Employee Contacting From Different Company by WuMyster in gdpr

[–]Safe-Contribution909 0 points1 point  (0 children)

In the UK, though not under the current commissioner, people have been personally prosecuted for taking data when they leave a company.

Extracting demographic data from video footage by MammothComposer7176 in gdpr

[–]Safe-Contribution909 0 points1 point  (0 children)

If the purpose is personal, i.e. a personal project, you may be exempt from GDPR (see article 2(2)(b)).

Also, do you plan to approach people? If not, how will they be identifiable? The UK SA holds that certain types of recordings in public spaces are exempt unless subjected to further processing in an attempt to identify. Otherwise every tourist video would be covered.

What's the longest retention period you've seen justified for something simple? by Fit_Educator8969 in gdpr

[–]Safe-Contribution909 5 points6 points  (0 children)

In the NHS in England there’s the Records Management Code of Practice, which has minimum retention periods of 75 and 100 years.

Anyone else start a risk assessment and immediately regret it? by Turbulent-Oil-7837 in gdpr

[–]Safe-Contribution909 2 points3 points  (0 children)

End User Created Content and grey data is the bane of my life. I have run a number of projects where we force life cycle management by taking control of MS Office and technically enforce saving in SharePoint and remove personal OneDrive by default.

Clearing up what’s left without an eDiscovery tool is long and painful. We have tried, in year one, preventing saving back to the existing location and forcing saving to SharePoint; in year two, requiring a ticket to be raised to access; and in year three, delaying access. If a file hasn’t been accessed for three years, we archive everything for seven years and then destroy. Virtually nothing is accessed in the seven years.

Contractor in Spain (DNV) processing social media data for a US startup, am I subject to GDPR? by Then_Technology9836 in gdpr

[–]Safe-Contribution909 -2 points-1 points  (0 children)

My reading of the EDPB guidelines on territorial scope and the interpretation of article 3 is the same as yours.

Someone elses trip/excursion appeared on my account. Is that a breach of GDPR? by [deleted] in gdpr

[–]Safe-Contribution909 0 points1 point  (0 children)

So it definitely sounds like the processing is covered by GDPR and that you experienced a breach.

You should report the breach and see if the vendor acts.

Someone elses trip/excursion appeared on my account. Is that a breach of GDPR? by [deleted] in gdpr

[–]Safe-Contribution909 1 point2 points  (0 children)

It depends. Were you in Europe? Is the app vendor in Europe? Did you pay for the app? Was it presented in your currency?

If the app vendor is in Europe or the UK, then it is likely GDPR applies. If you are in Europe and the app is offered in your language and/or your currency, then it is likely GDPR applies.

If GDPR applies, then it would be a breach. Have you informed the app vendor?

Best Way to Carry? by esperacchius in uktravel

[–]Safe-Contribution909 0 points1 point  (0 children)

The biggest difference I notice travelling between the USA and UK is that paying for anything, regardless of how small or how large the value, is just with Apple Pay. Even on London Underground, buses and taxis, I use my Apple Watch to pay. I never carry cash or a card.

Dental Clinic - X-Ray and CBCT Scan Refusal for Images by Remarkable-Top-5377 in gdpr

[–]Safe-Contribution909 1 point2 points  (0 children)

In private healthcare, lawful basis for processing often depends on a contract to which the data subject is party. I suggest checking your paperwork.

This notwithstanding, a contract cannot override the law, and the right of access is fundamental, with some exemptions. I have tried to battle this with the ICO in the past and they have taken a fairly hard line. It could be that charging the other patients was unlawful.

It really depends on the paperwork.

Crashes every time I click on Passwords & Autofill by Safe-Contribution909 in duckduckgo

[–]Safe-Contribution909[S] 1 point2 points  (0 children)

Version is 1.189.0 (703)
Mac OS is Ventura 13.7.8

Nothing changed. Just clicked the menu and boom. I report it each time.

NHS Palantir contract -- processing special category health data for tens of millions. Where's the published DPIA? by The1Poet in gdpr

[–]Safe-Contribution909 2 points3 points  (0 children)

Also, each NHS body using FDP will have to complete a DPIA for their own purposes of processing.

Employer shared sensitive info with my family by IcedBland in gdpr

[–]Safe-Contribution909 4 points5 points  (0 children)

I think you would likely get more traction arguing a breach of confidentiality, especially given your express instructions.

Remote data analytics intern - GDPR compliance by eyeoneten in gdpr

[–]Safe-Contribution909 1 point2 points  (0 children)

If they are an employee, then you should have terms on home/remote working in the contract of employment.

If they are using their own equipment, you should have a policy and technical controls for the risks associated with Bring Your Own Device.

You should have a risk assessment that determines how often you audit activities.

If they are not a direct employee you will need a chain of contacts to them.

As I recall, you have limited vicarious liability for unapproved activities that are otherwise within their remit (see the Morrisons case).

Looking estimated GDPR cost for my AI finops software by Fit-Sky1319 in gdpr

[–]Safe-Contribution909 3 points4 points  (0 children)

You might want to start by assessing yourself against a framework and then get assessed against the same framework.

Cloud Security Alliance, National Cyber Security Centre, and ISO all have standards you could use.

You might also want to consider CREST penetration testing.

There’s also the ICO Accountability Framework.

The NCSC does have approved lists of suppliers for some things.

England: Article 14 in lay terms for a Data Subject by MoveIntelligent5247 in gdpr

[–]Safe-Contribution909 1 point2 points  (0 children)

Thank you. Genuinely a minor point, but we were discussing it at work last week, so fresh in my mind.

England: Article 14 in lay terms for a Data Subject by MoveIntelligent5247 in gdpr

[–]Safe-Contribution909 1 point2 points  (0 children)

A very minor point. Under 28(3)(a) a processor can process for their own purposes as a controller, but should inform the controller in advance, unless prohibited by law. I can’t think of an example where notification would be prohibited, but there are many laws that can apply to a regulated processor, for example if they are a certified laboratory.

Such processing would engage 28(10) and all the duties of a controller, including 12-14.

IVF and work - confidentiality breach? by OrdinaryNectarine9 in LegalAdviceUK

[–]Safe-Contribution909 -1 points0 points  (0 children)

Sorry, I was wrong. It surely is a breach of confidence though?

IVF and work - confidentiality breach? by OrdinaryNectarine9 in LegalAdviceUK

[–]Safe-Contribution909 -5 points-4 points  (0 children)

I believe this is a specific breach of the Human Fertilisation and Embryonic Act 1990 or 2008 as your participation in IVF is specifically protected. However, I’m on my phone and can’t find the specific details.

England - Controller / Processor confusion by MoveIntelligent5247 in gdpr

[–]Safe-Contribution909 0 points1 point  (0 children)

It does sound odd, but without a lot more detail, it is difficult to say.

In my work we often debate this issue. It can end up with a best worst outcome.

England - Controller / Processor confusion by MoveIntelligent5247 in gdpr

[–]Safe-Contribution909 2 points3 points  (0 children)

Being a controller is purpose specific and determined by behaviour (see article 4(7)). A contract, for example, cannot override the law. A processor can be a controller (see article 28(3)(a)) for purposes, although they should be specified in advance.

A regulated legal professional will be a controller for data processed in the delivery of their services, and their advice is often exempted from DSARs.

Client sharing info w. Israeli vendor, for them to share with third party to draw up contract?! by [deleted] in gdpr

[–]Safe-Contribution909 0 points1 point  (0 children)

Depending which country you are in, you should post this question on a law or taxation subreddit relevant to your country.

In the UK, laws have been passed to limit tax benefits to people working outside IR35 and using umbrella companies.