GDPR Compliance
DP-Pro
In addition to that, go visit the ICO Accountability & Governance pages: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/
Their new Framework: https://ico.org.uk/for-organisations/accountability-framework/
And Tool: https://ico.org.uk/for-organisations/accountability-framework-self-assessment/
Good luck!
Who is the data controller when storing data in a blockchain? (immutable distributed data store)
DP-Pro
There is a lack of consensus as to who is a controller / joint controller, further confounded by what processing is being undertaken on a given dataset at any one time. Blockchains involve many different players, and a blockchain is unlikely to be an entity (and ergo a controller) in and of itself. You will need to apply the GDPR (and EDPB) definitions of controller to each blockchain you encounter, on a case-by-case basis. You know the familiar phrase: ‘There is no one-size-fits-all’! As an entity placing said data onto a distributed ledger, you are a (de facto) controller, but do you remain so, given the dilution of your powers?
Storing pseudo-anonymized personal data on a blockchain
DP-Pro
It is impossible to state whether blockchains are, as a whole, either completely compliant or non-compliant with the GDPR. Blockchains often seek to achieve decentralisation by replacing a unitary CONTROLLER with many different entities, making the allocation of responsibility and accountability almost impossible. Additionally, exercisable rights are confounded by blockchains in order to preserve so-called data integrity and trust in the technology. That said, it may be possible for private and discrete permissioned blockchains to comply with GDPR requirements, but the compatibility of these technologies and the GDPR can only ever be assessed on a case-by-case basis.
Cold Prospecting
DP-Pro
Much of this will depend on what you mean by ‘cold contacting’: whether you mean you are randomly marketing to citizens/members of the public (who have no expectation of the potential approach) or (say) attendees at an event (who may reasonably expect to be approached by organisations connected to or present at the event). There are no relevant exemptions within the GDPR, but CONSENT will be required when using a list acquired from a third party (e.g. an event organiser).
Documenting the legal basis for personal information given orally for customer support
DP-Pro
Ideally we’d need a bit more information about the process to be able to give an informed answer, but what you are describing is the fuzzy margin between CONSENT and EXPLICIT CONSENT. Simply providing contact details could constitute consent, but it is not clear whether this was FREELY GIVEN. Furthermore, without any contextual dialogue at the time the details were obtained, it is unlikely that the provision of these details was SPECIFIC or INFORMED, meaning that any assumed CONSENT will be invalid. If the details were necessary for a product or service, then CONTRACT might be the more appropriate lawful basis. I tend to regard LEGITIMATE INTERESTS as the last option, because it is so wide and vague in its application, but there are options and the choice is yours.
Credit card number handling – bank
DP-Pro
Hi. It would be reasonable and correct to do so. In some countries financial data are considered particularly sensitive and, with the additional requirements of the PCI DSS, it’s easy to understand the elevation of both the risk and the protection of these data. As you know, what constitutes personal data is a broad list of attributes, and a recent case in Germany established that vehicle chassis numbers (VIN) may also be regarded as personal data, so be cautious and treat all financial data as special category and you can’t go too far wrong. The ICO will applaud the additional risk measures you will implement and customers will appreciate the additional protections you give to their data.
Job applications and Consent
DP-Pro
Hi. It’s unlikely that CONSENT is a valid basis because, without sending a CV, the applicant would be unlikely to be selected for consideration, and CONSENT must not be conditional, nor should refusal or withdrawal lead to any detriment. Therefore, you should apply CONTRACT as your lawful basis (the provision of a CV/application etc. being a requirement / condition of entering into a contract of employment).
Subject Access Request / Link to other processes
DP-Pro
DSARs never come in on a good day but, regardless of the history or cause, there is no power or right that a controller can exert over a requestor to withdraw a DSAR.
Closing a DSAR
DP-Pro
In a DSAR, only information, minutes etc. relating to and/or about the requestor is within scope of Art. 15. Anything else would need to be disclosed under the FoIA (subject to exemptions) if you are a public body, or under your general disclosure regime if not. If you hold no further information, say so and offer the requestor the ICO complaint route and their right to legal redress.
Confused – ‘data definitions and calculations’ – must be provided prior to contract?
DP-Pro
Er, have you/your client tried asking the contracting bank for clarification? Data quality in data protection terms is quite different to data quality in Master Data Management terms, with a range of exotic qualitative and quantitative values applied to an eye-watering list of data quality dimensions and metrics.