GDPR Resources

Blackbaud - Webinar FAQ GDPR


Q: On the wealth screening point, you provide an opt-out in your draft wording. Under GDPR shouldn't this be an opt-in?

A: Many customers are relying on legitimate interests to justify their use of wealth screening, and as such, an opt-out would be appropriate. Please see our article "It's Not All About Consent—Using Legitimate Interest and the Other Legal Bases" for more discussion on the legal bases.

Q: If we collect data for performance of a contract, how do we deal with the right of erasure when the contract is still ongoing?

A: Each controller has to determine for itself how it will respond to exercises of the right of erasure. GDPR provides that controllers must only erase data if (a) the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed; (b) consent is the only legal basis for processing, and the individual withdraws consent; (c) processing is based on legitimate interest, the individual objects to the processing, and there is no overriding legitimate interest for continuing the processing; (d) the personal data was unlawfully processed (i.e. otherwise in breach of GDPR); (e) the personal data must be erased in order to comply with a legal obligation; or (f) the personal data is processed in relation to the offer of information society services to a child.

Q: Is an organisational personal email considered personal data?

A: There is no distinction between B2B and B2C within GDPR; as long as the personal email identifies a natural person, it is "personal data" as defined in GDPR.

Q: Is a DPO the same as a data controller?

A: No. A data controller is the person or entity who determines the purposes and means of processing. The DPO is the data protection officer, a person appointed by a controller or processor who has certain tasks and responsibilities with respect to an organisation's data protection practices, as set out in Section 4 of GDPR.

Q: Does the right to object to processing for statistical purposes include situations where the data is anonymised?

A: From Recital 26 of GDPR: "The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes."

Q: Can we 'refresh' legitimate interest in the same way we would look to refresh consent to make it GDPR compliant? What would this look like?

A: You can certainly re-conduct your legitimate interest assessments to ensure that any changes in your data protection practices haven't changed the analysis or results.

Q: Right of erasure: do we have to delete their whole record, or just the contact details (address/phone etc.)?

A: The right of erasure requires controllers to erase all personal data. Your organisation must determine what fields it holds that constitute personal data subject to erasure. It is perfectly suitable to delete all the personal data out of a constituent record and retain data that does not identify an individual, like a unique constituent ID.

Q: On 'purpose': the description of automatic decision-making, the logic involved and the consequences of such processing for the individual. How does this affect a non-profit SaaS organisation that is a processor of people's data collected by other non-profits via surveys?

A: The controller of the data will need to inform data subjects about any automatic decision-making it conducts.
