Marketing preferences
Hi! I’m not an expert on PECR but based on my understanding, your organisation could rely on soft opt-in for both email and phone marketing provided that your organisation:
– has an ongoing relationship with the individuals
– is the entity that has both obtained the contact details
– is sending the marketing email or calling (not through a third party), and
– provides an easy way for individuals to opt-out
Soft opt-in means that you can contact an individual for marketing purposes on an opt-out basis if the listed conditions are fulfilled.
I hope this helps and maybe someone with more experience can weigh in!
Call recordings
In regard to the second question, I recommend looking at Guidelines 01/2022 on data subject rights – Right of access. Of particular interest are likely para. 104 and Example 1 in para. 171.
In brief, the right to access also applies to the actual call recordings (and the transcripts, if they exist already). You should however analyse if giving access to this data has a negative impact on the rights and freedoms of the customer service agent.
In the example the EDPB gives, if the only personal data processed by the CS agent is their voice, it is unlikely to identify said CS agent and it would therefore not negatively affect their own rights. Therefore you may provide the full recording in the DSAR.
If other personal data by the CS agent is included (e.g. their name) you may consider omitting/censoring those parts.
I hope this helps!
(In regard to question #1 – stating the unhelpful obvious – it depends on the purpose you process the personal data for in the first place.)
Using SCC’s
Hi Caroline! If you’re referring to Fly Software Ltd – it is a UK company and therefore a DPA would be enough and no transfer tool should be needed if your company is in the UK, too. As far as I know the jury is still out on how US surveillance laws (e.g. Cloud Act and FISA) impact UK/EU companies with US parent companies. Maybe someone else in the community knows more?
If you decide to play it safe and apply a transfer tool, I can only say that the ICO announced that the old SCCs are still valid for third country transfers. You can find the adapted versions and more info about the post-Brexit context here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/sccs-after-transition-period/
Using SCC’s
If your data leaves the UK and gets transferred to a third country that doesn’t enjoy the luxury of an EU Commission Adequacy decision you have to use a transfer tool, e.g. the new SCCs (https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj). Since Schrems II you’ll also have to assess the standard of data protection of the recipient country (https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf and https://edpb.europa.eu/sites/default/files/files/file1/edpb_recommendations_202002_europeanessentialguaranteessurveillance_en.pdf).
Using SCC’s
Hi! If you’re located in the EEA and want to use a processor in the UK you don’t have to enter into SCCs since the EU Commission issued an Adequacy decision for transfers to the UK. So, if the data stays in the UK you don’t have to take any extra steps to render the data transfer lawful beyond entering into a regular Art. 28 GDPR DPA. E.g. you could use the new standard DPA by the EU Commission (https://eur-lex.europa.eu/eli/dec_impl/2021/915/oj).
GDPR consultancy concerns/Confusion
You’ll need to enter into a data processing agreement (DPA) with your clients for the processing activities of personal data where you act as a processor, i.e. for the activities that you carry out on behalf of your client. The DPA needs to be in line with Art. 28 GDPR.
When you act as a processor for a certain processing activity, it does not matter if you or the controller collect the personal data – you are still the processor and carry those activities out as defined in the DPA.
If you carry out processing activities that are not in line with the DPA and the instructions of the controller (i.e. you decide the means and purposes of the processing), you act as a controller for the data. This may be problematic since you need to comply with obligations for controllers under GDPR.
What browser is from your point of view the most privacy-friendly browser?
Here’s a great resource for privacy-friendly tools that can serve as a good starting point for beefing up your privacy on the web -> https://privacytools.io/
Is privacy over rated?
I’d say that most people who are aware of the risks care about privacy. IMO being in control of what info is known about me and by whom is crucial. Seeing how much organisations know about people is quite scary. Not only because I don’t like that they know so much about me (maybe know me better than I know myself and can thereby predict my behaviour) but also because mistakes happen.
Identity theft, exposing sensitive info to hackers following a data breach, or the data may be shared with an organisation that I don’t like the data should be shared with.
E.g. I don’t want that Facebook has access to all my private messages since I have almost no control over who reads those messages and what happens with them. I therefore use FOSS E2E apps as much as possible.
Posting gifts to employees
I’d say that this processing activity can be based on legitimate interest instead of consent. It is in your company’s legitimate interest to keep the morale high among the troops.
Don’t forget to conduct a Legitimate Interest Assessment beforehand to confirm that you can rely on this legal ground and to ensure that you’re taking all the necessary measures to carry this processing out in the best and safest way possible.