Contacting Tenants – Satisfaction Survey
Alexander Sturing
Hi! I would perform the satisfaction survey based on legitimate interest (quite plausible), but offer an opt-in possibility to be contacted based on the submitted results… So, bit of both..
Hope this helps.
-Alexander.
Delivery service companies – Data controller or processor?
Alexander Sturing
In The Netherlands, a consortium of larger mail carriers have agreed with the AP (ICO equivalent) that when it comes to delivering the mail, they are a data controller based on their legal obligation to send/deliver the mail.
Personal data used for this purpose is strictly divided from other processes (as it should be always), so for other aspects, these carriers can be considered a data processor, but not for sending/delivering mail.
Hope this helps.
“Discretion” of local supervisory authorities
Alexander Sturing
Thank you Dean, sorry for the delayed response…
But if I go “against” the AP, they fine me, and I’m taking it up all the way to EU court (yes, to be very patient), I can only imagine it will eventually fall towards me, since the EDPB is “higher” than the AP?
I know it’s becoming more “theoretical” now, but there are already some court cases in NL with this specific dispute… which I’m following with great interest…
Videoconferencing calls
Alexander Sturing
Stupid question perhaps, but has someone already asked this particular employee on “why” he/she refuses to activate the camera? Perhaps it’s because he/she would be embarrassed to show her colleagues the activities on the background (not all computers are able to blur the background, it depends mainly on CPU strength)
And is this an outlier, or are there many cases? (I’m not a fan of defining a process to cover the exception, but that’s just me)
Data Processor or Other Recipient
Alexander Sturing
I would like to add to Dean's answer that it also depends on the type of audit. In some cases, audits are mandatory by law, this makes the auditor >not< being a data processor since it's not the controller determining what the auditor can audit, but specific legislation.
Pre-Employment Checks – Consent?
Alexander Sturing
Hi Jess, assuming “your” GDPR is the same as ours 😉 I would stay away from consent in this case.
I don’t think this form of consent can be considered “freely given”. I would either use the legitimate interest (although that might be challenging as well), or the “needed to enter into a contract”.
The criminal offence data is a different type of personal data and since you’re not collecting it “currently”, I can only state to be very careful when collecting that information, since it's explicitly limited under art 9 GDPR.
Good luck!
GDPR Management Tools
Alexander Sturing
Since this community is built on DPOrganizer infrastructure and we’re not supposed to bite the hand that feeds us, it’s obvious what platform is the best 😉
But all jokes aside… I’m not sure in what capacity you ask this question, everything starts with mapping out the required functionality, there is no “one size fits all”. You could use the IAPP report to read about the strong vendors in the various areas so you can make your own shortlist.
You can use that shortlist when you’re asked for advice.
You can find the report here: https://iapp.org/resources/article/privacy-tech-vendor-report/
Alternatives to IAPP certification
Alexander Sturing
Don’t mistake IAPP for a “course” as the others above mention.
“Certified” DPO courses are very valuable, but not really comparable to the IAPP.
There might be an overlap in the covered topic(s), but CIPP/E (combined with CIPM) is not as extensive as DPO courses in universities. They are both valuable, but in other ways.
Last year, ISACA also released a Data Privacy certification (CDPSE, Certified Data Privacy Solution Engineer), that aims at (technical) IT staff. Considering the background of ISACA (IT Systems / Security), this certification makes sense for technically oriented staff.
To summarise, decide if you want to go for a “course” (like the DPO track in Maastricht University), or a specific certification and investigate from there.
Good luck and welcome to the field!
IAPP Membership
Alexander Sturing
Hi! I’m an independent privacy professional and a membership of the IAPP is almost “mandatory”. When I see the listing of projects on the various websites, 90% of the time, a CIPP/E is requested, quite often combined with CIPM / CIPT.
Not having this designation is always a disqualifier, although we all know that a designation does not guarantee the knowledge.
(I had a wager once where I had 2 days to prepare for a TOGAF Foundation exam and I passed with flying colours, but don’t ask me anything about the methodology anymore hahaha, just sayin’)
I don’t know your situation, if you are an employee, perhaps your employer is willing to take the cost, in the end, it also benefits them as well. As Egil mentioned above, they do provide very valuable information.
Fire destroyed personal data
Alexander Sturing
Perhaps stating the obvious, but there was no backup of the data elsewhere? If all(!) the data is still available from other locations, I would not consider this a databreach/dataloss.
If there was no (complete) backup, I agree on the answers above and treat it as such. Also, this is the “best” time to request budget for a backup technology 😉
I hope no personal damages occurred during this incident!