Watercooler by DPOrganizer

BlueBottle

Bronze contributor
  1. Asked: September 20, 2021 In: GDPR, Privacy Management

    What SCCs to use for UK transfers?

    BlueBottle Bronze contributor
    Added an answer on October 20, 2021 at 12:06 pm

    Old EU SCCs as modified by the ICO, they’ve done the work on that: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/sccs-after-transition-period/

    The new thing will be called an International Data Transfer Agreement (IDTA) and the consultation just closed.

    • 0
  2. Asked: October 4, 2021 In: GDPR

    Using SCC’s

    BlueBottle Bronze contributor
    Replied to answer on October 20, 2021 at 12:03 pm

    You’re right, and it’s a good answer, *but* the OP is in the UK so cannot use the new EU SCCs to export data outside the UK to a country not subject to adequacy regulations, and would need to use the ICO’s modified version of the “old” EU SCCs.

    The new UK IDTA would be the transfer tool once approved, but they’ve also got an addendum for the new EU SCCs where it’s not possible/practicable to modify terms.

    • 0
  3. Asked: October 8, 2021 In: GDPR

    Telling individuals of our processing

    BlueBottle Bronze contributor
    Added an answer on October 20, 2021 at 11:53 am

    I must unfortunately dissent from the view of DPOandCyber.

    If you are the *receiver* of the personal data, then *you* are responsible for providing privacy information under Art. 14.

    Depending on what it’s for, you may need to provide this information as soon as you use the data, or within one month of receipt.

    The warranty from the *sender* of the data subjects’ consent is of more relevance in the due diligence stage than operationally.

    Rule of thumb – whenever you get personal data other than as a processor, you need to provide a privacy notice. The way you do this can be quite creative and depends on the circumstances. I find many examples of professionals getting this wrong.

    • 1
  4. Asked: October 1, 2021 In: GDPR

    Profiling

    BlueBottle Bronze contributor
    Added an answer on October 20, 2021 at 11:45 am

    As DP-Pro says, this is not by itself profiling, however I would question how malpractice is determined by recording behaviour.

    If behaviours are compared to a set of behaviours that may indicate malpractice, it could be that individuals are being profiled as an additional step to the monitoring/recording.

    • 0
  5. Asked: October 17, 2021 In: GDPR

    Generating leads with a marketing company….

    BlueBottle Bronze contributor
    Added an answer on October 20, 2021 at 11:39 am

    OP – I would argue you are in fact engaged in a controller-to-controller transfer, as you are not determining the purposes and means of processing prior to the leads being given to you.

    The marketing co are sharing data with you, but from that point, is it yours to do as you please with? As in, once you get a lead you’re paying a fee for it, and it’s up to you to convert that into a sale? If so, there’s a clear line in the sand between their and your responsibilities. Theirs end when they transfer data to you, yours begin when you receive it. This is very ordinary in a controller-to-controller transfer.

    • 0
  6. Asked: October 19, 2021 In: GDPR

    Legitimate Interest v. Soft Opt In

    BlueBottle Bronze contributor
    Replied to answer on October 20, 2021 at 11:32 am

    …But there is an exemption from this where you are marketing your own similar products/services to individuals whose contact details were obtained in the course of a sale or negotiations for a sale, AND where they were given the option to opt out of marketing at that point, AND in every subsequent direct marketing communication. This is the “soft opt-in”.

    When you use soft opt-in, you’re not employing consent, so you need another lawful basis. At this point, the lawful basis may very well be legitimate interests. The two, therefore, are not mutually exclusive.

    In *any* case where you are direct marketing, the recipient has the right to object to the use of their personal data for this purpose under Art. 21(2) [UK] GDPR, no matter the lawful basis or whether it’s soft opt-in or otherwise.

    I hope this goes some way towards answering your question.

    • 1
  7. Asked: October 19, 2021 In: GDPR

    Legitimate Interest v. Soft Opt In

    BlueBottle Bronze contributor
    Added an answer on October 20, 2021 at 11:27 am
    This answer was edited.

    While I’m grateful for DP-Pro’s willingness to post an answer, I don’t feel they have satisfied the OP’s query: what is the difference between soft opt-in and legitimate interest?
    Under the [UK] GDPR, processing must be lawful, which is to say, it must be covered by one of the lawful bases in Article 6. The legitimate interests of the controller or a third party is the sixth such basis (Art. 6(1)(f)). Consent is the first.
    When an organisation’s (or a third party’s) interests, often commercial, are both legitimate (not unlawful, false or deceptive) and compatible with individuals’ rights and freedoms, and where processing personal data by the controller is necessary to further those interests, they may rely on this basis.
    The ePrivacy Directive, implemented in the UK by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) requires consent for direct marketing by email or SMS in Regulation 22.
    (Continued…)

    • 0
  8. Asked: September 9, 2021 In: GDPR, Privacy Management

    Outsourcing of clinicians from a Third Party

    BlueBottle Bronze contributor
    Replied to answer on September 16, 2021 at 10:04 am

    So if the clinician is an agency worker, and they will be processing personal data “under the direct authority of” your organisation, then from your perspective, they are not a third party and can therefore not be considered a processor.

    There may need to be controller-to-controller contractual safeguards if the agency transfers the personal data of the clinicians to your organisation, which you then incorporate into your HR systems and process according to your own determination of purposes and means.

    For the clinician, if an agency worker, their contract of employment will be with the agency, not your organisation. Therefore a separate confidentiality agreement incorporating the same terms you would apply to your employees might be needed.

    • 0
  9. Asked: September 9, 2021 In: GDPR, Privacy Management

    Outsourcing of clinicians from a Third Party

    BlueBottle Bronze contributor
    Replied to answer on September 16, 2021 at 10:04 am

    …

    88. Whereas the terms “personal data”, “data subject”, “controller” and “processor” are defined in the Regulation, the concept of “persons who, under the direct authority of the controller or processor, are authorised to process personal data” is not. It is, however, generally understood as referring to persons that belong to the legal entity of the controller or processor (an employee or a role highly comparable to that of employees, e.g. interim staff provided via a temporary employment agency) but only insofar as they are authorized to process personal data. An employee etc. who obtains access to data that he or she is not authorised to access and for other purposes than that of the employer does not fall within this category. Instead, this employee should be considered as a third party vis-à-vis the processing undertaken by the employer. Insofar as the employee processes personal data for his or her own purposes, distinct from those of his or her employer, he or she will then be considered a controller and take on all the resulting consequences and liabilities in terms of personal data processing.

    • 0
  10. Asked: September 9, 2021 In: GDPR, Privacy Management

    Outsourcing of clinicians from a Third Party

    BlueBottle Bronze contributor
    Replied to answer on September 16, 2021 at 10:03 am

    [These comment boxes are very strictly limited, so I’ll reply to my comment with the rest of my answer.]

    Excerpting from pp 28-29:

    86. Article 4(10) defines a “third party” as a natural or legal person, public authority, agency or body other than
    • the data subject,
    • the controller,
    • the processor and
    • persons who, under the direct authority of the controller or processor, are authorised to process personal data.

    …

    • 0
© 2021 DPOrganizer. All Rights Reserved. With Love by DPOrganizer.