GDPR Compliance – Get Your Questions Answered

Q: Is GDPR certification a voluntary or mandatory certification for organizations?

A: GDPR Certification is a voluntary certification as per the GDPR regulation. However, if you are a processor working for a controller, the controller may demand a certification from you proving your company is complying with GDPR requirements.

Q: Is there a comprehensive to-do list for US-based companies that only have a web presence but no offices in Europe?

A: If you have a web preference, and if you are collecting personal data from EU Nationals then you are coming into the scheme of GDPR, but we need to go through the list of GDPR requirements to see how you demonstrate compliance there is not a specific list available till now or not that I’m aware of, but there could be.

Q: Does a US company have to have a DPO located in Europe, if they have a customer there?

A: No, but if you have an office in Europe then you have to designate someone to act as the DPO or as someone to contact in case there is a complaint.

Q: If my company is ISO 27001:2013 certified and touches PII and has a field office in Poland.  What is the impact on my certification audits?  What might customers require beyond our ISO certificate?

A: There will be no impact on your certification audits but if you need to show your customers compliance to GDPR only for those employees who are in Poland. However, you do have to include the GDPR related privacy requirements into the scope of your SOA, and you have to be audited against that.

Q: Where can I find the list of authorized countries?

A: You can access the list of authorized countries at https://cyprus.representation.ec.europa.eu/news/data-protection-european-commission-adopts-new-adequacy-decision-safe-and-trusted-eu-us-data-flows-2023-07-10_en

Q: If a company credit card is used without any direct reference to an individual, does this come under GDPR?

A: A company credit card number is not private information and according to the definition of GDPR, unless it is attached to an individual.

Q: Does remote access where data is not pulled/transferred to a country outside EU fall under GDPR?

A: If you are accessing data remotely then it is not considered as a transfer; however, the data within EU is still covered under GDPR. The body which is storing the data in the EU, they are still responsible for managing the safeguarding of this data. So if you are a processor you are only accessing the data from here, you are not processing, and you are not bringing the data to your facility then you may need a risk assessment. Does your company have any risk of a data breach from your end? If there is proof that there is no chance of data breach, then you can claim exemption from GDPR.­

Do you have an unanswered question? Then check out the webinar recording by going to https://youtu.be/bJugoQ6k-EY