Whilst I agree that volume alone will not determine whether the request is excessive, you also bear in mind that the courts also look at a 'reasonable and proportionate test'.
Whilst I agree that volume alone will not determine whether the request is excessive, you also bear in mind that the courts also look at a ‘reasonable and proportionate test’.
I agree with Liz. If you don't have any reason to think that your senior managers are using WhatsApp for work related conversations you could argue that you are not the controller of any personal information in those conversations. This might be supported by your company policies on, for example conRead more
I agree with Liz. If you don’t have any reason to think that your senior managers are using WhatsApp for work related conversations you could argue that you are not the controller of any personal information in those conversations. This might be supported by your company policies on, for example confidential information?
If you think you are the controller, then unless you can point to a company policy on this, it is unlikely that you will be able to compel the senior managers to hand over their personal devices for you to search. I would document how the managers respond to any request to search their devices so you can produce this evidence if the ICO investigates.
You might also want to consider whether any information would be disclosable as part of a DSAR taking into account the third party privacy rights of your managers and therefore whether you can decline to search on the basis that it would not be reasonable or proportionate.
We use a balance of KPIs and KRI (Key Risk Indicators). So, for example , we might have KPI: Percentage of data subject rights requests completed within relevant timeframe KRI: Number of data subject rights requests received (as it might indicate issues elsewhere in the business) KPI: Percentage ofRead more
We use a balance of KPIs and KRI (Key Risk Indicators). So, for example , we might have
KPI: Percentage of data subject rights requests completed within relevant timeframe
KRI: Number of data subject rights requests received (as it might indicate issues elsewhere in the business)
KPI: Percentage of DPIAs reviewed and returned to the originator within x days
KRI: Number of initiatives which have gone live without a DPIA being initiated or being initiated in unrealistic timeframes
I agree with Simon, either model is possible. Personally I am in favour of educating and equipping front line staff to carry this out, with lots of guidance and support.
I agree with Simon, either model is possible. Personally I am in favour of educating and equipping front line staff to carry this out, with lots of guidance and support.
Thanks Dean. I should perhaps have confirmed in the question that the intention is to target existing customers, by providing the details directly to Google. These details have not been collected through our website. I understand the PECR requirements, and am concerned that Google is acting as a conRead more
Thanks Dean. I should perhaps have confirmed in the question that the intention is to target existing customers, by providing the details directly to Google. These details have not been collected through our website.
I understand the PECR requirements, and am concerned that Google is acting as a controller here (but happy to be corrected on this) meaning that we require specific consent to pass the details to Google.
We are a membership body. We run surveys of our members to get feedback on our performance but also on what they see as the future of the profession. Unfortunately I don't read German!
We are a membership body. We run surveys of our members to get feedback on our performance but also on what they see as the future of the profession. Unfortunately I don’t read German!
Thank you Hellen. We do have legal responsibilities to uphold the credibility of the profession, and investigations are usually prompted by complaints. Nevertheless, your points are extremely useful and give me another angle to consider this from.
Thank you Hellen. We do have legal responsibilities to uphold the credibility of the profession, and investigations are usually prompted by complaints. Nevertheless, your points are extremely useful and give me another angle to consider this from.
How comfortable are you that your employees consent will be freely given, in light of the imbalance of power between an employer and employee? Could you identify a different legal basis?
How comfortable are you that your employees consent will be freely given, in light of the imbalance of power between an employer and employee? Could you identify a different legal basis?
When can you say a DSAR email search is excessive ?
Andrea
Whilst I agree that volume alone will not determine whether the request is excessive, you also bear in mind that the courts also look at a 'reasonable and proportionate test'.
Whilst I agree that volume alone will not determine whether the request is excessive, you also bear in mind that the courts also look at a ‘reasonable and proportionate test’.
See lessWhatsapp Conversation relating to data subject on a work related matter on a non-work phone between senior managers. Is this SAR-able and FOI-able?
