Hi Caroline! If you're referring to Fly Software Ltd - it is a UK company and therefore a DPA would be enough and no transfer tool should be needed if your company is in the UK, too. As far as I know the jury is still out on how US surveillance laws (e.g. Cloud Act and FISA) impact UK/EU companies wRead more
Hi Caroline! If you’re referring to Fly Software Ltd – it is a UK company and therefore a DPA would be enough and no transfer tool should be needed if your company is in the UK, too. As far as I know the jury is still out on how US surveillance laws (e.g. Cloud Act and FISA) impact UK/EU companies with US parent companies. Maybe someone else in the community knows more?
If you decide to play it safe and apply a transfer tool, I can only say that the ICO announced that the old SCCs are still valid for third country transfers. You can find the adapted versions and more info about the post-Brexit context here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/sccs-after-transition-period/
If your data leaves the UK and gets transferred to a third country that doesn't enjoy the luxury of an EU Commision Adequacy decision you have to use a transfer tool, e.g. the new SCCs (https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj). Since Schrems II you'll also have to assess the standard of dRead more
Hi! If you're located in the EEA and want to use a processor in the UK you don't have to enter into SCCs since the EU Commission issued an Adequacy decision for transfers to the UK. So, if the data stays in the UK you don't have to take any extra steps to render the data transfer lawful beyond enterRead more
Hi! If you’re located in the EEA and want to use a processor in the UK you don’t have to enter into SCCs since the EU Commission issued an Adequacy decision for transfers to the UK. So, if the data stays in the UK you don’t have to take any extra steps to render the data transfer lawful beyond entering into a regular Art. 28 GDPR DPA. E.g. you could use the new standard DPA by the EU Commission (https://eur-lex.europa.eu/eli/dec_impl/2021/915/oj).
You'll need to enter into a data processing agreement (DPA) with your clients for the processing activities of personal data where you act as a processor, i.e. for the activities that you carry out on behalf of your client. The DPA needs to be in line with Art. 28 GDPR. When you act as a processor fRead more
You’ll need to enter into a data processing agreement (DPA) with your clients for the processing activities of personal data where you act as a processor, i.e. for the activities that you carry out on behalf of your client. The DPA needs to be in line with Art. 28 GDPR.
When you act as a processor for a certain processing activity, it does not matter if you or the controller collect the personal data – you are still the processor and carry those activities out as defined in the DPA.
If you carry out processing activities that are not in line with the DPA and the instructions of the controller (i.e. you decide the means and purposes of the processing), you act as a controller for the data. This may be problematic since you need to comply with obligations for controllers under GDPR.
Here's a great resource for privacy-friendly tools that can serve as a good starting point for beefing up your privacy on the web -> https://privacytools.io/
Here’s a great resource for privacy-friendly tools that can serve as a good starting point for beefing up your privacy on the web -> https://privacytools.io/
I'd say that most people who are aware of the risks care about privacy. IMO being in control of what info is known about me and by whom is crucial. Seeing how much organisations know about people is quite scary. Not only because I don't like that they know so much about me (maybe know me better thanRead more
I’d say that most people who are aware of the risks care about privacy. IMO being in control of what info is known about me and by whom is crucial. Seeing how much organisations know about people is quite scary. Not only because I don’t like that they know so much about me (maybe know me better than I know myself and can thereby predict my behaviour) but also because mistakes happen.
Identity theft, exposing sensitive info to hackers following a data breach, or the data may be shared with an organisation that I don’t like the data should be shared with.
E.g. I don’t want that Facebook has access to all my private messages since I have almost no control over who reads those messages and what happens with them. I therefore use FOSS E2E apps as much as possible.
I'd say that this processing activity can be based on legitimate interest instead of consent. It is in your company's legitimate interest to keep the morale high among the troops. Don't forget to conduct a Legitimate Interest Assessment before to confirm that you can rely on this legal ground and toRead more
I’d say that this processing activity can be based on legitimate interest instead of consent. It is in your company’s legitimate interest to keep the morale high among the troops.
Don’t forget to conduct a Legitimate Interest Assessment before to confirm that you can rely on this legal ground and to ensure that you’re taking all the necessary measures to carry this processing out in the best and safest way possible.
Using SCC’s
d9d9d9
Hi Caroline! If you're referring to Fly Software Ltd - it is a UK company and therefore a DPA would be enough and no transfer tool should be needed if your company is in the UK, too. As far as I know the jury is still out on how US surveillance laws (e.g. Cloud Act and FISA) impact UK/EU companies wRead more
Hi Caroline! If you’re referring to Fly Software Ltd – it is a UK company and therefore a DPA would be enough and no transfer tool should be needed if your company is in the UK, too. As far as I know the jury is still out on how US surveillance laws (e.g. Cloud Act and FISA) impact UK/EU companies with US parent companies. Maybe someone else in the community knows more?
