Expert Advice Community

Guest

GDPR Questions

  Quote
Guest
Guest user Created:   Jun 09, 2022 Last commented:   Jun 09, 2022

GDPR Questions

  1. Advisera docs Footer and Change record – do we have to keep the Advisera wording on all docs?
  2. Client data – How long can we keep data? 6 years +1 from collection date or when client has left then 6+1
  3. Confirm BtoB data is still governed the same way as BtoC – PII
  4. Back Ups on Tape Drives and SAR requests – where do we stand?
  5. If a client asks to see our policies can\should we hand them over? Incident log, do we have to show that if asked?
  6. Clarify medical data in ***, we don’t collect it, but customer could upload it, what are the implications for us as Processor?
0 0

Assign topic to the user

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Tudor Galos Jun 09, 2022

1: Advisera docs Footer and Change record – do we have to keep the Advisera wording on all docs?

No, they can be customized to match your templates or any other form that you may consider necessary.

2: Client data – How long can we keep data? 6 years +1 from collection date or when client has left then 6+1

It depends. Storage of data is considered the processing of personal data. So if you choose to store data for 6 years +1 from the collection date, you should have a legal ground for storing. It can be legitimate interest (for eg to protect your organization in court) or legal obligation (Fiscal law, labor law, etc).

3: Confirm BtoB data is still governed the same way as BtoC – PII

Yes, personal data is any information related to an identified or identifiable data subject, it doesn’t matter if B2B or B2C.

4: Back Ups on Tape Drives and SAR requests – where do we stand?

If you receive a Subject Access Request – SAR -  according to art 15 GDPR you should disclose a copy of all personal data that you are processing. If there is data on the backup, it should be in production as well anyway, so you shouldn’t do anything special besides mentioning the backup storage time for the data.

5: If a client asks to see our policies can\should we hand them over? Incident log, do we have to show that if asked?

If you act as a Data Processor, the Data Controller has the right to check all you technical and organizational measures needed to demonstrate GDPR Compliance. The Data Controller is accountable for how it chooses its Data Processors. You might choose not to share policies and procedures, especially if they contain confidential information, but you should find a way to demonstrate to your client that you took all necessary technical and organizational measures needed to demonstrate GDPR Compliance. For incident logs, I recommend sharing only the non-confidential information.

6: Clarify medical data in ***, we don’t collect it, but customer could upload it, what are the implications for us as Processor?"

The Data Controller is accountable for how it processes personal data, including uploading of medical data. As a Processor, you must make sure that you are respecting the Controller’s instructions, that you don’t process that medical data for other purposes, and that you protect that data.

Tudor Galos
Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jun 09, 2022

Jun 09, 2022

Suggested Topics

Guest user Created:   Oct 04, 2022 EU GDPR
Replies: 0
0 0

Board/Forum registration

Guest user Created:   Oct 03, 2022 EU GDPR
Replies: 0
0 0

Data privacy

Guest user Created:   Oct 03, 2022 EU GDPR
Replies: 1
0 0

GDPR - which mailing is allowed?