GDPR Quiz Answers. Hi. If a data subject does not grant their consent to the administrator of a service, it does not justify the failure to provide the service, unless the consent is a requirement of the provider of the service itself. This regulation affects every company and public institution in the European Union as well as foreign companies doing business within the EU. One of the new principles that GDPR brings is the necessity to acquire unambiguous and unconditional consent for personal data processing from a data subject. Do we need to track that this request was made and fulfilled? If I understand it correctly, you are asking whether the employer has a right to take an employee’s personal mobile phone from him/her during the work hours. Secondly, GDPR does not require consent in all cases of personal data processing. If the regulatory authority decides to provide recommendations rather than a fine, it is in specific cases entirely possible. However, one imagines the intention of the GDPR is that it should apply to any offering targeting individuals in the EU. GDPR does not address this particular scenario. Could you tell me your thoughts on banners advertising a business’s products included on email signatures? Good article, I learned much from it and from the comments and answers to the questions. It depends on the legal purpose for processing his/her personal data. How does GDPR change the rules for research? In case of additional questions, just let us know. Should you have any additional questions, do not hesitate to ask. In your opinion, if someone withdrew consent would we have to get rid of both the potential identifier and the data connected to it, or just the identifier? The European government has taken this measure to ensure security measures in today’s digitalized era. Is it against GDPR to have this type of message book in the office to be completed by staff when a call comes through?
In your case, I would suggest saying that the purpose is sending whitepapers on a regular basis, from which the user can unsubscribe at any time, and that he is going to receive the first one immediately. I work for a small bank not established in the EU which has some EU customers. These exam questions relate to the GDPR Foundation certification and are great examples of what you might expect on an entry-level GDPR exam. In general, you don’t need consent for types of processing that fall under a different lawful basis of Article 6 (1) of GDPR. Does GDPR apply only to commercial businesses, or even charitable organizations, or private individuals? I have a question of my own; the booking system for the leisure company I support collects customer information and requires that customers sign a waiver before taking part in various activities. (b) the monitoring of their behaviour as far as their behaviour takes place within the Union. Do these data come under the competence of GDPR? On the other hand, it is a very tricky question and it was never answered by the CJEU. I know we’re not allowed to use that email to use for another mailing on another topic…but can we offer, say, a series of white papers issued at quarterly intervals, that can be covered by a one-time consent? In this case, in our opinion, you are not offering goods or services to the data subjects in EU. The right to be forgotten is not an absolute/ultimate right. 27 says, the representative is not needed in the following case: Have you heard the phrase “GDPR” and wondered what it is? – ensure adequate level of security for both transfer and using the data INTO question and answer guide “Everyone has the right to the protection of personal data” –European Commission The General Data Protection Regulation (GDPR) came into force on 25 May 2018.
I would suggest asking this question to your employer, as you have the right to information under GDPR. Does an offer of shares in a company constitute an offer of “goods or services” under Article 3.2(a) GDPR? It requires you to protect personal data in both physical and digital forms adequately. We keep records of data and store them in cloud services, for example Google Suite. DPO is a stand-alone entity responsible for the processing of personal data in an organization. A separate database on a separate server? Other examples of large scale processing are the use of search engines to target personal data for advertising, and processing customer data as a part of the routine sales activities of an insurance company or a bank. GDPR requirements apply to organizations, but data protection responsibilities also naturally pass on to employees who work with the data. First of all, it is necessary to examine the extent of the ISMS to find out if it really applies to all kinds of personal data processing in the organization. In that case, it won’t fall under the material scope of the GDPR. Right or wrong? Please note that GDPR might not be the only law related to direct marketing and the situation may vary according to the country you do business in. When groups design their systems to be GDPR compliant, they must not forget to review and modify the systems that deal with internal staff information. The online marketing platform that I use has stated they are doing everything they need to do on their end to comply with the GDPR. tracking visitors on your website, large profiling of customers, cookies etc.) If we get a response from some natural person who responds from info@company.com then we should acquire his/her fully GDPR compliant consent. As Art. We also don’t think the processing may result in a risk to the rights and freedoms of natural persons. GDPR stands for the General Data Protection Regulation.
