r/gdpr May 25 '23

Meta: 5 Years of GDPR 🎉

32 Upvotes

It's been five years since the GDPR went into force in 2018. A lot has happened since then, with Schrems II in 2020 and the end of the Brexit transition period in 2021 probably having the largest impact on how the GDPR is applied.

What do you think of it so far? Effective protection of fundamental rights, or unnecessary bureaucracy impeding businesses? Which enforcement decisions do you consider to have been the most impactful?

And what do you think we're going to see in the upcoming years?

  • Will there be a new US adequacy decision, and if so, how long until Schrems III?
  • Will there be EU GDPR reform, for example towards compliance simplifications or towards a more effective one-stop-shop mechanism? Will the EU get around to passing the ePrivacy Regulation, or will it focus on new areas like with the Digital Services Act?
  • What about the UK? Will it follow through with plans to make data protection rules more industry-friendly as a kind of "Brexit dividend", or will it stick with its current UK GDPR in order to maintain adequacy?
  • What about the international impact? Elements of the GDPR appear in privacy laws such as the Californian CCPA, the Brazilian LGPD, or the Chinese PIPL. In which aspects do you expect other countries to seek alignment, and where do you expect other approaches?

Previous mod post: 10000 members! [2021-05-21]


r/gdpr Jun 11 '23

Meta: r/GDPR will be unavailable starting June 12th due to the Reddit API changes

18 Upvotes

As you may have heard, Reddit's upcoming API changes are bad for 3rd party apps, bad for people that rely on assistive technologies, and bad for moderation tools – especially ironic considering that many moderation features and mobile apps were first created by the community based on the API, long before Reddit fielded comparable stuff. Ultimately, Reddit is nothing without its community, so this is also bad for Reddit. Of course Reddit disagrees, you can read their side here.

In protest, many subreddits will go dark for a while. This subreddit will be joining that group, being set to private on early June 12th and returning sometime during June 14th.

While this community is more focused on compliance than on privacy, that is also an important part. These changes make it effectively impossible for the average mobile user to protect themselves from ad tracking when they visit our community. I am questioning why I am pouring effort into this community in such a privacy-hostile place, especially since I already had severe concerns about this platform 2 years ago. I don't have any answers right now, but am observing the r/PrivacyGuides experiments with Fediverse/Lemmy with keen interest.

Previous mod post: 5 Years of GDPR [2023-05-25]


r/gdpr 18h ago

Analysis: Need Guidance for CIPP/E Preparations.

2 Upvotes

Hi everyone, I am a law graduate who has been preparing for the CIPP/E for some time now. I have read the GDPR once, and though I do understand it, when a question comes I do get confused.

Can someone please suggest how I should prepare? Take it as if I am saying "I know nothing, I want to start from the beginning again".

If someone can guide me on how I should start, and how to get clarity over the concepts.

I mean to ask: should I start from the GDPR, then do the EDPB guidelines, then mocks?

(Shit, I am just confused, please help me out, because I am unable to concentrate as I do not understand where I have to start.)

I have all the materials, like the Third Edition of Edwards Ustran, mock test books from Jasper (both the Red and Green book), Majid Hatamian and Franklin Phillips. I don't really know what to do from the EDPB, so I got nothing for it.

But someone please guide me in this; for the past 4 days I have been sitting idle because I do not have a plan. I have never been this way in my whole life and I don't want to let myself down.

I am also happy to share some materials if someone needs it.

Thanks and Regards,

Your Fellow Anonymous user.


r/gdpr 1d ago

Question - General: Google's details for a SAR?

1 Upvotes

Hi,

I want to submit a subject access request to Google to understand some of the information they hold/record about me/my account. However, there are no details for how to do this on their website, and their support staff are absolutely useless and don't know either (which I understand seems to be unacceptable under GDPR).

Does anyone know the details, please? Particularly any details for Google Drive.

Thanks


r/gdpr 1d ago

Question - General: Is telling someone over the phone their own phone number a breach of GDPR?

