Hi. It would be reasonable and correct to do so. In some countries financial data are considered particularly sensitive and with the additional requirements of the PCI DSS, its easy to understand that elevation both risk and protection of these data. As you know, what constitutes personal data is aRead more
Hi. It would be reasonable and correct to do so. In some countries financial data are considered particularly sensitive and with the additional requirements of the PCI DSS, its easy to understand that elevation both risk and protection of these data. As you know, what constitutes personal data is a broad list of attributes and a recent case in Germany established that vehicle chassis numbers (VIN) may also be regarded as personal data, so be cautions and treat all financial data as special category and you cant go too far wrong. The ICO will applaud the additional risk measures you will implement and customers will appreciate the additional protections you give to their data.
Hi. Its unlikely that CONSENT is a valid basis because without sending a CV, the applicant would unlikely be selected for consideration and CONSENT must not be conditional nor should refusal or withdrawal lead to any detriment. Therefore, you should apply CONTRACT as your lawful basis (the provisionRead more
Hi. Its unlikely that CONSENT is a valid basis because without sending a CV, the applicant would unlikely be selected for consideration and CONSENT must not be conditional nor should refusal or withdrawal lead to any detriment. Therefore, you should apply CONTRACT as your lawful basis (the provision of a CV/Application etc. being a requirement / condition of entering into an contract of employment).
DSARs never come in on a good day but, regardless of the history or cause, there is no power or right that a controller can exert over a requestor to withdraw a DSAR.
DSARs never come in on a good day but, regardless of the history or cause, there is no power or right that a controller can exert over a requestor to withdraw a DSAR.
In a DSAR, only information. minutes etc relating to and/or about the requestor is within scope of Art.15 Anything else would need to be disclosed under the FoIA (subject to exemptions) if you are a public body or your general disclosure regime if not. If you hold no further information, say so andRead more
In a DSAR, only information. minutes etc relating to and/or about the requestor is within scope of Art.15 Anything else would need to be disclosed under the FoIA (subject to exemptions) if you are a public body or your general disclosure regime if not. If you hold no further information, say so and offer the requestor the ICO complaint route and their right to legal redress.
Er, have you/your client tried asking the contracting bank for clarification? Data Quality in data protection terms is quite different to data quality in Master Data Management terms, with a range of exotic qualitative and quantitative values applied to an eye-watering list of data quality dimensionRead more
Er, have you/your client tried asking the contracting bank for clarification? Data Quality in data protection terms is quite different to data quality in Master Data Management terms, with a range of exotic qualitative and quantitative values applied to an eye-watering list of data quality dimensions and metrics..
The ICO had to announce its provisional intent to impose the £17m fine due to stock market disclosure regulations. It remains to be seen whether that number stays of falls (cf Marriott and BA). I agree with the view that it was unlawful. Generally, a person publishes a post to social media for a perRead more
The ICO had to announce its provisional intent to impose the £17m fine due to stock market disclosure regulations. It remains to be seen whether that number stays of falls (cf Marriott and BA). I agree with the view that it was unlawful. Generally, a person publishes a post to social media for a personal/domestic purpose, possibly expecting to engage or annoy others. A commercial enterprise, be it Clearview or another, cannot rely on that same domestic purpose. They will be using it for monetary or other purposes, mostly under legitimate interests which is a) not compatible with the original purpose for posting and b) unlawful because the individual was not informed of the collection and sue, nor allowed to object. As this goes to the heart of DS Rights an upper tier fins is appropriate. Also, there is a huge distinction between something that is ‘publicly available’ / made public and the term ‘in the public domain’, and the former does not mean its ‘up for grabs’!
Since the GDPR there is no longer the distinction between JOINT CONTROLLERS and CONTROLLERS IN COMMON. However, each of you are responsible for the processing that you undertake for your own purposes. They, for example are controllers for the lawful collection and provision of personal data, you wilRead more
Since the GDPR there is no longer the distinction between JOINT CONTROLLERS and CONTROLLERS IN COMMON. However, each of you are responsible for the processing that you undertake for your own purposes. They, for example are controllers for the lawful collection and provision of personal data, you will be responsible for your receipt, follow ups and retention of the personal data thereafter. They would not be providing you with any personal data if you hadn’t asked/contracted/paid for it; therfore you are also determining the PURPOSES for processing. How you go about acquiring and using the data also speaks to the MEANS criterion of being a controller. Welcome to the world of being a controller, jointly or alone!
