/r/gdpr

Photograph via snooOG

The General Data Protection Regulation (GDPR) went into effect 25 May 2018. Ask questions about the GDPR, discuss and share resources about the GDPR, and learn about best-practices regarding personal data and data privacy. Related laws like ePrivacy or UK GDPR are also in scope.

The General Data Protection Regulation (GDPR) went into effect 25 May 2018. Ask questions about the GDPR, discuss and share resources about the GDPR, and learn about best-practices regarding personal data and data privacy.

Rules

  1. No personal attacks

  2. No overt advertisements

  3. No blog spamming

/r/gdpr

17,411 Subscribers

1

How many of you bought illow's LTD?

With Illow shutting down at the end of Jan 2025, it occurred to me that there must be a few people left without a substitute.

0 Comments
2024/12/05
02:11 UTC

1

Struggling to Transition into Data Protection: Over 100 Applications, 3 Interviews, No Luck—What Am I Doing Wrong?

Hi all,

I need some help and advice regarding jobs—more specifically, how to transition from my current role in complaints to a career in data protection or information governance.

A bit of background: I have a degree in Business Management (not that it means much these days) and have worked in complaints for just over 10 years, mostly with banks like Lloyds and Barclays. Earlier this year, I developed an interest in data protection and decided to pursue a career in the field.

Due to a lack of hands-on experience, I thought obtaining certifications might help with the transition. So, I went ahead and earned the BCS Practitioner Certificate in Data Protection and IAPP’s CIPM, and I’m willing to gain more qualifications if needed. However, despite my efforts, I’ve been struggling to secure interviews.

After applying for over 100 jobs, I’ve only had three interviews—for roles as a Data Protection Administrator, Junior Data Protection Consultant, and Information Governance Officer—but I wasn’t successful, and I haven’t managed to secure any further interviews since.

What am I doing wrong? I’ve tweaked my CV multiple times and even had it professionally reviewed, but I can’t seem to break into data protection. Any advice would be greatly appreciated.

Thanks, 🙏

6 Comments
2024/12/04
19:45 UTC

3

Privacy breach

Hi, would it be a breach of privacy under GDPR if an employer is covertly listening to your conversations while you work from home, even though it is not mentioned in your contract? The contract specifies that data may be collected on how you use your PC but does not mention anything about recording conversations.

3 Comments
2024/12/04
03:09 UTC

0

Seeking Recourse with Onedrive blocked from Office 365

I am a Microsoft Office 365 user, and a couple of weeks ago, I have been blocked from accessing my Onedrive for no apparent reason. I have reached out to them and they refused to budge, any recourse can I take? Please advise me, thanks

3 Comments
2024/12/03
09:38 UTC

2

Personal address on policies etc.

Hi,
I live in Spain and work on a t-shirt design website. I work with a print-on-demand service located in the USA, so he does all the fulfillment work. The selling market is only for the USA.
Do I need to add an address on the newsletter and privacy policy etc?

5 Comments
2024/12/03
00:20 UTC

0

Council left a letter addressed to me on my car windshield. Found it days later!? Gdpr breach?

So this letter contains my full name and address plus some private information. Has the council breached gdpr by leaving this letter outside on a vehicle windscreen, rather than posting it to my address?

I'm not on any voting registers so as far as I'm aware they've exposed my sensitive data and gave out my full name and address ???

16 Comments
2024/12/02
18:46 UTC

4

Company cc'd Christmas invite entire staff 's personal emails

I'm curious if this scenario is a privacy or HR law or just plain data breach issue. This is a cleaning company located in Canada where privacy laws are very strict. So, i have a client who sent a Christmas party invite to all staff and some close vendors. The email was cc'd and since the non-office staff don't have company emails the receptionist used their personal emails in the invite. Before i bring this up to the president i need to make sure i am not making shit up. I am their IT provider so i need to advise how unprofessional and possibly illegal this letter invite was. Thanks

11 Comments
2024/12/02
16:01 UTC

0

UK, is this charity using PECR correctly?

Many years ago I donated items I didn't need any more to a national charity who have a shop in my local area.

I didn't consent to receiving emails from them, but even though I've told them I've opted out, they claim to have a legitimate interest in emailing me about fundraising events and their new online shopify shop which has Christmas discount codes.

I'm sure they're in breach of PECR because charities can't use legitimate interest as a legal basis for email marketing. Can somebody confirm that's true? I'm sure I read something in the papers last week about an open letter to the MP who looks after GDPR where charities can't do this but they'd like to in the future.

I've also checked Companies House and this charity has a retail subsidiary. Is it legal for a non-commercial charity to send me commercial marketing emails about buying stuff from their online shopify shop? Would that be PECR, GDPR, both and/or something else?

Should I report this to the ICO as a possible breach and/or make a DSAR to see what data they have about me?

6 Comments
2024/12/01
21:16 UTC

0

Is data anonymization enough to justify that the system is not exclusively based on profiling?

ty!

9 Comments
2024/12/01
12:37 UTC

0

U.K. specific: Is the government (specifically the DVLA) exempt from GDPR requirements when handing personal information (name, address etc) to private companies?

