Overseas data subjects
CRodica
I would say you take the GDPR as the gold standard as other laws take most principles from it. However, you will need to do a gap assessment for other laws where there are divergences and implement those in addition to GDPR’s requirements.
Providing personal contact details
CRodica
I would say you need to assess the necessity of getting the personal contact details of all those employees. For senior members, whose involvement is necessary in case of an emergency, I would say it meets such requirement, and legitimate interest can be used. However, is it the same for the rest of the employees? It depends on the purpose: what kind of emergencies? Based on this, the relevant lawful basis should be used, legitimate interest or consent. But you also should consider whether the consent would actually meet the requirements of freely given in an employment context, and they can withdraw it at any time without consequences. If this leads to the idea that actually the contact details are necessary, then probably legitimate interest is the right option. Or is it necessary at all?
Access to emails
CRodica
You can see some case law on monitoring employees’ correspondence here: https://www.echr.coe.int/Documents/FS_Workplace_surveillance_ENG.pdf
Basically, the interference should be necessary and proportionate to the purpose, hence the unlimited access is unlikely to meet these requirements.
It’s that dreaded time! I need to put together some FUN Data Protection training for Staff. Anyone have some great clips, quizzes, etc that they wouldn’t mind sharing!
CRodica
If this is for a certain team, a suggestion is to understand what the team’s priorities are, what plans and activities they do so that the training relates to their work. This sparks interest and questions.
CCTV warning signs
CRodica
There are no rules on how many signs there should be. The requirement is to provide clear notice to people before collecting the data. So it would need to be visible, clear to understand that by entering the specific office/location, the space is monitored. This ideally should be prior to entering, and have some contact information to the DPO or office responsible for data protection matters for any questions.
What is a data processor's legal basis for using data related to app usage?
CRodica
If it is for the processor’s own interest, who is taking on its own the decision to proceed with this analysis, then he is no longer a processor, but controller. Most likely it would rely on legitimate interest as no other grounds would be applicable. But this would also require performing a Legitimate Interest Assessment (LIA).
If, however, the activity is performed at the instructions of another company, then a data processor would not need a legal basis, but do so based on the contract with that company and based on its instructions.