Privacy Notice Webinar - EU GDPR Premium Kit questions

1. Tudor Galos mentioned using a four column table in a privacy notice. I didn’t get the column details quickly enough. Were they “category of data subject”, “personal data to be processed”, “purpose”, “legal basis”?

This was a recommendation on customizing the Privacy Notice template in your Privacy Notices template. The columns I recommended for the association between personal data categories & purposes were “Personal Data Categories”, “Purpose of processing”, “Legal Basis”.

2. TG also referred to the kit containing granular privacy notice. Did he just mean that you provide different ones for e.g. employees, supplier employees, web users etc?

Yes, I was referring to the privacy notices you have in EU GDPR Premium Documentation Toolkit. In general, if you have a specific processing operation, different than the ones you had until now, you might choose to write a new privacy notice to inform the affected data subjects.

3. Our privacy notice should give the supervisory authority a data subject can complain to. We are based in the UK so obviously we give the ICO for UK residents. We process the personal data of EU residents, mainly from Germany, France and Spain. We have appointed an EU Representative with an address in Germany as that is where the majority of the data subjects are. Which EU supervisory authority should be put in the privacy notice?

For people in the EU you could provide the details of the EU Representative and of the relevant data protection authority in Germany, from the region your EU Representative is established.

4. When dealing with a corporate client or supplier, we may well be given the personal data – usually contact details – of other staff members. How do deal with notifying them that we have their details. Commercially, it would be a bit odd if every time we emailed them direct. I could see us upsetting clients!

If you are dealing with a corporate client or supplier, for the business relationship interactions – invoicing, emails with key updates, support, etc – you are both data controllers. If your client/supplier is giving you details of other staff members, they are responsible for the processing and they should make sure that they inform their staff about this processing (transfer of information to you).

Please also consult these resources:

• Article 13 GDPR – Information to be provided where personal data are collected from the data subject: https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/
• Article 14 GDPR – Information to be provided where personal data have not been obtained from the data subject: https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-have-not-been-obtained-from-the-data-subject/
• Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/
• European Data Protection Board Guidelines on Transparency under Regulation 2016/679 (wp260rev.01): https://ec.europa.eu/newsroom/article29/items/622227