Expert Advice Community

Personal Data and DPO

Guest user | Created: Feb 08, 2018 | Last commented: Feb 08, 2018

1) How long can we keep personal data that we received via our website for?
Expert
Andrei Hanganu Feb 08, 2018

2) Do we need a Data Protection Officer or is a Data processor enough?
3) Regarding the 'Compliance Questionnaire': do we need to send this to all 3rd parties that hold data of ours, or just our clients?

Answers:

1) According to EU GDPR article 5(e) (https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/), personal data cannot be kept longer than is necessary for the purposes for which the personal data are processed. Assuming that the data received via your website comes from users registering there, you can set up your own retention period. When establishing it, you should consider a reasonable retention period that would be consistent both with the type of services you provide to the data subject and with the categories of personal data processed. To give you an example, if you are not collecting special categories of data (https://advisera.com/eugdpracademy/gdpr/processing-of-special-categories-of-personal-data/), you can set up a retention period anywhere between 1-3 years (most likely it will not be considered excessive) from the last time the user accessed his/her account on your website.

2) Appointing a Data Protection Officer is required by the EU GDPR (https://advisera.com/eugdpracademy/gdpr/designation-of-the-data-protection-officer/) only in some specific cases:
- you are required to do so by national law;
- your core activities consist of regular and systematic monitoring of data subjects on a large scale;
- your core activities consist of processing sensitive personal data on a large scale (including processing information about criminal offences).

So, if you find yourself in any of the above cases, it is required to appoint a DPO, which can be an employee or a third party (e.g. a consultancy company). If you don't, then you are not required to appoint a DPO, but you can designate some data protection specific tasks to someone within the organization.

You might find this article interesting: https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/

3) The Supplier Due Diligence Questionnaire is used to assess those suppliers that are processing personal data that belong to you as controller. So, it applies to those suppliers receiving or having access to personal data that you process as controller, regardless of whether the data is that of your employees or your customers.