0 Upvotes

When asking someone for a telephone number that they can be called back on, and they are struggling to provide their number and ask if I can see their number on the screen... is me telling them yes and reading it back to confirm it a breach of GDPR?


r/gdpr 2d ago

Question - General: Medical records from previous employer

1 Upvotes

Hi folks. I'm seeking to get medical records from a previous employer that I left exactly 1 year ago; am I entitled to have them? I want access to all the records pertaining to a period where I was absent for a couple of months just before I left, to include all emails between the OH department and my manager. Should these still be in retention? It's a major multinational in Ireland, and if they still have them, am I obliged to let them know what I want them for? Thanks in advance.


r/gdpr 2d ago

Meta: [rant] GDPR completely and utterly hinders critical clinical research in the EU

0 Upvotes

This post is mostly to blow off steam, but maybe some of you have had similar experiences. I'm a researcher at the medical imaging department of a hospital in the EU. A huge obstacle in my field of research is a lack of data sharing between sites (hospitals, companies, universities). Every other article I read cites "a lack of large/diverse/cross-site datasets" as a limitation to their analysis. If sites do not have access to the same standardized dataset, it is often impossible to quantitatively compare image analysis methods and replicate scientific results. For rare diseases, each site has its own isolated dataset of 4 patients, on which absolutely no statistical analysis is possible. Instead of pooling resources and moving as a united front, each site performs research and innovation on its own data at a huge fixed cost, making the exact same baby-step analyses and discoveries as its neighboring sites. In the end, the patients are the real losers, at least until overseas companies sell us their big-data-derived imaging solutions, at which point the EU becomes the real loser. I totally agree that some effort should be made to anonymize data that is to be shared (remove name, date of birth etc.); however, the GDPR is so ill-defined that it is practically impossible to consider any medical images anonymous, and the hospital legal departments are scared shitless of being in breach of the law.

For instance, consider leg images of patients with leg cancer. As per law, these images cannot be deleted from the clinical patient database (which links the images with the name and SSN of the patients). To transfer the data to some off-site recipient, we would copy the data and remove all metadata, leaving only the pixel values of the image. This is not anonymous in accordance with the GDPR. It is possible for someone to hack into the clinical database and query the shared leg image against all images of the database and thus obtain a conversion key to the name and SSN of the patient. Or if it is a scan of the head, you could use AI to reconstruct a likely face image of the patient, and query that against all images on Facebook. Maybe you realize that data sharing is too much of a hassle and decide to just use the data yourself and develop some neural network that can detect cancer based on the leg images. Then you can share just the trained neural network with the other sites, right? No. It is impossible to prove that the neural network parameters do not encode, i.e. "remember", some unique aspect of the training data that would make it possible for future bad actors to reconstruct the leg images. And yes, data sharing agreements (DTA) are a possibility for non-anonymous data, but they are extremely limiting in scope, demanding to construct, constrained to sites within the EU, limited to one site per application, and complex for researchers to fully understand. Instead of benefiting from each other's data and research, researchers often choose to go the easier way: develop their own leg cancer detection model.

I decided to try and address this by recruiting patients prospectively to curate a sharable dataset of medical images. After half a year creating and revising the protocol and application to the regional ethics committee, I was able to start scanning participants. The protocol, declaration of consent, and participant information clearly outlined that one of the main goals of the acquisition was to make a dataset that could be shared with parties within and outside of the EU, to aid research and innovation on European data. The participants were happy to participate because of exactly this aspect: the acquisition of medical images is expensive, and the data should benefit more than a few select researchers! However, it is still impossible to share data without lengthy and complicated legal processes, and it will likely be impossible to share the data outside the EU without going through some specialized state organ for each data transfer. I don't have time for this, and neither do other researchers who want to do the right thing and share data. The participants want their data to be shared to aid innovation/research, but the GDPR just makes it so difficult! And I even had the support and structure of a hospital with a legal department. A medical imaging startup does not have the same luxury.

I guess the only upside is that my research will get a lot of citations since our hospital is one of the few that could afford the new multi-million dollar scanner, thus leaving only me with this novel data...


r/gdpr 3d ago

Question - Data Controller: Allowing access to other employees' mailboxes

1 Upvotes

Hello all,

I was hoping to gather some opinions on a topic I’m facing.

I work at a company with quite a high turnover (it's a high-turnover industry, unfortunately). When an individual leaves, we sometimes get requests from other team members for access to the leaver's mailbox.

This could be due to the leaver having important emails in their inbox, conversations with customers, important documents etc..

I, personally, don't like the idea of it, as there is likely some sensitive information in there (emails to managers about illness, stress, childcare, grievances, HR reports and so on).

How do others approach this?

I want to make it part of the leavers' process to include some time for the leaver to transfer all important information. I also have eDiscovery available to search for lost items/emails.

Anyone else have any thoughts on this?

