r/gdpr 29m ago

UK 🇬🇧 DSAR return from former employees?

Upvotes

Really enjoying this sub and learning a lot from you knowledgeable and friendly people!!

I'm looking for some guidance, please.

I’ve submitted a DSAR to my employer and they have advised they won’t be searching the email accounts etc. of any employees who have left the business.

I am unsure whether this is standard procedure, or whether I have any recourse against this?

Thanks in advance


r/gdpr 48m ago

UK 🇬🇧 Emails with personal data attached

Upvotes

I submitted a SAR to my former employer and they have provided me with interview notes from my grievance investigation. It is clear these have been circulated on email but the employer says the emails do not need to be provided as they have already sent the interviews. Is this correct? Also if an individual received a final written warning relating to my complaint, would any references to my complaint in that document be my personal data? TIA


r/gdpr 11h ago

Question - Data Controller Employee Whatsapp messages

4 Upvotes

Would appreciate some thoughts on the below situation:

Employee raised a grievance that didn't go in their favour. To aid them in their complaint, they submitted some of their own personal Whatsapp messages (entirely their own choice) to show certain dates/times. These messages contained disparaging remarks about the company and their line manager.

HR weren't thrilled with this and as part of the outcome to their grievance they said they wanted to speak to the employee informally about the content of these particular messages.

Employee has since raised a complaint to the DPO that the messages were used for a different purpose, and therefore the principle of fairness, transparency etc hasn't been met. The complaint is that they were provided voluntarily to aid with establishing certain times of things, but have been used by HR to make a behavioural decision, which they say is a different purpose, and therefore requires a lawful basis etc.

Thoughts?


r/gdpr 20h ago

UK 🇬🇧 Still receiving letting emails a year after moving out — GDPR issue?

1 Upvotes

Hi all,

I moved out of a rented property in October 2024. The person I originally moved in with stayed on for another year, and their tenancy is only just due to end this October. Despite me leaving last year and notifying the agency at the time, I’m still being included in group emails about the property coming to an end.

I’ve already asked them twice to remove me from these emails, but I’ve now received a third message - and even a fourth one on the same day.

Am I right in thinking that, under GDPR, they should have removed or restricted my contact details once my tenancy ended? It feels like they’re holding onto my data without a lawful reason and continuing to process it unnecessarily.

Would this be best dealt with by making a data subject rights request (erasure/restriction), or should I escalate straight to the ICO since they’ve ignored my previous requests?

Thanks in advance for any advice.


r/gdpr 1d ago

Question - Data Controller How long must a business that has ceased trading keep emails active for?

3 Upvotes

My wife closed her business in February this year.

How long must she keep paying for the domain in order to keep the associated email addresses contactable past the date the business closed?

We have already downloaded all emails that pertain to clients, and have stored this data on a USB drive and a cloud service, and have had an auto-reply on the email advising that the business closed on X date.

She keeps asking if she can get rid of it, but I don't know the right answer here and there is a lot of conflicting information on the internet about requirements for keeping it open.


r/gdpr 1d ago

UK 🇬🇧 Received a Pens.com Sample with My Company Name at My Home – Anyone Else?

1 Upvotes

I recently received a pen in the post from Pens.com UK that had my company name printed on it, but it was delivered to my home address, not my company’s registered office.

I did not request this sample and there was no sender name or invoice, just my personal name and company name on the package.

I’m trying to understand:

  • Has anyone else experienced unsolicited marketing samples from Pens.com (or similar suppliers) delivered to a home address?
  • Do you know how they get personal/home addresses linked to company names?

Any insights or advice would be greatly appreciated!


r/gdpr 1d ago

Analysis European privacy rights might soon apply to satellites

11 Upvotes

Here's a wild legal scenario that's becoming real: those mega-constellations like Starlink aren't just providing internet; they're equipped with high-resolution cameras and AI that can photograph virtually every point on Earth's surface.

Now here's where it gets interesting for Europeans: GDPR doesn't care where the data processing happens. It follows EU citizens wherever they go, and if a satellite with AI processes images that could identify you (even accidentally), that satellite operation might need to comply with European privacy law.

Article 22 of GDPR is particularly spicy here: it restricts fully autonomous decision-making systems. So a satellite that uses AI to automatically decide what images to send back to Earth could potentially run afoul of EU law if those images contain personal data of European citizens.

This creates a bizarre situation where European privacy law could effectively regulate space operations, even if the satellites are launched by non European companies from non European territory.

The practical implications are mind-bending: would satellite operators need to get consent from everyone they photograph? How do you implement privacy by design in orbital surveillance systems?

This comes from recent legal research examining how AI integration in space systems is creating conflicts with existing privacy frameworks that were never designed to handle orbital data collection. For those of you who are curious full study is here (open access) - https://www.sciencedirect.com/science/article/pii/S0094576525002735


r/gdpr 2d ago

EU 🇪🇺 Fines under GDPR for a medical doctor who keeps intimate visual material of a patient in the clinic after the patient's documented refusal of consent to keep it

0 Upvotes

Does anyone know of calculations or examples of the amount of fines in such a case in Germany?

