otherwise, if the measurement is transferred anonymized or pseudonymized (i.e. order number) it is not considered a transfer of personal data. 

Here you can find a free registered webinar about the transfer of personal data under GDPR:How to make personal data transfers to other countries compliant with GDPR https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/

Here is an article about the first three steps to take into account when transferring personal data:3 steps for data transfers according to GDPR https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/

Do we need to keep records for our activities?

According to the last paragraph of Article 5 GDPR, you shall comply with the principle of accountability. In other words, you must be able to demonstrate that in your company process personal data are processed complying with GDPR requirements. As a consequence, it is better to keep track of your activities. 

Here you can find a list of mandatory documents to implement in order to comply with GDPR:- List of mandatory documents required by EU GDPR https://advisera.com/articles/list-of-mandatory-documents-required-by-eu-gdpr/  

We also do marketing campaigns for our customers by telephone. Do we need consent?

Yes. Marketing activity and lack of consent is one of the main cause of GDPR fines by Supervisory Authorities. 

Here you can find an article on GDPR impact on marketing activities- How does GDPR impact marketing activities? https://advisera.com/eugdpracademy/blog/2018/02/08/how-does-gdpr-impact-marketing-activities/  

Can we collect the consent via telephone?

Consent can be acquired in written or oral form and so also via telephone. In fact, it is defined by paragraph 11 of Article 4 GDPR as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. 

Are we allowed to record the calls?

Recording calls is a form of processing personal data, so you need to inform your customer that you are about to record the call and inform the customer about the location of privacy notice. 

Here you can find the information on how to write a privacy notice:- Everything you need to know about the GDPR Privacy Notice https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/  

Can we buy potential clients' databases?

If you are considering buying potential clients' database, you should verify if the seller acquired the clients' consent to transfer and sale of data in order to avoid fines for unlawful processing. In fact, as a data controller, you will be liable for the entire data processing (from acquisition to retention until the very end of the dismission).