Interesting. LEGITIMATE INTERESTS is one of the prescribed LAWFUL BASES for data processing. and you are right, it has wider uses, including for marketing, but is subject to the Article 21 Right to Object. SOFT OPT-IN sets up a presumed CONSENT-LED basis and can only be used when an existing relatioRead more
Interesting. LEGITIMATE INTERESTS is one of the prescribed LAWFUL BASES for data processing. and you are right, it has wider uses, including for marketing, but is subject to the Article 21 Right to Object. SOFT OPT-IN sets up a presumed CONSENT-LED basis and can only be used when an existing relationship exists with the data subject through a purchase or enquiries relating to a purchase, and can only relate to your own similar products/services and must offer the opportunity for the data subject to OPT OUT at the outset and at any time thereafter, perhaps on each marketing mail you send. It too is subject to Article 21; Absolutely – no argument, and also, the withdrawal of consent, making that, too, absolute. It becomes more complex when the data subject opts back in, does that, then, become CONSENT or LEGITIMATE INTERESTS processing and do you need to record the different lawful basis for each type of customer engagement?
No, to my mind this is MONITORING. It might become PROFILING if these behaviours are then aggregated with other candidates behaviours and a profile created that is then applied to candidates.
No, to my mind this is MONITORING. It might become PROFILING if these behaviours are then aggregated with other candidates behaviours and a profile created that is then applied to candidates.
credit card number handling – bank
DP-Pro
Hi. It would be reasonable and correct to do so. In some countries financial data are considered particularly sensitive and with the additional requirements of the PCI DSS, its easy to understand that elevation both risk and protection of these data. As you know, what constitutes personal data is aRead more
Hi. It would be reasonable and correct to do so. In some countries financial data are considered particularly sensitive and with the additional requirements of the PCI DSS, its easy to understand that elevation both risk and protection of these data. As you know, what constitutes personal data is a broad list of attributes and a recent case in Germany established that vehicle chassis numbers (VIN) may also be regarded as personal data, so be cautions and treat all financial data as special category and you cant go too far wrong. The ICO will applaud the additional risk measures you will implement and customers will appreciate the additional protections you give to their data.
See lessJob applications and Consent
DP-Pro
Hi. Its unlikely that CONSENT is a valid basis because without sending a CV, the applicant would unlikely be selected for consideration and CONSENT must not be conditional nor should refusal or withdrawal lead to any detriment. Therefore, you should apply CONTRACT as your lawful basis (the provisionRead more
Hi. Its unlikely that CONSENT is a valid basis because without sending a CV, the applicant would unlikely be selected for consideration and CONSENT must not be conditional nor should refusal or withdrawal lead to any detriment. Therefore, you should apply CONTRACT as your lawful basis (the provision of a CV/Application etc. being a requirement / condition of entering into an contract of employment).
See lessSubject Access Request / Link to other processes
DP-Pro
DSARs never come in on a good day but, regardless of the history or cause, there is no power or right that a controller can exert over a requestor to withdraw a DSAR.
DSARs never come in on a good day but, regardless of the history or cause, there is no power or right that a controller can exert over a requestor to withdraw a DSAR.
See lessClosing a DSAR
DP-Pro
In a DSAR, only information. minutes etc relating to and/or about the requestor is within scope of Art.15 Anything else would need to be disclosed under the FoIA (subject to exemptions) if you are a public body or your general disclosure regime if not. If you hold no further information, say so andRead more
In a DSAR, only information. minutes etc relating to and/or about the requestor is within scope of Art.15 Anything else would need to be disclosed under the FoIA (subject to exemptions) if you are a public body or your general disclosure regime if not. If you hold no further information, say so and offer the requestor the ICO complaint route and their right to legal redress.