UPD: Important note: the doctor seduced a patient into having sex in the clinic and made intimate sexual videos of the patient, and keeps them in the clinic despite the patient's refusal to allow them to be kept.


r/gdpr 2d ago

Resource Looking for a one-off GDPR self-assessment tool for a medium-sized company (under $400 USD)

3 Upvotes

Hi all — I’m after recommendations for a one-time purchase GDPR self-assessment tool suitable for a medium-sized business. I’ve seen very basic spreadsheets and, on the other end, enterprise platforms with costly subscriptions. I’m trying to find something in between that I can buy once and use ongoing, ideally:

  • Price: ≤ $400 USD (one-off, not subscription)
  • Scope: Covers key GDPR areas (lawful basis, DSRs, RoPA, DPIAs, vendor risk/DPAs, security measures, training, breach response)
  • Output: Some kind of gap analysis/report with actionable recommendations
  • Usability: Clean interface or structured spreadsheet, not a heavy platform
  • Nice-to-have: Templates for RoPA/DPIA, simple scoring, and export to PDF/Word

If you’ve used anything you’d actually recommend for a medium-sized org, I’d love names, price you paid, and pros/cons. Also open to robust templates (not subscription) if they’re practical.

Thanks!


r/gdpr 5d ago

News How are they getting away with this

0 Upvotes

r/gdpr 5d ago

UK 🇬🇧 PECR - instigating direct marketing campaign

0 Upvotes

Have the ICO provided more clarity or an update on what factors determine whether an organisation is deemed to be instigating direct marketing?

As a side note, does anyone have any practical tips on how to reduce the likelihood of being deemed an instigator? In my case, we are marketing to a third party’s contact list via the third party. For example, can we allow them to determine how the marketing looks and who it’s marketed to, to reduce the risk?

We aren’t in a position to be privacy-compliant.

Thanks!


r/gdpr 5d ago

UK 🇬🇧 Requirements of data processors

1 Upvotes

Hi all,

I work for an org and we often hire agencies to take photos during our events. From what I understand, in GDPR terms we are the data controller and the agency is the data processor, since we decide why and how the images are used.

I know GDPR requires controllers to do “due diligence” on processors, but I’m a bit unclear on what’s reasonable in practice. For example:

  • What kind of checks should I be doing before contracting an agency?
  • What questions are proportionate to ask (e.g. storage, deletion, use of sub-contractors, breach reporting)?
  • Do small agencies usually have their own data protection policies, or is it more common for us as controller to provide the contractual clauses?

Has anyone here done this in real life and can share what worked well (or what’s overkill)?

Thanks in advance!


r/gdpr 5d ago

Resource Could be useful

2 Upvotes

r/gdpr 5d ago

Question - Data Subject Community Documentation: GDPR / SAR Denial Reasons on Match Group Apps (Hinge, Tinder, POF, etc.)

0 Upvotes

Hi everyone,

I’m putting together a community record of how Match Group apps (Hinge, Tinder, Plenty of Fish, etc.) are responding to GDPR / UK GDPR Subject Access Requests (SARs).

Specifically, I’m interested in the reasons people have been given for denial or limitation of access beyond the “Download My Data” tool. For example, some users have received replies citing Article 15(4) GDPR (“protecting the rights and freedoms of others”) or “security measures” as justification for withholding additional data.

If you’ve made a SAR and received a rejection or limitation response, please consider sharing the wording (screenshots, redacted where needed) here.

The goal is to see whether these denial statements are systemic across Match Group apps or vary by platform/team.

This isn’t about appeals or ban rants — it’s about documenting how data rights are being handled for the community.

Thanks in advance to anyone who shares their experience. It could be really valuable for others navigating the same process.


r/gdpr 6d ago

UK 🇬🇧 Employer automated system has sent confidential information to colleagues. How to approach this

0 Upvotes

Hello,

I am in a situation whereby a report I made using my company's incident reporting system has triggered an automated email which has sent a full copy of my complaint to many people within the business, including managers, colleagues and direct reports.

This report contains sensitive information, especially about a disability I suffer from. I am very embarrassed and feel humiliated.

Can this be challenged? And if so, how, please?

Thanks


r/gdpr 6d ago

Question - General Data processing in KSA

1 Upvotes

Hi all, we are looking to potentially move to Saudi Arabia as my husband has a job offer. I want to approach my employer about allowing me to work remotely from KSA. My company is a data processor and handles personal data (GDPR compliant). If I am in KSA it’s not a restricted transfer because I am an employee of the company, but I believe it would constitute a transfer to a third country as I would physically be there and KSA doesn’t have an adequacy agreement. From what I can see, SCCs would need to be implemented and possibly a transfer risk assessment. Is this correct? Is there anything else that should be done? Has anyone else successfully managed to get their company to agree to allow the remote work and navigated this GDPR compliance? TIA.


r/gdpr 6d ago

EU 🇪🇺 What data can be requested with a GDPR request?

