providing personal contact details
Andrea
I’m curious why you would not just ask the Directors in question for consent? Alternatively could you not provide them with a work phone on which the Business Continuity Director could contact them if necessary?
Access to emails
Andrea
There have been some recent cases in Europe on the topic of access to former employees’ email accounts which may provide some insight on regulatory expectations. Try searching https://gdprhub.eu/index.php?title=Welcome_to_GDPRhub.
Using WhatsApp to communicate with customers
Andrea
There was a recent case in Finland, where the Data Protection Authority ruled that a cleaning company breached the GDPR by using WhatsApp instant messaging services with its employees as a means to share information about its customers. Among other things, the company had no means to oversee the use of personal data via WhatsApp, or otherwise impose restrictions on possible further use.
Can ads be reactivated?
Andrea
Not if they have opted out of receiving marketing from you.
Is usage tracking allowed?
Andrea
Are your colleagues anticipating using analytical cookies for tracking usage? If so, you will need to ensure that your cookie banners are clear and correctly set up and consent gathered (it seems unlikely you could say that the analysis is necessary for the performance of the search).
Are you going to get consent for the profiling/emails or (depending where in the world you and your users are) rely on the existing customer relationship (assuming you are recommending similar products or services)? Either way, you need to be transparent in your privacy policy and give your users a chance to opt out.
When can you say a DSAR email search is excessive?
Andrea
Whilst I agree that volume alone will not determine whether the request is excessive, you should also bear in mind that the courts also look at a ‘reasonable and proportionate test’.
WhatsApp conversation relating to data subject on a work related matter on a non-work phone between senior managers. Is this SAR-able and FOI-able?
Andrea
I agree with Liz. If you don’t have any reason to think that your senior managers are using WhatsApp for work related conversations you could argue that you are not the controller of any personal information in those conversations. This might be supported by your company policies on, for example, confidential information?
If you think you are the controller, then unless you can point to a company policy on this, it is unlikely that you will be able to compel the senior managers to hand over their personal devices for you to search. I would document how the managers respond to any request to search their devices so you can produce this evidence if the ICO investigates.
You might also want to consider whether any information would be disclosable as part of a DSAR taking into account the third party privacy rights of your managers and therefore whether you can decline to search on the basis that it would not be reasonable or proportionate.
Privacy program KPIs
Andrea
We use a balance of KPIs and KRIs (Key Risk Indicators). So, for example, we might have
KPI: Percentage of data subject rights requests completed within relevant timeframe
KRI: Number of data subject rights requests received (as it might indicate issues elsewhere in the business)
KPI: Percentage of DPIAs reviewed and returned to the originator within x days
KRI: Number of initiatives which have gone live without a DPIA being initiated or being initiated in unrealistic timeframes
Managing CCTV requests
Andrea
I agree with Simon, either model is possible. Personally I am in favour of educating and equipping front line staff to carry this out, with lots of guidance and support.
Computer based training for employees
Andrea
We are looking to move away from our current packages, and to widen out the focus from concentration on the GDPR.