All Questions
Tagged with united-kingdom gdpr
119
questions
1
vote
0
answers
73
views
Is it GDPR compliant to require registration to access a privacy policy?
There is currently an issue with Windows operating systems, reputed to be related to Falcon Sensor from CrowdStrike. From the description of their tool, the question of GDPR compliance can be asked ...
6
votes
1
answer
2k
views
Is deciding to use google fonts the sort of decision that makes an entity a controller rather than a processor?
In ensuring GDPR compliance determining which entities are data controllers and which data processors is a critical step. The UK government says:
The UK GDPR defines a controller as:
the natural or ...
0
votes
0
answers
20
views
Does the transfer occurring under Article 45, 46 or 49 affect the Right of Access under Article 15.2?
Transfer of personal data from the UK to the US can, at least in theory, occur under Articles 45, 46 and 49. These all have different requirements.
Article 15 of the GDPR the Right of access includes ...
0
votes
0
answers
23
views
What does being "informed of the appropriate safeguards pursuant to Article 46" mean?
Article 15 of the GDPR the Right of access includes section 2:
Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be ...
0
votes
2
answers
178
views
Do patients have the right to foot moulds / models from chiropodists? [closed]
If a chiropodist produces a 3D model or mould from a patient's foot in order to produce orthotic insoles, is the chiropodist required to retain the model or mould for a particular period of time? Does ...
1
vote
0
answers
45
views
How specific does the information need to be relating to personal information transfer between data controllers?
When personal information is transferred between data controllers the GDPR imposses certain requirements. Among these are information that must be provided to the data subject. As I understand it ...
1
vote
1
answer
139
views
Can computer performance metrics be personal data?
ScorecardResearch is a major data collection organisation that serves code onto some major UK web sites. Their privacy policy mentions a lot of tracking, including "hardware or device ...
3
votes
0
answers
44
views
Does there exist an example of meaningful information about an automated individual decision-making algorithm?
The GDPR Article 14 includes provisions for the data subject to have meaningful information about an automated individual decision-making algorithm that which produces legal effects concerning him or ...
0
votes
0
answers
58
views
Does the GDPR right to deletion in Art. 17 effectively include some "disproportionate effort" exception?
Some provisions of the GDPR have explicit exceptions about "disproportionate effort". Particularly relevant is the one in Article 19:
The controller shall communicate any rectification or ...
1
vote
1
answer
89
views
What exactly is a decision wrt. GDPR Automated individual decision-making?
The GDPR Article 22 provides rights relating to automated individual decision-making, including profiling. It starts:
The data subject shall have the right not to be subject to a decision based ...
5
votes
2
answers
167
views
How do Wi-Fi Positioning Systems interact with the GDPR?
There is a paper (described in the news) that details how to use Apple's Wi-Fi Positioning System (WPS) facilitates mass surveillance, even of those not using Apple devices. The system is described ...
0
votes
0
answers
25
views
Would a GDPR SAR cover the evidence an online company would be expected to provide to enforce a contractual debt?
It is in the news that HelloFresh is accused of charging people for deliveries they did not request, and said they would "send a third-party debt collector round" in the case of non-payment. ...
4
votes
1
answer
113
views
What happens when data that was not personal information become personal information?
Supposed there is some data that is not associated with an individual. This data is processed by a company and distributed on the web. At a later date this data becomes associated with an individual ...
0
votes
0
answers
36
views
Is a third party which solicits and accepts personal data from a customer on another’s behalf a processor or a controller?
Alice contracts with ACME insurance which sends her to their identity verification solution provider’s app/website (BCME KYC SOLUTIONS Inc). BCME’s portal asks Alice for photos of herself and other ...
1
vote
1
answer
75
views
Can either side of a GDPR SAR require the other to agree to ToS during the identification process?
I shall use a real situation that happened to me, but this is just to demonstrate my point. I am definitely not going to do anything about it. This is a purely theoretical question, I am not ...
0
votes
1
answer
100
views
Is "gossip surveillance" processing personal data under the GDPR?
The Guardian has an article on "gossip surveillance" where strangers report on social media private conversations they are not party to in the hope of exposing duplicity from the speakers in ...
2
votes
2
answers
177
views
Is it legal/appropriate to email a GDPR SAR to the executive team if that is the only email address the company provides?