If you need more information, please specify the question a little bit more. Is my company GDPR compliant? Here we answer the 20 most frequently asked questions people have about GDPR. So, if you are able to trace these ‘personality traits’ back to specific customers, it is considered a processing of personal data. There is no previous I have two options: to store the data in the software on my computer in my dentist’s office, or to store the data online – in the cloud. This will help you identify key points to achieve compliance. In GDPR, there are more articles that could be misunderstood; that’s why we recommend discussing the implementation with experts to be sure you are implementing it correctly. GDPR states that processing personal data on a ”large scale” triggers the designation of a DPO. Our data contain at most one or two pseudonymized data items connected to the data they produce. I gathered the questions and answers collected from our GDPR webinars (webinar 1, webinar 2) as well as questions asked by our customers. incorporate customer portals under an authenticated section on the webpage. How is ”large scale” defined? Also, there is a limited impact of a security incident affecting just these numbers. Is it enough that someone has emailed you from a recognised email address and perhaps has physical address details as well or other basic personal information? Broad home office exposes your company data, You are analyzing or collecting data to the necessary extent required for your business. Yes, we recommend documenting the request for your internal tracking. On a side note, many of the email gateways encrypt emails within internal communication by default. The GDPR (General Data Protection Regulation) came into force on 25 May 2018. I have a question on a non-European company who hired European citizens. – Who has access to the server My business provides offshoring support to clients for which we communicate a lot in emails.
We outsource to a company abroad (outside of the EU), so they have access to our CRM database and client information. By making access to your personal information a right, GDPR seems to be making it less secure! I ask about the first two because it seems counter to GDPR to now voluntarily email someone who just asked to be removed from all communications. The EU General Data Protection Regulations (GDPR) come into effect on 25th of May 2018 and another layer of regulations to The Data Protection Act 1998. consent, …) Who regulates/controls wording of the Consent for personal data processing document? What I would give you would definitely be general ideas, because GDPR is a general regulation that can be used for organizations of any size and industry. Alice Baker 6th April 2018. To do so, there must be an intention to offer goods or services to data subjects in the EU, which is not the case here. It went into effect May 25, 2018. Thanks for this article. You can find the information you are seeking in Article 3 (2) of GDPR: This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: d) €20 million is the maximum fine, or 4% of an organisation’s annual turnover (for the previous year), whichever is greater. Each company should decide for itself whether to designate an internal or external DPO. the customer does not have a database of asset numbers (notebooks) and employees with a connection between them; Do we need to track that this request was made and fulfilled? Sorry for the length of this… As one of the primary objectives of GDPR is protecting the personal information of natural persons, I wonder if you could comment on the following scenario? The GDPR came into effect on May 25, 2018, and raises numerous questions among organizations that handle data in Europe.
And how do I ensure permission for using a reporter’s email address, if this information is publicly available online? Hello. GDPR impacts your whole organization and by just transferring all personal data to G-Suite you are not doing enough to comply with it. According to law, I have to keep a record of this documentation for 10 years – either in print form or electronically with an electronic signature. You should go step by step through all GDPR requirements and do a gap analysis to make sure that you are compliant. There is conflicting information as to whether it is for “…any citizen living in the EU…” or “…any EU citizen regardless of where the company is..”. Could you suggest to me modalities to implement this GDPR for my company? If I have a physical contract for example, do I have to put it in digital format? and these may trigger this requirement as mandatory for you. Are there basic questions you’re too scared to ask? Is this something we would have to provide if the customer requested a copy of their data? In case of further questions, do not hesitate to contact us. An employee is a natural person and if a record of his/her attendance is unambiguously connected with his/her identifier, then it is considered to be personal data. The personality information would be used to help sales staff communicate effectively with the customer. right to be deleted upon a customer’s request can be done by removing a single line in an Excel Spreadsheet). You would be held liable in case of the incident you describe, if the regulatory authority in your country finds out that you don’t protect the data well enough. Is this sufficient? Yes, the GDPR regulation applies to your case of personal data processing. As you correctly assume, these emails contain personal data that fall under the scope of GDPR.
