GDPR practical examples part 2

Most Popular

This is the second part about GDPR. The first part of GDPR-practical examples is also available.

Can a statutory authority discharge its obligations in regard to data protection by outsourcing the collection, storage, and processing of personal data to another organization?

No. If data handling is outsourced then the company is acting as a data controller and the company which provides outsourcing as a processor, but both have obligations under GDPR.

An online retailer uses a payment company to process its customer transactions. Is the payment company acting as the data processor for the retailer?

No.

The payment company exercises the control over the type of information collected about customers from the retailer, decides how the information is processed and how long it is kept, and has its own terms and conditions that apply directly to the customers.

GDPR with examples

Can personal data be transferred out of one of the EU country except to another member state of the EEA?

It depends.

Subject data may be transferred to another country outside the EEA, if that country’s data protection laws have been approved by the European Commission, or if the level of protection has been assessed as adequate. For countries where the Commission has not made a ruling that there are adequate safeguards, personal data may still be transferred to those countries under certain specific circumstances. These include where the transfer is not made by a public authority in the exercise of its powers, involves data related to only a limited number of individuals, or is necessary for compelling legitimate interests of an organization.

Can personal data be transferred out of the one of the EU country provided that the destination country’s data protection laws have been approved by the European Commission?

Yes.

The European Commission publishes a list of countries whose data protection laws and rights have been reviewed and are deemed adequate (see https://gdpr-info.eu/issues/third-countries/).

Simply assessing the rights of data subjects in the destination country is insufficient: the level of rights must be shown to be ‘adequate’.

The controller must ensure in another way that the personal data will be sufficiently protected by the recipient. This can be assured using standard contractual clauses, for data transfers within a group through so-called “binding corporate rules,” through the commitment to comply with codes of conduct which have been declared by the European Commission as being generally applicable, or by certification of the data processing procedure.

Cellphones in Schools: Unveiling the Pros and Cons

In the modern educational landscape, the cellphones in schools has emerged as a pivotal tool, offering both benefits and drawbacks to the learning environment....

Should school classes start later?

The American Academy of Pediatrics recommended in August 2014 that middle and high schools should not commence before 8:30 a.m. According to the Brookings...

5 Best English and European Schools in Luxembourg

When relocating to Luxembourg, navigating the education system can feel overwhelming, especially due to the language barrier. However, there is good news. Luxembourg offers...

Is there a future for European schools?

With many problems facing the European school system and with their humongous and inefficient bureaucracy that forgets that the main goal is to provide...

Leene Soekov shows lack of awareness about SWALS

Reply from worried parent to deputy director Leene Soekov Dear Ms Soekov, Your answer is not only very worrying but it also shows the lack of...

Another example of discrimination of SWALS students

It is unbelievable how new Mamer school management doesn't have a clue about situation of minorities in the school. New secondary Deputy Director Mrs Leene...