This is prompted by this question but I am fairly sure I do not have the correct answer so I am making this one.
My personal answer to "How do I get my data from company X under GDPR" is to ...
-2
votes
1
answer
119
views
Are deleted comments left by U.K. based users retained and subject to subject access under U.K. GDPR?
Meet Bob; Bob left some comments on a post on stack exchange and some over zealous moderators decided that they were not needed and so to delete them. Bob wishes to access these comments for the ...
1
vote
2
answers
199
views
What are an employed/contracted software developer's responsibilities under the GDPR?
This is prompted by this question but that is rather complicated by the technical details. Suppose the following hypothetical:
Alice is a software developer for Bob Inc. perhaps as a normal employee, ...
3
votes
1
answer
98
views
Can one person's genetic information be another persons personal information?
In the UK GDPR ‘personal data’ is defined as:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one ...
3
votes
2
answers
188
views
What rules determine jurisdiction on the internet?
It is in the news that Clearview AI has won an appeal against the UK Information Commissioner's Office (ICO). The reasons for judgment are here: Clearview AI Inc v The Information Commissioner [2023] ...
0
votes
1
answer
117
views
Are outward facing security cameras’ footage on the outside of ambassadorial missions subject to subject access rights?
Bob walks past the front entrance of the embassy of the republic of Zwakilostan which is somehow under diplomatic protocols Zwakilostani sovereign territory. The cameras point outside toward the road ...
3
votes
1
answer
212
views
UK GDPR Transcribing calls
I'd like to understand the rules around automated transcribing calls in the UK, from a B2B perspective.
GDPR seems quite clear that if you are recording calls, video and/or audio, you must get consent....
8
votes
1
answer
3k
views
Does GDPR apply when PII is already publicly available?
Pretend there is a website, it might be free to access, or be a paid per search service, where the users get access to summarised information on the people that they search for.
All of the information ...
1
vote
0
answers
52
views
What are the limits to what the information commissioner can take action upon?
It is in the news that a doctor inappropriately accessed and distributed a patients medical records. They did this through their employer, Cambridge University Hospitals (CUH) at Addenbrookes. The ...
4
votes
1
answer
553
views
What does "Household Exception" to the GDPR mean?
GDPR Section 2 Recital 18 (?) reads:
Not Applicable to Personal or Household Activities
This Regulation does not apply to the processing of personal data by a natural person in the course of a purely ...
1
vote
1
answer
90
views
Do any other consumer rights laws have extraterritorial applicability to international organisations that cater to British or European customers?
The GDPR purports to bind any organisation, wheresoever it may be based, that serves individuals based in the EU, or (as the case may be) the UK.
The GDPR governs the obligations of organisations and ...
-2
votes
1
answer
55
views
Old backups containing login information [closed]
I've been keeping an old website backup of a website that I used to work on on my PC for the last year or so. It was all my own work and wanted to just keep it in case I ever wanted to reuse it or use ...
1
vote
1
answer
41
views
GDPR When using an external CV formatting company
As a recruitment company, if I use an external company to format CVs that have been shared, do I need to inform the candidates? What are the potential pitfalls of an external company being given ...
0
votes
1
answer
233
views
Is it legal for ProtonMail to suspend access to your email until you pay for subscription periods that haven’t yet elapsed or for you’ve not had use?
ProtonMail runs on an annual subscription model. If your pre-yearly renewal payment fails, then you lose access to your data until you pay the yearly rate in respect of the year ahead of the date on ...
3
votes
2
answers
1k
views
What is the U.K. GDPR?
I understand that the DPA implemented the GDPR in British law as an act of Parliament. Then there was Brexit, and the U.K. GDPR was introduced to stand in for the no longer binding EU GDPR, with only ...
4
votes
1
answer
1k
views
Is it a breach of GDPR and DPA to say a colleague is sick and off work?
This is a hypothetical question. Suppose a customer calls asking for a colleague, call her Alice, and Bob answers the phone and tells the customer that Alice is off sick with the flu. The customer ...
0
votes
1
answer
84
views
Practical implications of failing to follow GDPR for online businesses
Suppose a person based in UK has started a one-man business online, for example, a web blog where people can read articles and post comments. Now, the business owner is focused on testing out the ...