Do we have to ask our customers for their permission again, so that the new requirements are met? I want to find out if we implement this GDPR at my company, whether it is mandatory to transfer all physical documents into digital format? Best regards. What is your opinion on that? Thank you for your feedback and question. Please see the answers below: Do we confirm receipt of the request? GDPR went into effect on May 25th, 2018. If the information is publicly accessible on the website of the person in question, so that people can contact him/her, you don’t have to ask the person for permission. At the webinar we received more questions than we could possibly have answered, and so here are the answers: Is there a document available online which lists everything that is considered personal data? To answer the other part – by using either of the two options you named, you do not transfer the burden of GDPR to anybody else. The answer to your question then must be yes, the content of such documents must be considered personal data, provided that it is attributable to a specific person and other recipients could match the content of some document with its author. What are our duties to protect data when servers are out of our reach? In order to be compliant, as with any other processing, there are more things you should do. What about other information which can be accessed online, such as address, phone number….other related information about people, such as a YouTube username, etc…? For example, you definitely need an address to be able to send a product to a customer. However, it’s possible that we have customers that have moved from the US to Europe and we are unaware of this move. It depends on whether the incident happens at the administrator or processor side. And do both the operator of the web application and I need to treat them that way? The General Data Protection Regulation (GDPR) does not provide an explicit answer to your question.
It seems to me that, in the absence of any hard and fast rules, each company will interpret “reasonable means” in a different way. Will we now need to ask for explicit permission to store them? Under Article 3 of Regulation (EU) 2016/679 on the protection of natural persons (hereinafter “GDPR”), the GDPR applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union. If I understand your question properly, we would not recommend doing it. Hi, I work for a retail store that prints my name and employee number at the bottom of the receipt. Thanks in advance. You guarantee the safety of personal data (e.g. It depends on the way you will communicate the purpose of processing the personal data. But by employing the right of subject access, the customer can raise an objection/question on why a particular type of information is being processed. I work with a large public education entity. Recognizing this, manually or automatically, will be a nightmare. So, you get an email request from someone on your database asking for any information you hold on them and you are legally obliged to provide that. These asset numbers are not considered personal data if there is no connection with a natural person – e.g. It clearly comes under GDPR, yet in all fairness, I didn’t ask for it and I was given it in a way that makes it almost impossible to segregate it from information for which I do have a legitimate interest. Do you GDPR? For example, they have to be secured against being misused by police. It is a necessary first step when determining how you are going to comply with the GDPR.
My name is used on my email address for the company that I work for, and my full name; does this fall under GDPR? In your particular example, if this happens just once in a while, it might not be worthwhile to invest in an encryption solution as opposed to bigger organizations, where it happens on a regular basis. Yes, it is essential to verify the stated age of the person who gives consent for data processing. Are we allowed under GDPR to send one email to a police officer with a list of names and ask for updates, or do we need to send an individual email for each service user to the one police officer? request to remove any records related to a customer or export data in a universal format readable by a machine – see right for data portability), You are removing personal data no longer needed on a regular basis, You’ve documented how you handle personal data (all parts required by GDPR). You are right that there is a possibility that companies will not understand the requirement properly, which can lead to unintended exposure and misuse of the information. So, there is no need to meet the obligations set by GDPR. Nevertheless, I would recommend thinking about your database in more detail – sometimes it is not enough to just erase one identifier. In this post, we’ll answer 8 common GDPR questions that we hear from customers and prospects. a) €2,000. With less than a year left to go, there’s still time to prepare your organization for the EU’s GDPR compliance requirements. All the data you have about people that are now EU citizens fall under the scope of GDPR. The General Data Protection Regulation is a European Union law that was implemented May 25, 2018, and requires organizations to safeguard personal data and uphold the privacy rights of anyone in EU territory.
