Expert Advice Community

Personal data visibility

Guest user Created: Apr 09, 2018 Last commented: Apr 20, 2018

I have another question for you about GDPR implementation.

Expert
Andrei Hanganu Apr 09, 2018

Consider the scenario:
1) the company sells standard suits and custom tailored suits as well;
2) for the custom tailored suit, the company needs the measurements of the final customer (body measurements); because these measurements potentially contain sensitive data about health status, the company asks for explicit consent before manufacturing;
3) after the final customer's consent, the suit has to be produced; the suit goes through a lot of work centers where we have only one item of the customer's personal data, first name and family name, written on a specific label; this label is visible to the manufacturing people involved in the production steps;
4) also, the final check of the suit involves an external step, where an external supplier verifies the suit before delivery to the customer; the delivery is performed by the company when the suit gets back after the check.
I would like to know if the company has to inform (notify) the final customer about the manufacturing process in terms of its personal data visibility and, most important, if the company has to explicitly declare the name of the external supplier that checks the suit before delivery. In fact, this could be difficult for the company because this kind of supplier may change year after year.

Answer:

You should include the information about personal data being shared with third parties in your customer Privacy Notice; you don't need to name those third parties, only make a reference to the activities that the third parties perform.

Guest
brunostefanutti Apr 20, 2018

Hello Andrei and thank you for this response; I have a small but important clarification about this scenario. I summarise the situation: the "direct" and independent customers of company A (we call these customers "B") collect the body measurements of their final customers (called "C"), who aren't direct customers of company A. So "A" has a lot of customers "B", and "B" have a lot of customers "C" that are NOT customers of "A"; but "A" collects "C" data through "B", and these are biometric data (measurements for tailor-made suits), potentially sensitive data. Most important in my opinion, in this case "A" needs a formal letter from every "B" customer in order to operate as "processor" of "C" personal data: is it correct? What if "B" doesn't give "A" this formal agreement?
Thanks in advance for your response.
Bruno

Expert
Andrei Hanganu Apr 22, 2018

Whoever is the controller needs to have signed Data Processing Agreements with its processors, not a letter but a legally binding document. So, the trick in this case and in any cases for that matter is correctly identifying the parties (controller and processor).

Also, the controllers need to specify in their privacy notices if they will be using third parties to process data on their behalf.

To learn more about privacy notices you can check out our webinar “Privacy Notices under the EU GDPR” https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/

Guest
brunostefanutti Apr 23, 2018

Thank you Andrei; the last question about that is whether we can use the same agreement, "modified", for nominating the "internal" data processors or, in other words, the functional/executive managers who are employees of the company and would have to manage and guarantee the GDPR procedure in their area.

Kind regards.
Bruno

Expert
Andrei Hanganu Apr 25, 2018

Not sure I understand what you mean, you need just to refer to the legal entities which are processing the data not the employees that handle the processing.

Guest
brunostefanutti Apr 25, 2018

Yes, but I mean that a company probably needs a set of internal employees (probably executives) involved as "verifiers" that the processes in every area will be "aligned" with GDPR; suppose that we do not have a DPO, the question is whether some formal document (agreement, etc.) exists for formally instructing, for example, some head office for this specific job of supporting the "Data Protection Officer".
Kind regards. Bruno