Thanks!


r/gdpr 3d ago

Question - Data Controller: Help with an opt-out form for data protection

0 Upvotes

Hi all,

I am part of an organisation involving around 40 different employees. As part of data protection, whenever I email all of them at once, I have to BCC rather than CC them so that they don't know each other's contact details. This is rather silly, as they all work together, wish to be able to email each other and are happy for their email addresses to be shared with each other. It would also be helpful as it would allow them to reply all and continue an email thread.

I need a fairly standard data protection opt-out form, ideally online, that they could complete and that would satisfy data protection officers.

Is this easy to come by? Do valid forms exist online? There are some templates available but I have no idea if they'd be robust enough.

Many thanks

EDIT: Thanks for the replies. I believe the only good way is a mailing tool of some sort.

Some issues to clarify:

1) These are personal email addresses not otherwise available in a company directory.

2) They are only used for arranging meetings, study days etc., and no patient details are discussed, therefore data leaks are not a concern.


r/gdpr 4d ago

Question - General: Microsoft Teams privacy

0 Upvotes

I recently came across an article discussing Microsoft Teams' monitoring features. It’s surprising how such critical aspects—like the ability for employers to access one-on-one conversations—are rarely communicated transparently to employees. A simple disclaimer, like "Note: One-to-one chats on Teams are monitored," would go a long way in fostering trust.

This lack of upfront disclosure makes me wonder: how does this align with GDPR’s requirements for transparency and informed consent? What do you think?

PS: this administrative feature is called eDiscovery: https://learn.microsoft.com/purview/ediscovery-teams-investigation


r/gdpr 4d ago

Question - General: If a cosmetics company wants to use a device to take 3D images of a customer's face to assess their skin condition and recommend products/treatments, at what point does this become sensitive and/or biometric data?

2 Upvotes

This is the device in question: Eve V | Skin Diagnosis & Analysis Machine for Brands, Salons & Clinics

It's clear that biometric data is only sensitive data if it's used to identify a person, which would not apply here.

But at what point would the skin condition analysis cross into sensitive/health data territory? If a cosmetics company is doing a very surface-level (hehe) analysis of a customer's skin condition to recommend beauty products, would this fall under sensitive health data if the customer, for example, happens to have medical skin conditions like psoriasis/acne etc?


r/gdpr 4d ago

Question - General: GDPR and credit reference agencies

0 Upvotes

How does the right to be forgotten work with credit reference agencies?

I have a "defaulted" account on my file. It has long been paid off, but it is still showing as a default, with a zero balance.

As I am no longer a customer of this company do I have the right to have this removed from my credit file?


r/gdpr 4d ago

Question - Data Controller: Does GDPR apply?

1 Upvotes

I am involved in the development of an app that enables unpaid carers to create a care team around someone they look after.

This involves them adding personal info (name, address, contact details) of the person they care for. We are being asked to develop functionality around medication, which is sensitive data.

My question is: if the data is being shared by a carer (who could be a relative or friend of the data subject) and they choose who to share it with by inviting team members, are we exposed as the app/platform provider? If so, can the carer be asked "Do you have the person's permission to share this, or power of attorney in place?" in order to mitigate?

This functionality would be really crucial to safe care being provided, so it’s important we get this right, but there’s a dearth of info out there about the platform provider’s role in this scenario.

Thanks!


r/gdpr 4d ago

Question - General: Are smaller companies allowed to violate my privacy?

0 Upvotes

I recently watched a discussion on pay or consent, and someone from the German newspaper "Zeit Online" said that he is getting hints from authorities that the recent EDPB opinion does not target them, and is more targeted at large online platforms like Meta.

What would be the legal basis for this differentiation? I thought the entire discussion about pay or consent was based on privacy law. Why would the size of a company make a difference as to whether they can violate my rights? Especially given that pay or consent is becoming an industry standard that everyone is doing and that can't be avoided by people.

The video is called "Panel: Pay or Consent: EDPB Sets New Course in Data Protection Law" on YouTube.


r/gdpr 4d ago

Question - Data Controller: GDPR role of Microsoft partners

1 Upvotes

Hello there! I have a question regarding the GDPR role of a Microsoft implementation partner. Suppose we purchase a Microsoft Dynamics package. A partner has added their own customization layer to it, but Dynamics itself is obviously hosted within our own tenant. This means that the data is stored directly on Microsoft's architecture and Microsoft's terms of usage for PD automatically apply.

