Expert Advice Community

Guest

Questions regarding GDPR

  Quote
Guest
Guest user Created:   Feb 07, 2020 Last commented:   Feb 11, 2020

Questions regarding GDPR

I would very much appreciate some clarifications of the above: 

  1. Are there any available GDPR certifications?
  2. How do I start with mapping my processing activities?
  3. Is there any video surveillance policy available in the toolkits?
  4. I am negotiating with a Data Processing Contract with an insurance company. Are these companies controllers or processors?
  5. How can I best present a privacy notice? Do clients need to sign the notice
0 0

Assign topic to the user

Assign
Expert
Alessandra Nisticò Feb 11, 2020


I would very much appreciate some clarifications of the above:

Are there any available GDPR certifications?

If you are looking for a certification of individuals, GDPR does not require any certification.
Even the DPO role does not require being in possession of a certification, yet DPO must have deep knowledge of GDPR and privacy regulations. 
In reference to companies, article 42 GDPR encourages the Member States to establish a data protection certification mechanism for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. 
There is plenty of courses in the market. Advisera also developed a free course where you can purchase access to the examinations and get a certificate. So if you are looking for a solution in order to certificate the process of your company as data controller or data processor you can look for these solutions on the market.
 

 

How do I start with mapping my processing activities?

The first thing is to know your business. Think about:

- what data do you collect (i.e. name, surname, telephone numbers, IP address, physical address, pictures, health data, etc), 
- who collect them (i.e. administration, HR, management,) 
- why you collect them (i.e. provide a service or a product, video surveillance, security reason, public interests,) 
- how do you collect (i.e. do individuals provide data to you through a form, a contract, website, with/without consent)
- long do you store those data (the time which is necessary to provide the service, 1 hour, 1 year, 10 years, for a legislatively determined period)
- where do you store data (physical archives for paper documents, cloud service, internal servers)


You can find some useful information here:
- 9 steps for implementing GDPR: https://advisera.com/eugdpracademy/knowledgebase/9-steps-for-implementing-gdpr/
- 5 phases of the EU GDPR Data Protection Impact Assessment: https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/

- In our Advisera GDPR Toolkit, there are Guidelines for Data Inventory and Processing Activities Mapping, here you can download a free demo in order to verify if it suits your business needs: https://advisera.com/eugdpracademy/eu-gdpr-premium-documentation-toolkit/


 Is there any video surveillance policy available in the toolkits?

We did not include video surveillance policy in the toolkit because video surveillance is not directly regulated by GDPR, and most EU countries have their own rules. You should verify compliance with the internal rules of your country.
Most rules require to highlight security reasons for video surveillance, to avoid workers monitoring and public path.
They can require you to minimize the period you store images before overwriting them, to determine who can have access to images (you should set access procedures to those images) and the location where records are stored. Most Surveillance Authorities or Member States have set their specific requirements to comply with.
You can draft your own policy considering your country requirements and the limits set in GDPR as a data processing policy using the blank template from the GDPR Toolkit.

You can also schedule a call with Advisera's expert who can provide you with some guidelines on how to proceed with this document.
 

I am negotiating with a Data Processing Contract with an insurance company. Are these companies controllers or processors?

It depends if they process personal data on your behalf or not. 
Insurance companies usually are considered as data controllers because they determine the purposes and means of data processing on their own. 
However, if they can have direct access to your internal data (i.e. geolocalization data from security tools installed on board of your company car fleet) and process them on your behalf, by storing data in their servers, they can be considered data processor with reference to those data.


Here you can find some references referring to data controller and data processor:
- EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/

 

How can I best present a privacy notice? Do clients need to sign the notice

Signature is a clear sign of knowledge yet it is not mandatory. GDPR only requires you to inform your customers on your data processing activity and collect their consent when required.
Consent can be acquired through signature but also orally or by a clear affirmative action (i.e. clicking on a flag boxes)
Therefore, you can present a privacy notice as a link in your email signature in order to make easy for them to be informed, you can attach a privacy notice to your contracts, you can also inform them via telephone and register their consent (if needed), most depends on your activity.


Here you can find some useful material to make a GDPR Privacy Notice:
- Everything you need to know about the GDPR Privacy Notice: https://advisera.com/eugdpracademy/blog/2019/11/04/gdpr-privacy-notice-6-key-elements-to-include/
- Article 13 GDPR https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Feb 07, 2020

Feb 11, 2020

Suggested Topics

Guest user Created:   Oct 16, 2019 EU GDPR
Replies: 1
0 1

Questions regarding GDPR

Guest user Created:   Nov 11, 2019 EU GDPR
Replies: 1
0 0

Questions regarding EU GDPR

Guest user Created:   Feb 05, 2020 EU GDPR
Replies: 1
0 0

EU GDPR questions