zlacker

[return to "GDPR: Don't Panic"]
1. nabla9+8c[view] [source] 2018-05-18 10:23:03
>>grabeh+(OP)
> The GDPR will require me to hire people and my entity is too small to be able to afford this

Q: Does my business need to appoint a Data Protection Officer (DPO)?

A: DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.

source: https://www.eugdpr.org/gdpr-faqs.html

◧◩
2. zerost+hc[view] [source] 2018-05-18 10:25:36
>>nabla9+8c
There is a legitimate question here, where does "large scale" begin? There are a lot of similar questions that nobody can personally guarantee they know the answers for.
◧◩◪
3. nabla9+Ge[view] [source] 2018-05-18 10:54:43
>>zerost+hc
In the GDPR draft it was "250 employees or with 5000 records." but 5000 records was dropped.

Now it says:

http://data.consilium.europa.eu/doc/document/ST-5419-2016-IN...

>The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

Basically small firm that is just holding minimum amount of customer/user information and data and where the business model is not centered around profiling and processing user data.

◧◩◪◨
4. cbg0+Ze[view] [source] 2018-05-18 11:00:09
>>nabla9+Ge
The piece of text you're quoting is referring to obligations of keeping "Records of processing activities", and is not the definition of large scale, which is undefined in the GDPR.
[go to top]