Does GDPR apply also to contact information collected before the regulation comes into force? Are a customer’s business phone number, business email address and business IP address also considered to be personal data? Q: What is a data subject access request (DSAR)? According to commentary literature on the GDPR, random or unintentional processing does not fall under the material scope of the GDPR. Who bears the responsibility in case of an incident? For example by saying he/she does not want his/her phone number or IP address to be stored by us? That might be considered ‘reasonable means’ in such a case. In other words, any data collected in the EU are governed by GDPR. Records are stored on servers in the USA using SAP and Microsoft Cloud (not sure where these MS Cloud servers are located). paralegal, http://www.sedlakovalegal.com, If we do business with EU citizens in the US, do we need to be GDPR compliant? Safetica DLP handles a lot of data. They should provide you with all the information about the purpose, legal basis and other terms of processing, as well as with your rights. For some of the processings you mentioned (taxes, agenda about social insurance etc. – find out if the country outside the EU provides an adequate level of protection and if not, ensure that all the requirements of GDPR for transfer outside of the EU are met (e.g. Any e-shop that processes personal customer data must comply with GDPR. Thank you in advance. One example of large scale processing is the processing of patients’ data as a part of routine hospital activities (unlike patient data processing by an individual doctor – this is not considered ”large scale”). Yes, we recommend confirming receipt, especially if the processing of the request is going to take you some time (a couple of days / weeks).
– Who has access to the database Yes, but this consent has to be recorded and documentable for cases of a control by a supervisory authority, and it has to meet all the GDPR requirements for correct consent granting. Name is the most relevant identifier used to identify a person and therefore shall be considered personal data. Regarding the consent, you don’t need it if the processing falls under a different subsection than (a) of Article 6 section 1 – it might fall under a “legitimate interest” of subsection (f), but it is relevant how much information you really collect. c) €2 million. EU GDPR is the “Talk of the Town” presently and it is a big step towards giving EU people the right to their personal data. According to GDPR, the obligation to protect personal data applies to both the administrator and the processor (external company processing the data). What is GDPR and why should we care? In the GDPR regulation, the definition of personal data is formulated very generally. As soon as there is a link to the individual, you must treat this information as personal. I have a home and garden blog with a small base of subscribers. Is there anything else we need to consider and do? I work for a charity who often contacts different UK police forces for updates on our service users. “You must verify the identity of the person making the request, using ‘reasonable means’.” And further GDPR requirements are of course valid. Providers of these kinds of services of course have to ensure compliance of their services with GDPR. We recommend a very precise definition of the responsibility of both subjects in a contract. When the request comes this way, you can be quite sure about the identity of the person, because he/she needed to authenticate to get into that section anyway. This isn’t an easy topic, but I’ll try to answer you. Do we confirm once the deletion/erasure has taken place? Who has the role of DPO?
If you lose an identifier, the data is no longer personal according to the definition in GDPR. If there is no link to a specific individual, randomly generated numbers will not be considered personal data. Under the GDPR, consumers have privacy rights as well. C 8. Safetica is only a tool (system) which collects and processes personal data. If a specific law applies to your business then you should follow it. If the content of documents created in Microsoft Office is attributable to a specific person, the content would then represent personal data. Question 1 (5 points): Please list at least five GDPR implementation advantages. The most important things to consider in your case: It’s been mentioned that parental consent is required to process the data of children younger than 16. Nevertheless, you can refer to the general provisions of GDPR, which should give you an idea on this topic. If you must process the data in order to provide products or services, then the data can also be minimally processed without consent. Some companies e.g. Answer a few questions and assess your company according to the new General Data Protection Regulation. A separate table within a database? I’m really glad I came across this article, as I have been looking everywhere for the answer to my question, and I have not yet been lucky.