-1
votes
1
answer
37
views
Restricting processing of data provided to police
Suppose that a person A would like to report a crime of which they’ve become a victim, to the police. For this purpose the police typically require the victim’s date of birth in order to create a ...
0
votes
1
answer
336
views
Would it be illegal to forward CCTV footage of someone committing a crime to their employer? (UK)
An incident has occurred where an individual in a private business committed an offence (common assault/battery).
As expected the police seem fairly unmotivated or interested however a quick Google ...
3
votes
1
answer
943
views
Am I allowed to use US web hosting according to GDPR
I live in UK, and I own a super simple website (web blog). The users of my website are not required to log in or provide any kind of personal information, they are just readers of my content.
I used ...
-2
votes
1
answer
67
views
Why do some data controllers require two forms of ID and others only one?
Meet Bob. Bob has submitted a number of subject access requests to various data controlling bodies, including businesses and several police forces.
Some police forces simply require scan of id with ...
0
votes
1
answer
77
views
Practical GDPR guidance for online businesses
When you start an online business, or even just create a website, there is a lot of confusion on what needs to be done to comply with GDPR. As many online resources (including StackExchange) suggest, ...
4
votes
2
answers
236
views
What is the lawful basis for running Know Your Customer (KYC) checks on startup investors?
Suppose you have a startup that raises money from a number of angel investors, many of whom are investing as natural persons.
What is the lawful GDPR basis for processing the investors' personal data, ...
-1
votes
1
answer
38
views
What are good tips and tricks to keep in mind when performing a subject access request for a comprehensive record of self-pertinent data from the met? [closed]
Bob would like to obtain as comprehensive as possible am archive of all data held on him by the metropolitan police, as well as any other police networks that they may be part of and share data with/...
1
vote
1
answer
286
views
What exactly triggers the GDPR Article 14?
Article 14 of the GDPR concerns the requirement for a data controller to inform the data subject when they obtain personal data has been obtained from an entity that is not the data subject:
Art. 14 ...
10
votes
4
answers
5k
views
Is there a way to determine if an email address is personal information?
The GDPR defines personal data as:
Personal data is information that relates to an identified or identifiable individual.
My understanding is that this means that [email protected] is ...
1
vote
1
answer
103
views
Is satelite data personal data?
It is in the news that artificial intelligence (AI) has been applied to aerial photography to identify homeowners who have made unauthorised additions of swimming pools to their properties in France. ...
1
vote
1
answer
35
views
Responsabilities on data breaches UK Data Protection Act
Following a question from THIS StackExchange about Data Protection Act application in the UK, there is an aspect about "proactivity" and "responsabilities" that I do not fully ...
0
votes
1
answer
59
views
Does the UK have a (enforcable) law linked with the Data Protection Act to control document's metadata?
Reading the information on the ICO's website, I came across a few items mentioning how to handle metadata on my organization's workflow like THIS or THIS.
I noticed they use expressions like "...
0
votes
2
answers
55
views
If you recieve others PII as part of the response to a GDPR SAR do you become a data controller?
Say Alice makes a GDPR Subject Access Request of a data controller, and in response receives some of Bob's Personally Identifiable Information, does the Alice then become a data controller with ...
2
votes
1
answer
181
views
Under what circumstances is it lawful or unlawful for police to disclose one's information to third parties, e.g. complainants?
Is it basically neither prohibited nor required and thus entirely to police discretion as to whether or not to disclose parties' details to either their purported victims, or to other parties like ...
0
votes
2
answers
134
views
Any obligation to disclose one's name and address to private parties for service of civil claims after a street altercation?
Suppose A is walking down the street and B punches A in the nose, thus committing assault. Legally, A is entitled to claim civil damages against B, and can practically do so if they know A's name and ...
0
votes
1
answer
47
views
Under GDPR, do organisations have to tell the ICO (or similar) the email address they use for GDPR deletion requests?
As is well known, websites (illegally) use deliberately misleading and frustrating web design to slow down users who want to tell them not to collect information for marketing purposes.
If they ...
1
vote
2
answers
63
views
Limits of automated decision making WRT workplace surveys
As part of the GDPR, if personal data is used for automated decision making a number of rules apply, particularly regarding consent and access to data.
A number of companies offer workplace surveys, ...