Andrea
I agree with Liz. If you don't have any reason to think that your senior managers are using WhatsApp for work related conversations you could argue that you are not the controller of any personal information in those conversations. This might be supported by your company policies on, for example conRead more
I agree with Liz. If you don’t have any reason to think that your senior managers are using WhatsApp for work related conversations you could argue that you are not the controller of any personal information in those conversations. This might be supported by your company policies on, for example confidential information?
If you think you are the controller, then unless you can point to a company policy on this, it is unlikely that you will be able to compel the senior managers to hand over their personal devices for you to search. I would document how the managers respond to any request to search their devices so you can produce this evidence if the ICO investigates.
You might also want to consider whether any information would be disclosable as part of a DSAR taking into account the third party privacy rights of your managers and therefore whether you can decline to search on the basis that it would not be reasonable or proportionate.
See lessPrivacy program KPIs
Andrea
We use a balance of KPIs and KRI (Key Risk Indicators). So, for example , we might have KPI: Percentage of data subject rights requests completed within relevant timeframe KRI: Number of data subject rights requests received (as it might indicate issues elsewhere in the business) KPI: Percentage ofRead more
We use a balance of KPIs and KRI (Key Risk Indicators). So, for example , we might have
KPI: Percentage of data subject rights requests completed within relevant timeframe
KRI: Number of data subject rights requests received (as it might indicate issues elsewhere in the business)
KPI: Percentage of DPIAs reviewed and returned to the originator within x days
See lessKRI: Number of initiatives which have gone live without a DPIA being initiated or being initiated in unrealistic timeframes
Managing CCTV requests
Andrea
I agree with Simon, either model is possible. Personally I am in favour of educating and equipping front line staff to carry this out, with lots of guidance and support.
I agree with Simon, either model is possible. Personally I am in favour of educating and equipping front line staff to carry this out, with lots of guidance and support.
See lessComputer based training for employees
Andrea
We are looking to move away from our current packages, and to widen out the focus from concentration on the GDPR.
We are looking to move away from our current packages, and to widen out the focus from concentration on the GDPR.
See lessGoogle Ads
Andrea
Thanks Dean. I should perhaps have confirmed in the question that the intention is to target existing customers, by providing the details directly to Google. These details have not been collected through our website. I understand the PECR requirements, and am concerned that Google is acting as a conRead more
Thanks Dean. I should perhaps have confirmed in the question that the intention is to target existing customers, by providing the details directly to Google. These details have not been collected through our website.
I understand the PECR requirements, and am concerned that Google is acting as a controller here (but happy to be corrected on this) meaning that we require specific consent to pass the details to Google.
See lessCustomer satisfaction survey
Andrea
We are a membership body. We run surveys of our members to get feedback on our performance but also on what they see as the future of the profession. Unfortunately I don't read German!
We are a membership body. We run surveys of our members to get feedback on our performance but also on what they see as the future of the profession. Unfortunately I don’t read German!
See lessCustomer satisfaction survey
Andrea
So, would all surveys also be considered marketing in Germany?
So, would all surveys also be considered marketing in Germany?
See lessEmployees accessing information using personal LinkedIn accounts.
Andrea
Thank you Hellen. We do have legal responsibilities to uphold the credibility of the profession, and investigations are usually prompted by complaints. Nevertheless, your points are extremely useful and give me another angle to consider this from.
Thank you Hellen. We do have legal responsibilities to uphold the credibility of the profession, and investigations are usually prompted by complaints. Nevertheless, your points are extremely useful and give me another angle to consider this from.
See lessCollecting Special Category Data for staff
Andrea
How comfortable are you that your employees consent will be freely given, in light of the imbalance of power between an employer and employee? Could you identify a different legal basis?
How comfortable are you that your employees consent will be freely given, in light of the imbalance of power between an employer and employee? Could you identify a different legal basis?
See less