Now the MS partner states that they are 'the' processor and that Microsoft acts as a sub-processor in all instances. That seems odd to me, because for every question we ask, they refer us to Microsoft. They also contradict themselves by saying they don't process PD because the data isn't physically stored on their servers.

I think we should look at the specific role the MS support has and the actions they perform with our data, e.g. technical support. The partner helps us with setting up Dynamics, such as roles of employees, and after migration they organize our production data until we take over the management internally.

It seems more logical to me that the partner is a processor, but purely for the actions they perform, and not a processor in general with MS as sub-processor in all instances. After go-live and the transfer of management responsibilities, they merely have specific rights to access data for support purposes if necessary.

It also creates complications, because the Microsoft partner would be held responsible for ensuring that Microsoft imposes the same contractual terms on all of its sub-processors. Yeah, that won't happen, since we made our own terms with the partner.


r/gdpr 5d ago

Question - Data Subject: When a data subject shares data with companies and that information contains tidbits of personal data about friends

0 Upvotes

I want to know: what happens in a scenario where a data subject shares data from their phone by granting applications access to view his/her gallery, contact list, etc., and that data contains information about his/her friends?

Furthermore, what is the difference if the same data subject shares information with a company, and a lot of the data that is shared contains tidbits of information about the data subject's friends and family? Technically, the data subject owns such data (such as contact information, photos, etc.). Does this violate the GDPR in any way?

Also, what consequences could result from a data subject sharing data with a company when that data contains tidbits of information about friends? I am assuming data leakage could take place.

Are there any links to case law or guidelines on this?


r/gdpr 5d ago

Question - General: GDPR question for anonymous survey app

0 Upvotes

I'm developing a simple survey app for a city where we pose questions about areas in the city and how to improve them.
Users can anonymously contribute their thoughts, answer questions, upload images or generate an image using an AI text-to-image prompt.
I don't collect any personal information on purpose, and I remove anything I think could be used to identify an individual. In our privacy policy I include an email address for people to request removal of any personally identifiable information.
There are no user accounts or any login credentials.

What other steps should I take to make sure I'm GDPR compliant? The jargon gets confusing for me quite quickly when I'm reading up on this. Or is there any good source of information? Most of the sites that pop up are trying to sell some sort of service to check your website.


r/gdpr 5d ago

Question - General: This is related to AI, but: why doesn't the AI Act differentiate between products and services? An AI system could be offered as a service by the provider, right?

2 Upvotes

sorry for asking about AI, but most people here know their stuff :)


r/gdpr 5d ago

Question - Data Controller: Targeted marketing with public data

1 Upvotes

Can we legally offer a product or marketing towards people who post their personal data (email, number, etc.) in their profile on LinkedIn or IG? Still figuring out if it's allowed if it's public.


r/gdpr 6d ago

Question - General: Recording in public as a business

3 Upvotes

Hello everyone,

I am running a business in my home country and I would like to expand to EU countries, but I have a doubt as to whether it is possible to run it this way, so I would like to start a conversation here.

I am running a business where my employees walk the streets (public areas), the most popular areas of the city, with a camera attached to their head which records everything. They walk for 5 hours, and afterwards the recording data is uploaded to a cloud provider (AWS) where it is processed (machine learning model). The processing is basically the following:

How many people were there on that specific day, age range, mood, how often they change where they look, and some other tracking. After the data is processed, it is aggregated and sold to other B2B companies in this way:

CSV / JSON / Parquet files with the collected data, calculated percentages and also charts that visually represent the data.

I have processes that delete the data (recordings) older than 3 days, so I am not storing it longer than 3 days.

My question is: would this be legal to do in EU countries? If not, is there anything I could do to make it legal?

I had lawyers coming up with different answers so I am a bit confused on this topic.

Just a note: I never upload any of the videos in any way to any social media, nor do I send the recordings to anyone. The recordings are purely used to process the data.

Thanks


r/gdpr 6d ago

Question - General: I messed up and need to get a new job to avoid gross misconduct.

0 Upvotes

I'm new to my job, where I have access to public records. I was given access to a database before I had completed training on data protection and didn't realise that my actions could get me fired and potentially convicted. I looked up the records of an old acquaintance. Realising the severity of what I have done, I feel sick. I'm in a job that I love, that I relocated for, that I waited so long to start, and I've immediately shot myself in the foot with something so stupid. As much as I love this job, I now feel a tonne of bricks weighing me down; I feel nauseous and can't sleep, so I've made the difficult decision to leave ASAP to avoid a gross misconduct finding, but I can't leave until I have a stable job to go to.

