Great topic for a video, thanks Madhvi! It's essentially the same as if each group member is an unknown third party. There's no free passes for group members. If you have BCRs (and wow, only 200 groups have ever had BCDRs approved so you most likely do not have BCRs) then the BCRs set out the rules - still no free pass, the BCR is a chunky set of rules.
@PrivacyKitchen I wonder whether you could clarify something for me? Many people have been telling me that a "natural person" i.e. private individual, someone who does not have a business, just a regular Joe, can be considered a Data Controller. I know the DPA quite well but not the GDPR. I would imagine it being highly impractical for private individuals to be classed as Data Controllers but some fairly reliable people have told me this is the case. I can't find anything that validates their opinion.
Individuals can be controllers in very limited circumstances (given the vast majority of personal data processing happens in the context of a legal entity with employees). In GDPR, a controller is the person who determines the purposes and means of the processing. 'Person' can be either a natural person (a human) or a legal person (an LTD, PLC etc). In an employer-employee context, it's normally the employer who determines purposes and means, not the employee enacting that for the employer. But if the employee goes off on a frolic of their own, outside their employee duties, they're likely to be the controller for that. And, outside that employment context, if a person on their own processes personal data for a purpose other than 'in the course of a purely personal or household activity' then the GDPR likely applies to them as a controller.
@@PrivacyKitchen great! I'm eagerly anticipating watching. By the way, I successfully passed the CIPP/E exam, and I must say your videos were particularly helpful in certain areas. Thank you! 😊
For sure! Huge numbers of them in terms of controllers in breach. Here's the official EDPB website rounding up regulatory fines on controllers who breached GDPR: edpb.europa.eu/news/national-news_en. In terms of where people didn't know they were the controller, that's quite rare because you're either saying you didn't know GDPR applied (odd if you process personal data) or generally such rulings are where eg a list provider or recruiter says they're a processor (or joint controller or separate controller) - more about having an argument about what role you had.
@@PrivacyKitchen hmm that’s very helpful, let’s use today’s era as an example right, track and trace app for coronavirus. Would you think NHS is a data controller as they determine the why and how for processing personal data with the track and trace app and then the data processsors would be google, apple ect as they are allowing the app to operate on behalf of the controller. Or would you say nhs apple and google are joint controllers. Just tryna get a clear understanding with a current scenario! Any comment would be helpful
@@ajayxo6712 it's all fact specific but at first blush: NHS controller, everyone else it depends on their access to personal data (if no access, no GDPR role) and then their role
@@PrivacyKitchen thank you that is very informative... Facts are everything... In relation to that list and link you gave would you know any case where a company/person did not report a personal data breach but then was found guilty going against article 33(1) gdpr? Thanks in advance
Looking to achieve GDPR compliance within your organisation? Arrange a demo and free 14-day trial of Keepabl's award-winning Privacy Management SaaS: bit.ly/3xbovxU
i have interview today wish me all the best 🙏
And :D??
This is really helpful. How does intra-group data processing work? For example. Need more guidance on this pls.
Great topic for a video, thanks Madhvi! It's essentially the same as if each group member is an unknown third party. There's no free passes for group members. If you have BCRs (and wow, only 200 groups have ever had BCDRs approved so you most likely do not have BCRs) then the BCRs set out the rules - still no free pass, the BCR is a chunky set of rules.
Thank you Robert! Excellent video. Did you manage to do a more in-depth video about where processors push it?
Thanks Adrian! We've got that scheduled and it's rising to the top of the queue, it's a great topic.
Very informative video - thank you. A video on the importance of a written contract under Article 28(3) would be most appreciated.
Great suggestion, thank you for contributing! Yes, we're looking to do a mini-series on Processors in the new year :)
Merci
Tu peux metez les sous-titres en Francais.
well done!
@PrivacyKitchen I wonder whether you could clarify something for me? Many people have been telling me that a "natural person" i.e. private individual, someone who does not have a business, just a regular Joe, can be considered a Data Controller. I know the DPA quite well but not the GDPR. I would imagine it being highly impractical for private individuals to be classed as Data Controllers but some fairly reliable people have told me this is the case. I can't find anything that validates their opinion.
Individuals can be controllers in very limited circumstances (given the vast majority of personal data processing happens in the context of a legal entity with employees). In GDPR, a controller is the person who determines the purposes and means of the processing. 'Person' can be either a natural person (a human) or a legal person (an LTD, PLC etc). In an employer-employee context, it's normally the employer who determines purposes and means, not the employee enacting that for the employer. But if the employee goes off on a frolic of their own, outside their employee duties, they're likely to be the controller for that. And, outside that employment context, if a person on their own processes personal data for a purpose other than 'in the course of a purely personal or household activity' then the GDPR likely applies to them as a controller.
Amazing videos, using alongside my study for the CIPP/E exam. Did you get around to doing one on joint controllers?
Many thanks! We've not yet but will do :)
@@PrivacyKitchen great! I'm eagerly anticipating watching. By the way, I successfully passed the CIPP/E exam, and I must say your videos were particularly helpful in certain areas. Thank you! 😊
Congratulations!@@Tola_A
Is there any article or case where the data controller has breached or if a data controller didn’t know they were the data controller?!
For sure! Huge numbers of them in terms of controllers in breach. Here's the official EDPB website rounding up regulatory fines on controllers who breached GDPR: edpb.europa.eu/news/national-news_en. In terms of where people didn't know they were the controller, that's quite rare because you're either saying you didn't know GDPR applied (odd if you process personal data) or generally such rulings are where eg a list provider or recruiter says they're a processor (or joint controller or separate controller) - more about having an argument about what role you had.
@@PrivacyKitchen hmm that’s very helpful, let’s use today’s era as an example right, track and trace app for coronavirus. Would you think NHS is a data controller as they determine the why and how for processing personal data with the track and trace app and then the data processsors would be google, apple ect as they are allowing the app to operate on behalf of the controller. Or would you say nhs apple and google are joint controllers. Just tryna get a clear understanding with a current scenario! Any comment would be helpful
@@ajayxo6712 it's all fact specific but at first blush: NHS controller, everyone else it depends on their access to personal data (if no access, no GDPR role) and then their role
@@PrivacyKitchen thank you that is very informative... Facts are everything... In relation to that list and link you gave would you know any case where a company/person did not report a personal data breach but then was found guilty going against article 33(1) gdpr? Thanks in advance
Looking to achieve GDPR compliance within your organisation? Arrange a demo and free 14-day trial of Keepabl's award-winning Privacy Management SaaS: bit.ly/3xbovxU