See lessIf you decide to play it safe and apply a transfer tool, I can only say that the ICO announced that the old SCCs are still valid for third country transfers. You can find the adapted versions and more info about the post-Brexit context here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/sccs-after-transition-period/
Using SCC’s
d9d9d9
If your data leaves the UK and gets transferred to a third country that doesn't enjoy the luxury of an EU Commision Adequacy decision you have to use a transfer tool, e.g. the new SCCs (https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj). Since Schrems II you'll also have to assess the standard of dRead more
If your data leaves the UK and gets transferred to a third country that doesn’t enjoy the luxury of an EU Commision Adequacy decision you have to use a transfer tool, e.g. the new SCCs (https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj). Since Schrems II you’ll also have to assess the standard of data protection of the recipient country (https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf and https://edpb.europa.eu/sites/default/files/files/file1/edpb_recommendations_202002_europeanessentialguaranteessurveillance_en.pdf).
See lessUsing SCC’s
d9d9d9
Hi! If you're located in the EEA and want to use a processor in the UK you don't have to enter into SCCs since the EU Commission issued an Adequacy decision for transfers to the UK. So, if the data stays in the UK you don't have to take any extra steps to render the data transfer lawful beyond enterRead more
Hi! If you’re located in the EEA and want to use a processor in the UK you don’t have to enter into SCCs since the EU Commission issued an Adequacy decision for transfers to the UK. So, if the data stays in the UK you don’t have to take any extra steps to render the data transfer lawful beyond entering into a regular Art. 28 GDPR DPA. E.g. you could use the new standard DPA by the EU Commission (https://eur-lex.europa.eu/eli/dec_impl/2021/915/oj).
See lessGDPR consultancy concerns/Confusion
d9d9d9
You'll need to enter into a data processing agreement (DPA) with your clients for the processing activities of personal data where you act as a processor, i.e. for the activities that you carry out on behalf of your client. The DPA needs to be in line with Art. 28 GDPR. When you act as a processor fRead more
You’ll need to enter into a data processing agreement (DPA) with your clients for the processing activities of personal data where you act as a processor, i.e. for the activities that you carry out on behalf of your client. The DPA needs to be in line with Art. 28 GDPR.
When you act as a processor for a certain processing activity, it does not matter if you or the controller collect the personal data – you are still the processor and carry those activities out as defined in the DPA.
If you carry out processing activities that are not in line with the DPA and the instructions of the controller (i.e. you decide the means and purposes of the processing), you act as a controller for the data. This may be problematic since you need to comply with obligations for controllers under GDPR.
See lessWhat browser is from your point of view the most privacy-friendly browser?
d9d9d9
Here's a great resource for privacy-friendly tools that can serve as a good starting point for beefing up your privacy on the web -> https://privacytools.io/
Here’s a great resource for privacy-friendly tools that can serve as a good starting point for beefing up your privacy on the web -> https://privacytools.io/
See lessIs privacy over rated?
d9d9d9
I'd say that most people who are aware of the risks care about privacy. IMO being in control of what info is known about me and by whom is crucial. Seeing how much organisations know about people is quite scary. Not only because I don't like that they know so much about me (maybe know me better thanRead more
I’d say that most people who are aware of the risks care about privacy. IMO being in control of what info is known about me and by whom is crucial. Seeing how much organisations know about people is quite scary. Not only because I don’t like that they know so much about me (maybe know me better than I know myself and can thereby predict my behaviour) but also because mistakes happen.
Identity theft, exposing sensitive info to hackers following a data breach, or the data may be shared with an organisation that I don’t like the data should be shared with.
E.g. I don’t want that Facebook has access to all my private messages since I have almost no control over who reads those messages and what happens with them. I therefore use FOSS E2E apps as much as possible.
See lessPosting gifts to employees
d9d9d9
I'd say that this processing activity can be based on legitimate interest instead of consent. It is in your company's legitimate interest to keep the morale high among the troops. Don't forget to conduct a Legitimate Interest Assessment before to confirm that you can rely on this legal ground and toRead more
I’d say that this processing activity can be based on legitimate interest instead of consent. It is in your company’s legitimate interest to keep the morale high among the troops.
Don’t forget to conduct a Legitimate Interest Assessment before to confirm that you can rely on this legal ground and to ensure that you’re taking all the necessary measures to carry this processing out in the best and safest way possible.
See less