See lessConfused – ‘data definitions and calculations’ – must be provided prior to contract?
DP-Pro
Er, have you/your client tried asking the contracting bank for clarification? Data Quality in data protection terms is quite different to data quality in Master Data Management terms, with a range of exotic qualitative and quantitative values applied to an eye-watering list of data quality dimensionRead more
Er, have you/your client tried asking the contracting bank for clarification? Data Quality in data protection terms is quite different to data quality in Master Data Management terms, with a range of exotic qualitative and quantitative values applied to an eye-watering list of data quality dimensions and metrics..
See lessclearview fine
DP-Pro
The ICO had to announce its provisional intent to impose the £17m fine due to stock market disclosure regulations. It remains to be seen whether that number stays of falls (cf Marriott and BA). I agree with the view that it was unlawful. Generally, a person publishes a post to social media for a perRead more
The ICO had to announce its provisional intent to impose the £17m fine due to stock market disclosure regulations. It remains to be seen whether that number stays of falls (cf Marriott and BA). I agree with the view that it was unlawful. Generally, a person publishes a post to social media for a personal/domestic purpose, possibly expecting to engage or annoy others. A commercial enterprise, be it Clearview or another, cannot rely on that same domestic purpose. They will be using it for monetary or other purposes, mostly under legitimate interests which is a) not compatible with the original purpose for posting and b) unlawful because the individual was not informed of the collection and sue, nor allowed to object. As this goes to the heart of DS Rights an upper tier fins is appropriate. Also, there is a huge distinction between something that is ‘publicly available’ / made public and the term ‘in the public domain’, and the former does not mean its ‘up for grabs’!
See lessGenerating leads with a marketing company….
DP-Pro
Since the GDPR there is no longer the distinction between JOINT CONTROLLERS and CONTROLLERS IN COMMON. However, each of you are responsible for the processing that you undertake for your own purposes. They, for example are controllers for the lawful collection and provision of personal data, you wilRead more
Since the GDPR there is no longer the distinction between JOINT CONTROLLERS and CONTROLLERS IN COMMON. However, each of you are responsible for the processing that you undertake for your own purposes. They, for example are controllers for the lawful collection and provision of personal data, you will be responsible for your receipt, follow ups and retention of the personal data thereafter. They would not be providing you with any personal data if you hadn’t asked/contracted/paid for it; therfore you are also determining the PURPOSES for processing. How you go about acquiring and using the data also speaks to the MEANS criterion of being a controller. Welcome to the world of being a controller, jointly or alone!
See lessLegitimate Interest v. Soft Opt In
DP-Pro
Interesting. LEGITIMATE INTERESTS is one of the prescribed LAWFUL BASES for data processing. and you are right, it has wider uses, including for marketing, but is subject to the Article 21 Right to Object. SOFT OPT-IN sets up a presumed CONSENT-LED basis and can only be used when an existing relatioRead more
Interesting. LEGITIMATE INTERESTS is one of the prescribed LAWFUL BASES for data processing. and you are right, it has wider uses, including for marketing, but is subject to the Article 21 Right to Object. SOFT OPT-IN sets up a presumed CONSENT-LED basis and can only be used when an existing relationship exists with the data subject through a purchase or enquiries relating to a purchase, and can only relate to your own similar products/services and must offer the opportunity for the data subject to OPT OUT at the outset and at any time thereafter, perhaps on each marketing mail you send. It too is subject to Article 21; Absolutely – no argument, and also, the withdrawal of consent, making that, too, absolute. It becomes more complex when the data subject opts back in, does that, then, become CONSENT or LEGITIMATE INTERESTS processing and do you need to record the different lawful basis for each type of customer engagement?
See lessProfiling
DP-Pro
No, to my mind this is MONITORING. It might become PROFILING if these behaviours are then aggregated with other candidates behaviours and a profile created that is then applied to candidates.
No, to my mind this is MONITORING. It might become PROFILING if these behaviours are then aggregated with other candidates behaviours and a profile created that is then applied to candidates.
See less