Questions tagged [eu-data-protection]

The Data Protection Directive is a European Union directive which regulates the processing of personal data within the European Union. It is an important component of EU privacy and human rights law.

The right to privacy is a highly developed area of law in Europe. All the member states of the European Union (EU) are also signatories of the European Convention on Human Rights (ECHR). Article 8 of the ECHR provides a right to respect for one's "private and family life, his home and his correspondence", subject to certain restrictions. The European Court of Human Rights has given this article a very broad interpretation in its jurisprudence.

In 1980, in an effort to create a comprehensive data protection system throughout Europe, the Organization for Economic Cooperation and Development (OECD) issued its "Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data". The seven principles governing the OECD’s recommendations for protection of personal data were:

  1. Notice—data subjects should be given notice when their data is being collected;
  2. Purpose—data should only be used for the purpose stated and not for any other purposes;
  3. Consent—data should not be disclosed without the data subject’s consent;
  4. Security—collected data should be kept secure from any potential abuses;
  5. Disclosure—data subjects should be informed as to who is collecting their data;
  6. Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and
  7. Accountability—data subjects should have a method available to them to hold data collectors accountable for not following the above principles.

17 questions
5
votes
2 answers

Should I email contents of a https form submission

I am building an online registration form for a voluntary organisation in the UK and am considering data security measures. The form will be served up over https and there may be an optional payment fee involved. We are using Stripe.js to handle…
4
votes
3 answers

Security problem with confirmation email

I have an app, and when they first login, I send a classic confirmation email. When users need to reinstall the app, sometimes users send messages to our support saying: "I don't remember the email used to register my account, how can I have the…
4
votes
1 answer

New EU Data protection Law and small businesses

I'm aware of the new EU law changes regarding data protection. As a security consultant for an IT company that manages multiple other companies' systems, I was hoping someone might be able to clarify a few things for me. 1) I'm aware that the new law…
IngenuIT
3
votes
2 answers

How can I protect data in SQL tables?

Inspired by the many data leaks where whole databases/tables with personal user information were leaked, what are best practices to protect those assets? I'm especially concerned if someone was able to get access to backend code (which definitely…
dmuensterer
3
votes
3 answers

Does GDPR apply for volatile data

GDPR aims to set standards (and requirements) on how sensitive data should be stored. However, I couldn't find any information on how (or even if) GDPR applies to sensitive data in a volatile state. As an example, what if we are in the process of…
2
votes
1 answer

Does an email newsletter form on a HTTP-only website constitute a GDPR violation?

Problem: I am part of a non-profit club that has a form on the website for signing up for an email newsletter. The website (and thus the form) is only available through HTTP. HTTPS is not available on the current infrastructure. There is no other…
max
2
votes
1 answer

Should we confirm other personal details before security questions during password resets?

I've been tasked to work on a password reset tool for my company website. This tool is for a support person to provide a new reset password over the phone in case the customer does not receive the email or is locked out of their email account. Now…
2
votes
1 answer

Can a user's login credentials and/or secret questions be considered PII under EU regulations?

The European Union is one of the most regulated places regarding how to deal with Personally Identifiable Information. I was going to answer this question by saying that he had to hash the user password because of EU regulations, but I am not so sure. So, of…
Mindwin
2
votes
1 answer

Under the UK Data Protection Act, who is responsible for ensuring the data is transmitted to the data processor securely?

Preamble: I'm being reference-checked by a company. This company has asked me to send them my personal details (like NI numbers) via email (unsecured; unencrypted: big no-no). (To avoid side-tracking the question, I contacted the company and we came…
KidneyChris
1
vote
0 answers

Billing Information and Right to be Forgotten under GDPR

This question is from a SAAS point-of-view. If a user exercises their Right to be Forgotten under GDPR, what happens to their billing information? Good practice suggests you should delete card info as soon as a customer cancels their account, but…
shivam
1
vote
1 answer

Storing e-mails on private servers and getting consent from data subjects (EU GDPR)

My initial reading of the GDPR doesn't seem to cover cases of consent with regards to inbound e-mails. If I run a corporate e-mail server and store all incoming e-mails on it, I'm storing private data of data subjects (natural persons). Am I in…
1
vote
0 answers

Which certification to get in order to save PHI for European businesses

I work in a digital health company that will likely save personal health information. I am conflicted about which certification I should get in order to best meet the needs of business partners from Europe. Of course there are different requirements for…
WebQube
1
vote
1 answer

Sensitive assets identified and properly protected

I am going through the IASME Cyber Essentials questionnaire and one of the questions is: are all sensitive assets identified (e.g. protective marking) and properly protected? I have googled protective marking, which refers to the government's level…
Anonymous5642
1
vote
1 answer

Icons/Symbols according to GDPR

According to Article 12(7) of the European General Data Protection Regulation 2016/679 there shall be standard icons for making data collection more transparent for data subjects (end users): The information to be provided to data subjects…
eckes
1
vote
2 answers

Technical requirements applicable to IT department for GDPR

In order to prepare for GDPR, what is required from an IT department to ensure data protection for the business?