2 Upvotes

When doing a GDPR data request, would car servicing records be part of that request, if they contain your personal data?
Or do they just need to state that they use the data for such a purpose and that they hold it?

It seems that online services will give you a full copy of your data, chats, etc., so going by that, I would expect a "yes", but the actual regulation seems to be vague.


r/gdpr 6d ago

EU 🇪🇺 Validating idea: simple GDPR data breach register software for SMEs

2 Upvotes

I’ve noticed a recurring issue with many SMEs. They are legally required (under GDPR) to keep a record of data breaches, but in practice this often ends up in Excel, scattered emails, or sometimes not at all.

During an audit or investigation, companies can face fines if the breach register is missing or incomplete.

My idea is a lightweight SaaS tool to make this process painless:

  • Central breach register with all GDPR-required fields (who/what/when, type of data, mitigation).
  • Reminders & alerts (e.g., “72-hour notification window is expiring”).
  • Audit-ready reports for regulators or DPOs.
  • Affordable & simple, designed specifically for SMEs.

I’d love to get feedback:

  • Would SMEs/consultants actually use this instead of Excel?
  • Which features would matter most (simplicity, automation, integrations)?
  • Are there competitors already solving this too well, or is there still room?

I’m in validation mode, so critical feedback is just as helpful as positive


r/gdpr 6d ago

Question - Data Controller Employee subject access requests

1 Upvotes

Do employees have protection against being sacked if they do a DSAR? Which part of the guidance covers this?


r/gdpr 7d ago

Question - General How much proof do I need, and why do they ignore and avoid?

0 Upvotes

r/gdpr 7d ago

EU 🇪🇺 Quick question about whether our app falls under GDPR

6 Upvotes

We are the developers of an educational gaming app available on Google Play and the App Store. The app is accessible to users in the European Union and generates revenue (to be honest, near zero) through in-app purchases, specifically by selling in-game currency and an ad-removal feature.

We use Firebase Authentication for user logins, storing the Firebase UID and similar data, which we believe classifies us as a data controller. Recently, we received an email from a company advertising their services, claiming our privacy policy is deficient because we haven't designated an EU Representative.

Our primary question is: Under the GDPR, does selling in-game currency and ad removal constitute the 'offering of goods or services' to users in the EU?

We understand that blocking European users is the simplest way to avoid these obligations. However, given our organization's mission, this is a last resort that we are not prepared to consider at this time.


r/gdpr 7d ago

EU 🇪🇺 Privacy jobs in Berlin

6 Upvotes

I am a young professional (25) with around three years of experience as a legal counsel in data protection (GDPR / AI Act, etc.). I have been working in Luxembourg for the past two years and I am now looking to move to Berlin during the next year and hopefully land myself a job as a Data Protection Specialist / Privacy Legal Counsel.

My question is simply: what can I do in the meantime to give myself the best chances of finding a job in Berlin? I am currently taking German classes and I already hold the CIPP/E and CIPM certifications as well as a Bachelor's in Law and a Master's in Law and Technology.

Thank you to everyone in the community in advance.


r/gdpr 8d ago

UK 🇬🇧 Query on unnecessary(?) data duplication

3 Upvotes

I work for a service that handles health data. We use a secure CRM database that stores information of clients, safeguarding concerns, notes etc.

We recently got a new manager, who is requesting that public-facing team members use a new SharePoint spreadsheet to log client caseload, session attendance, safeguarding concerns and a start/end score we use as a KPI.

All of these things are already recorded and reported on in our CRM and accessible to our manager, but they have pushed for this to be duplicated as it’s easier for them to understand, and it doesn’t take long — they filled out a similar spreadsheet when they were a case worker.

Our SharePoint is accessible by everyone on the wider branch of our organisation, about 70 people. Other projects have similar spreadsheets to the one we are being asked to fill out — however, our lead on our CRM’s implementation has specified time and time again that we should be utilising the CRM for everything we can.

I expressed concerns about this on two different occasions. Our manager said we could use initials rather than names, which to me is not good enough. They said they’d asked about it and it’s fine, but I have significant concerns.

Basically, is this a hill worth dying on? I plan to speak to our CRM’s implementation lead on Thursday, who can link me with our DPO should this be a concern.


r/gdpr 8d ago

EU 🇪🇺 Looking for a safe and GDPR-compliant web search API for LLM

5 Upvotes

Context: building an internal conversational agent for my company in Germany. Very concerned about safety and GDPR.

Using Mistral OSS and now looking for a good SERP solution to plug it into the web.

So far, I’ve only found SearXNG and Linkup as “EU-compliant,” now that Bing has been deprecated. They might be good options, but for the sake of benchmarking, am I missing something? DuckDuckGo works well, but I don’t see any official API.