GDPR query

1. We are a processor and have received a data subject access request via the controller for a personal data that is bundled together with personal data from several different persons - how should we respond, because if we provide any information, we would reveal personal data from other data subjects as well?

Article 28 par 1 h) GDPR requires the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.This means that you will inform your data controller who is in charge of the relationship with the data subject that the access request should be rejected because it infringes third parties' privacy. The data controller will decide how to behave.

2. For a company based in the UK, should we register the name of our DPO with the ICO?

Yes. Consider that a UK-based company is under UK GDPR since UK has left the EU.

If you need more information about the difference between data controller and processors or data subjects rights, here you can find some resources:

• EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
• Data subject rights according to GDPR https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr/

If you need to understand how to comply with the EU GDPR you may consider enrolling in our EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/