For example, private car parks issue PCNs for parking violations by accessing the DVLA database and (I presume) buying the transgressor's name, address, DOB etc.

It's a stupid question I suppose because they must be exempt, otherwise they have been taken to court long ago. But how are they exempt? I can't see any reason other than the business model of private car parks would fail to be viable - and that doesn't seem grounds for GDPR failures.

7 Comments
2024/11/30
10:15 UTC

11

Eon sent me someone else’s Subject Access Request

On disputing a final bill with Eon I requested a SAR, they sent me an Google drive link but it was for another customer, there I had access to bank details, voice recordings etc etc.

I reported it EON but they didn’t acknowledge any wrong doing until I sent them a screenshot and then replied saying that there was no breach. This obviously has added another reason not trust their processes in accurately dealing with my final bill.

If they have violated GDPR, can I stand to gain from this scenario?

33 Comments
2024/11/30
08:52 UTC

1

Unsubscribed from marketing - does this count?

After being spammed by 50000 Black Friday deals I unsubscribed from all marketing emails. About a minute later I got an email saying along the lines of “you’ve been unsubscribed from marketing emails. Here’s a leaving gift of a 15% off discount code on any future bookings. Here’s how to re subscribe”

Is this appropriate? It’s normal to receive marketing very shortly after unsubscribing because the database hasn’t been updated yet and the email was already scheduled, but this felt like inappropriate marketing contact because they’re trying to get me to buy their services when I just unsubscribed.

5 Comments
2024/11/29
23:22 UTC

2

Zero-consent analytics - what's allowed under GDPR/ePrivacy?

I'm looking to implement basic anonymous analytics tracking on my site:

  • Page views
  • Search terms
  • Basic engagement metrics

Planned event format would be something along the lines of event type, timestamp and url, plus meta data like search term for searches.

Since I'm not storing anything on user devices and keeping everything anonymous, this should fall under the 'no consent needed' category. Could someone verify this approach is compliant with GDPR/ePrivacy? Or do I still need to have it stated in my privacy policy and/or ask for consent?

5 Comments
2024/11/29
23:17 UTC

1

Boss telling about sickdays

Inside EU, is it breach of GDPR if the boss is running around and telling everyone how many sickdays some co workers have and also showing private messages she receives from co workers to everyone?

4 Comments
2024/11/29
21:32 UTC

1

Legitimate interest, special category data, and consent.

I've been trying to read up on this but I'm not sure I fully grasp it.

tl;dr: In the context of an advice charity, can legitimate interest be used to store special category data?

A scenario: A person goes to an advice charity for advice about a work issue. They fill out a consent sheet which includes their name, DOB, address, etc, but they don't tick any boxes for special category data. Since the client was speaking about a work-related issue, can the organisation store information about their trade union membership?

12 Comments
2024/11/29
18:05 UTC

2

Suggestion regarding EDPB Guidelines and History.

So, I have almost completed reading GDPR and making notes of it and I will start revision as well soon. I want to start with EDPB but I don't know what to do and how to do. Like what what do we have read, if someone has any content regarding it please share.

Also, I have heard people saying we need to also read about the history of the Privacy Law, any suggestion on that or any available content you people have to share will really help.

Thanks & Regards,

Fellow Reddit user.

4 Comments
2024/11/29
08:25 UTC

0

If an employer or colleagues delete emails, messages etc ahead of my DSAR, would there be any way to prove this?

Let’s just assume the business ICT team are in on this too.

Would provide more details but maybe a general question is best in these times lol

10 Comments
2024/11/28
19:28 UTC

1

Public interest balancing test?

Would anyone suggest that doing a balancing test similar to an LIA is necessary for relying on public interest (for a public body), or producing some kind of documentation to evidence what that interest is?

8 Comments
2024/11/28
18:20 UTC

1

Is taking this data info against GDPR

When an user enters on my site I make a API call on cliente-side which returns some data like, state, city, latitude and longitude, is having this data in order to show some ecommerce located stock without ask user for consent against GDPR?

17 Comments
2024/11/28
11:56 UTC

4

School accidentaly disclosed information during subject access request

The school accidentaly disclosed information about other pupils (including family suicide) during a subject access request.

I deleted the email with the sensitive information but what process should school follow? Do they need to inform ico and the other pupils who's data was disclosed ?

7 Comments
2024/11/27
21:29 UTC

0

Is it a GDPR breach if it was a known fact ?

Hi
I'm dealing with an issue at work, a manager talked about my medication with another colleague. I raised a grievance for a GDPR breach. Still, they are saying it's not a GDPR breach because "it was common knowledge" and others were aware of my medication by either seeing me taking it or me sharing that information with 2 colleagues from my team (but not with that manager ).

So please if anyone can tell me for sure if it was or not, I would massively appreciate it. thanks

25 Comments
2024/11/27
20:01 UTC

5

Processors & Sub-Processors

Hi all,

Apologied for the upcoming wall of text but I've exhausted several options trying to find an answer, and I feel this is quite a specific challenge.

We have a client (controller), who we act as a processor on their behalf. As part of this relationship, we engage further sub-processors to provide the service.

