What SCCs to use for UK transfers?
BlueBottle
Old EU SCCs as modified by the ICO, they’ve done the work on that: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/sccs-after-transition-period/
The new thing will be called an International Data Transfer Agreement (IDTA) and the consultation just closed.
Using SCCs
BlueBottle
You’re right, and it’s a good answer, *but* the OP is in the UK so cannot use the new EU SCCs to export data outside the UK to a country not subject to adequacy regulations, and would need to use the ICO’s modified version of the “old” EU SCCs.
The new UK IDTA would be the transfer tool once approved, but they’ve also got an addendum for the new EU SCCs where it’s not possible/practicable to modify terms.
Telling individuals of our processing
BlueBottle
I must unfortunately dissent from the view of DPOandCyber.
If you are the *receiver* of the personal data, then *you* are responsible for providing privacy information under Art. 14.
Depending on what it’s for, you may need to provide this information as soon as you use the data, or within one month of receipt.
The warranty from the *sender* of the data subjects’ consent is of more relevance in the due diligence stage than operationally.
Rule of thumb – whenever you get personal data other than as a processor, you need to provide a privacy notice. The way you do this can be quite creative and depends on the circumstances. I find many examples of professionals getting this wrong.
Profiling
BlueBottle
As DP-Pro says, this is not by itself profiling; however, I would question how malpractice is determined by recording behaviour.
If behaviours are compared to a set of behaviours that may indicate malpractice, it could be that individuals are being profiled as an additional step to the monitoring/recording.
Generating leads with a marketing company…
BlueBottle
OP – I would argue you are in fact engaged in a controller-to-controller transfer, as you are not determining the purposes and means of processing prior to the leads being given to you.
The marketing co are sharing data with you, but from that point, is it yours to do as you please with? As in, once you get a lead you’re paying a fee for it, and it’s up to you to convert that into a sale? If so, there’s a clear line in the sand between their and your responsibilities. Theirs end when they transfer data to you, yours begin when you receive it. This is very ordinary in a controller-to-controller transfer.
Legitimate Interest v. Soft Opt In
BlueBottle
…But there is an exemption from this where you are marketing your own similar products/services to individuals whose contact details were obtained in the course of a sale or negotiations for a sale, AND where they were given the option to opt out of marketing at that point, AND in every subsequent direct marketing communication. This is the “soft opt-in”.
When you use soft opt-in, you’re not employing consent, so you need another lawful basis. At this point, the lawful basis may very well be legitimate interests. The two, therefore, are not mutually exclusive.
In *any* case where you are direct marketing, the recipient has the right to object to the use of their personal data for this purpose under Art. 21(2) [UK] GDPR, no matter the lawful basis or whether it’s soft opt-in or otherwise.
I hope this goes some way towards answering your question.
Legitimate Interest v. Soft Opt In
BlueBottle
While I’m grateful for DP-Pro’s willingness to post an answer, I don’t feel they have satisfied the OP’s query: what is the difference between soft opt-in and legitimate interest?
Under the [UK] GDPR, processing must be lawful, which is to say, it must be covered by one of the lawful bases in Article 6. The legitimate interests of the controller or a third party is the sixth such basis (Art. 6(1)(f)). Consent is the first.
When an organisation’s (or a third party’s) interests, often commercial, are both legitimate (not unlawful, false or deceptive) and compatible with individuals’ rights and freedoms, and where processing personal data by the controller is necessary to further those interests, they may rely on this basis.
The ePrivacy Directive, implemented in the UK by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) requires consent for direct marketing by email or SMS in Regulation 22.
(Continued…)
Outsourcing of clinicians from a Third Party
BlueBottle
So if the clinician is an agency worker, and they will be processing personal data “under the direct authority of” your organisation, then from your perspective, they are not a third party and can therefore not be considered a processor.
There may need to be controller-to-controller contractual safeguards if the agency transfers the personal data of the clinicians to your organisation, which you then incorporate into your HR systems and process according to your own determination of purposes and means.
For the clinician, if an agency worker, their contract of employment will be with the agency, not your organisation. Therefore a separate confidentiality agreement incorporating the same terms you would apply to your employees might be needed.
Outsourcing of clinicians from a Third Party
BlueBottle
…
88. Whereas the terms “personal data”, “data subject”, “controller” and “processor” are defined in the Regulation, the concept of “persons who, under the direct authority of the controller or processor, are authorised to process personal data” is not. It is, however, generally understood as referring to persons that belong to the legal entity of the controller or processor (an employee or a role highly comparable to that of employees, e.g. interim staff provided via a temporary employment agency) but only insofar as they are authorized to process personal data. An employee etc. who obtains access to data that he or she is not authorised to access and for other purposes than that of the employer does not fall within this category. Instead, this employee should be considered as a third party vis-à-vis the processing undertaken by the employer. Insofar as the employee processes personal data for his or her own purposes, distinct from those of his or her employer, he or she will then be considered a controller and take on all the resulting consequences and liabilities in terms of personal data processing.
Outsourcing of clinicians from a Third Party
BlueBottle
[These comment boxes are very strictly limited, so I’ll reply to my comment with the rest of my answer.]
Excerpting from pp 28-29:
86. Article 4(10) defines a “third party” as a natural or legal person, public authority, agency or body other than
the data subject,
the controller,
the processor and
persons who, under the direct authority of the controller or processor, are authorised to process
personal data.
…