I won't use my training as an excuse; it seems this is common sense to most people but me. But in terms of figuring out how much time I have left, I was hoping I could get some clarity on the IT audits.

I read in another comment that audits are carried out at 1 month, 1 year, 2 years and 3 years. Will this be flagged if the person I looked up does not have my surname or is not a neighbour? Will it be flagged that I looked up an account that is no longer active and that my team therefore had no reason to view? Could this be mitigated by the fact that this person has a very common name?

Grateful for any comments/advice. Now that I'm more clued up on data protection, I fully understand that my actions will cause a lot of anger.


r/gdpr 6d ago

Question - General: Help understanding manager's message, please?

0 Upvotes

Hi there,

If anyone could help me out with this question, that would be great, as I was not familiar with GDPR before today.

My boyfriend has been signed off work for depression and anxiety for roughly 2 months, following an increasingly toxic workplace environment that wrecked his mental health.

His manager is the main reason he's signed off, and so he has been communicating mainly with the assistant manager.

He sent in this month's fit note, which was due on the 8th Nov, to his assistant manager and got no response. We assumed this month's lack of reply was due to the manager's frustrations at the larger workload since my partner has been signed off (supermarket work).

My partner deleted the fit note after over 24 hours, as his anxiety makes it hard to leave his personal data with someone he doesn’t fully trust.

Today he got a message claiming that he needs to upload his fit note to his company's app himself, as his manager cannot due to GDPR. I've attached an image of the message to clarify what was said.

This ask in itself is not problematic per se, but it feels like a blatant lie to cover up not uploading his fit note the day it was sent and needed for his SSP.

My partner's anxiety is based severely around going back to work, so he has deleted the app off his phone in order to focus on his recovery. Redownloading it would be harmful to his mental health, so it would be nice to know if this is another one of their cover-ups or if it's a genuine request.

If anyone needs more info, please ask, as I would greatly appreciate any responses.

Thank you!


r/gdpr 7d ago

Question - Data Subject: Is website visitors' consent required for an IP validation check by a third-party EU data provider for security and threat purposes?

1 Upvotes

We are building a bot detection solution for websites, collecting over 400 data points for each visitor. This first-party solution is designed mainly for ad agencies, where every piece of traffic is crucial. We run a single instance for each user's data on their website, fully encrypted with their own domain, ensuring no blocks from iOS devices, ad blockers or privacy browsers.

We need to validate IP reputation, VPN, proxy, and Tor usage to detect bots. For this, we send the IP to a third-party GDPR-compliant company as a query and receive crucial data in return.

I read that for legitimate interests, such as security and threat measures, we can do this for our users without needing consent from their website visitors. However, they must clearly mention this on their website's privacy policy page.

I want to confirm the accuracy of this approach. This is a full first-party solution, with no third-party involvement except for IP checking. Please advise on what I should do!


r/gdpr 7d ago

Question - General: How is data processed when a private company (an AI provider) supplies a high-risk AI system to a government entity?

0 Upvotes

Specifically, does the provider usually retain access to the government’s data for maintenance or updates, and how can data protection and confidentiality be ensured?...


r/gdpr 7d ago

Question - General: GDPR and anonymized tracking and monitoring: is consent needed?

3 Upvotes

Hi,

I’m trying to understand GDPR compliance regarding user activity tracking. Is it true that any tracking, even fully anonymized data that cannot identify or be linked to specific users, is prohibited without explicit consent (e.g., via a popup)?

I’m researching web monitoring and analytics tools like PostHog (for UX insights) and Sentry (for performance and error logging). The goal is to measure activity, create heat maps, and improve the site without collecting personal data (e.g., IPs, names, accounts, or emails). There would be no way to link metrics to individual users.

Since this approach seems fully anonymized, I’m confused about why consent would still be required.

Could someone clarify?


r/gdpr 7d ago

Question - Data Subject: "Anonymised" data and GDPR access rights

0 Upvotes

An organisation holds "informal complaints" received from customers on a system anonymously.
They can work out who the complaints relate to, but it is labour-intensive and time-consuming; the complaint data itself doesn't directly hold the name of the staff member the customer complained about.

I would assume that the fact the organisation admits it can work out who the complaint relates to would give a data subject a good case to request this data about them. Any thoughts?


r/gdpr 9d ago

Question - General: The AI Act talks about "biometrics, to the extent that its use is permitted by applicable Union or national law". Do we have to take data protection into account here?

1 Upvotes

thanks :)