One of those sub-processors provides a platform that we whitelabel and sell on. Therefore they're still a sub-processor but maybe not in the classic sense.

Go back a few weeks and the sub-processor/whitelabel partner makes some changes to their platform. Client approaches us to complain and asks what we're going to do about these changes. I actually agree that they're not useful changes, so promise I'll do my best to reverse them.

Following back and forward between us and the sub-processor, they state they will not be rolling back the changes. Fair enough.

However, the client is now asking for information on a) all of our sub-processors and b) the sub-processors of our sub-processor in question.

I am obviously happy to provide a), but I cannot find anything as to how far down the chain we go, or indeed who is responsible for b). Do we pass the controller on to the sub-processor and tell them to deal with it direct? Do we take it on ourselves to find out, even though we have no issue with their potential compliance, etc? I've made it clear to the client that we have agreements/DPAs in place with this sub-processor and have no concerns over their compliance, but they will not let it lie.

The client also seems to have assumed that we're responsible for our sub-processors' actions, which I agree from a data protection perspective, but surely not from anything else (e.g., material changes to their platform).

It has my mind boggled so feel free to ask for any extra detail that I've forgotten.

11 Comments
2024/11/26
15:46 UTC

1

Whatsapp Group thumbnail and name advice

Hello, if I blur/remove people's names, thumbnail pictures, and phone numbers from text messages in a WhatsApp group, is it still possible to display screenshots of the text messages with the group thumbnail and name still appearing visible? (the group thumbnail doesn't identify pictures it is a work logo).

The purpose of this screenshot is to be used in a work grievance.

7 Comments
2024/11/25
22:32 UTC

2

My DSAR has come back and contains only emails or documents - can I request workplace messaging data and WhatsApp (we use it for work)

They have also left out a line of my request about including ‘all communications that refer to me’ in the DSAR response. This was an incredibly important part of the request yet for some reason they left it out…

10 Comments
2024/11/25
22:21 UTC

0

Professional life and GDPR

Hi, Recently my company has shared without my consent my professional email which contains personal datas (name and surname) with a sub contractor. Is my company allowed to do this? Is it conform with GDPR and what are my rights ? Thank you for your help

8 Comments
2024/11/25
17:04 UTC

1

Equifax - supplying incorrect information

Not sure this is the right place for this query, but thought it was worth a go. I received a letter today from EON stating they'd opened an account for me, which I hadn't done. When I called them they told me they'd created it as there is a balance outstanding from September 2023, and they had got my details from Equifax.

Ok, but the period they are requesting payment for is before we purchased the house and not my debt. EON are now pursuing me for the debt

Curious to know if there is a GDPR/data issue here, and if it's worth chasing Equifax?
- EON state they got the data from Equifax.
- Equifax seem to be associating my name with the property for a period when I wasn't at the property, and have provided my name and DOB to EON

3 Comments
2024/11/25
16:07 UTC

5

Call recording question - consent not received

Hi all, I was hoping to get some advice on a situation that I've encountered.

The company I work for handles legal information for personal injury cases on behalf of another company.

A call was made to a client but the person placing the call forgot to mention that the call was being recorded.

The call recording has been requested by the third party we are handling the information for which is when we discovered this.

My questions are:

Is there a situation where we can keep this call recording and share it?

What would we need to do in order to facilitate this?

4 Comments
2024/11/25
11:46 UTC

0

How do I change my data?

I have a GDPR question. I recently received some personal data about myself from a data release request I made to a major digital organisation. I won't say which.

Anyway upon receipt of my personal data, I realised there were a few problems. I don't particularly like my age, name, and some of the health related data points about myself.

What can I do about this?

6 Comments
2024/11/25
10:20 UTC

2

Need Guidance for CIPP/E Preparations.

Hi everyone, I am Law Graduate been preparing CIPP/E for sometime now. I have given GDPR a reading once, though I do understand it, but fundamentally when a question comes I do get confused.

Can someone please suggest me how should I prepare, take it as if like "I know nothing I want to start from the beginning again".

Someone if they can guide me on how should I start, and how to get clarity over the concepts.

I mean to ask like should I start from GDPR, then do EDPB guidelines, then Mocks.

(Shit I am just confused please help me out because I unable to concentrate because I do not understand from where do I have to start).

I have all the materials like the Third Edition of Edwards Ustran, Mock test books from Jasper (Both Red and Green book) Majid Hatamian and Franklin Phillips. I don't really know what to do from EDPB so I got nothing for it.

But someone please guide me in this, for the past 4 days I am sitting ideal cause I do not have a plan, I have never been this way in my whole life I don't want to let myself down.

I am also happy to share some materials if someone needs it.

Thanks and Regards,

Your Fellow Anonymous user.

12 Comments
2024/11/24
10:45 UTC

1

Google’s details for a SAR?

Hi,

I want to submit a subject access request to Google to understand some of the information they hold/record about me/my account. However, there’s no details for how to do this on their website and their support staff are absolutely useless and don’t know either (which I understand seems to be unacceptable under GDPR).

Does anyone know the details please? Particularly, any details for Google Drive

Thanks

5 Comments
2024/11/23
16:48 UTC

Back To Top