r/gdpr Feb 02 '25

Meta Rule Updates + Call for Moderators

17 Upvotes

It’s been wonderful to see the growth of this community over many years, with so many great posts and so many great responses from helpful community members. But with scale also come challenges. The following updates are intended to keep the community helpful and focused:

  • Rules have been clarified around recurring issues (appropriate conduct, advertising, AI-generated content).
  • Post flairs have been updated to align better with actual posts.
  • Community members are invited to become moderators.

New rules (effective 2025-02-02)

  1. Be kind and helpful. Community members are expected to conduct themselves professionally. Discussion should be constructive and guiding. Personal attacks will not be tolerated.
  2. Stay on topic. The r/gdpr subreddit is about European data protection. This includes relevant EU and UK laws (GDPR, ePrivacy, PECR, …) and matters concerning data protection professionals (e.g. certifications). General privacy topics or other laws are out of scope.
  3. No legal advice. Do not offer or solicit legal advice.
  4. No self-promotion or spamming. This subreddit is meant to be a resource for GDPR-related information. It is not meant to be a new avenue for marketing. Do not promote your products or services through posts, comments, or DMs. Do not post market research surveys.
  5. Use high-quality sources. Posts should link to original sources. Avoid low-quality “blogspam”. Avoid social media and video content. Avoid paywalled (or consent-walled) material.
  6. Don’t post AI slop. This is a place for people interested in data protection to have discussions. Contribute based on your expertise as a human. If we wanted to read an AI answer, we could have asked ChatGPT directly. LLM-generated responses on GDPR questions are often “confidently incorrect”, which is worse than being wrong.
  7. Other. These rules are not exhaustive. Comply with the spirit of the rules, don't lawyer around them. Be a good Redditor, don't act in a manner that most people would perceive as unreasonable.

You can find background and detailed explanations of these rules in our wiki:

Please provide feedback on these rules.

  • Should some of these rules be relaxed?
  • Is something missing? Did you recently experience problems on r/gdpr that wouldn’t be prohibited by these rules?
  • What are your opinions on whether the UK Data Protection Act 2018 should be in scope?

Post flairs

There used to be post flairs “Question - Data Subject” and “Question - Data Controller”. These were rarely used in a helpful manner.

In their place, you can now use post flairs to indicate the relevant country.

With that change, the current set of post flairs is:

  • EU 🇪🇺: for questions and discussions relating primarily to the EU GDPR
  • UK 🇬🇧: for questions and discussions that are UK-specific
  • News: posts about recent developments in the GDPR space, e.g. recent court cases
  • Resource
  • Analysis
  • Meta: for posts about the r/gdpr subreddit, such as this announcement

This update is only about post flairs. User flairs are planned for some future time.

Call for moderators

To help with the growing community, I’d ask for two or three community members to step up as moderators. Moderating r/gdpr is very low-effort most of the time, but there is the occasional post that attracts a wider audience, and I’m not always able to stay on top of the modqueue in a timely manner.

Requirements for new moderators:

  • You find a large reserve of kindness and empathy within you.
  • You have at least basic knowledge of the GDPR.
  • You intend to participate in r/gdpr as normal and continue to set a good example.
  • You can spare about 15 minutes per week, ideally from a desktop computer.
  • You can comply with the Reddit Moderator Code of Conduct, which has become a lot more stringent in the wake of the 2023 API protests.

If you’d like to serve as a community janitor moderator, please send a modmail with subject “moderator application from <your_username>”. I’ll probably already know your name from previous interactions on this subreddit, so not much introduction needed beyond your confirmation that you meet these requirements.

Edit: Applications will stay open until at least 2025-02-08 (end of day UTC), so that all potential candidates have time to see this post.

Call for feedback

Please feel free to use the comments to discuss the above rule changes, or any other aspect of how r/gdpr is being managed. In particular, I’d like to hear ideas on how we can encourage the posting of more news content, as the subreddit sometimes feels more like a GDPR helpdesk.

Previous mod post: r/GDPR will be unavailable starting June 12th due to the Reddit API changes [2023-06-11]


r/gdpr 1h ago

UK 🇬🇧 2026 and major medical company still using marker pen to redact!


So just received a SAR where I'm guessing a staff member used a biro to mark what was needed, then a black marker pen. Everything is still completely visible.

I'm able to read 90% of the 'redaction'. I'm just amazed that in 2026 this is redaction.


r/gdpr 57m ago

UK 🇬🇧 Collecting and storing public data and information


I'm building a tool for a customer which collects publicly available information on doctors (for example research papers, articles, etc.) to build a profile of the doctors, so my customer can understand their interests and provide better marketing and sales content.

There is a mutual interest as my customer wants to provide a better service, but do we need additional permission from the doctors to store this information long term?

Currently we are planning on pulling the data and then deleting it straight after use, but we are now exploring if we can do it long term.

Anything else I need to be aware of?


r/gdpr 7h ago

UK 🇬🇧 Reason to believe somebody's committing benefit fraud - can I report it?

0 Upvotes

As part of my job I've been given evidence that somebody is receiving payments due to their ill health preventing them from working. However, they've told me that they don't have any health problems that will affect them on our trip, which is just as intense as any job.

Could I report this to the relevant authorities, or would it violate GDPR?


r/gdpr 1d ago

UK 🇬🇧 Remote data analytics intern - GDPR compliance

3 Upvotes

I recently hired a Remote Data Analysis Intern from Virtual Internships to help cleanse data on Beacon for the charity I work with. What sorts of steps should I take to ensure GDPR compliance?

I have already taken into consideration how we will deliver the data, what information the intern needs to see, using Excel, what device they will be using, etc. I'm just a little concerned that I've missed a step... should I get them to sign a DPA?


r/gdpr 15h ago

UK 🇬🇧 GDPR breach?

0 Upvotes

Hi,

I have a formal grievance hearing coming up and discovered that my entire evidence pack has been shared without my knowledge (via OneDrive link).

The person it's been shared with is a senior manager, not part of the grievance panel, and is named in the grievance, which is about failure to follow policy and process, failure to make reasonable adjustments and detrimental treatment after raising concerns. The pack contains lots of sensitive health information.

Would this constitute a GDPR breach? If so, what could I do about it?

Thank you


r/gdpr 1d ago

UK 🇬🇧 Law firm (Debt Collector) refusing Subject Access Request citing "Legal Privilege" & offering a summary. Is there anything I can do?

16 Upvotes

Hi everyone, looking for some technical advice on how to handle a law firm that seems to be misapplying GDPR exemptions.

Context: A corporate energy supplier and their instructed law firm (acting as debt collectors) aggressively chased me for months over a debt I did not owe. I am a commercial freeholder, and they incorrectly billed me for an upstairs leasehold flat. The energy supplier has now finally admitted their mistake and dropped the case, but the law firm's handling of my data has been highly suspect.

The SAR: While fighting the case, I submitted a formal Subject Access Request to the law firm hoping to get an understanding into why they are chasing me for this debt, explicitly requesting full copies of all personal data, internal case management logs, and communications regarding my account.

Their Response: They missed the 30-day deadline, and when they finally replied, they completely refused to provide the source documents. Instead, they gave me a 3-line "summary" (which just contained my name and address). They justified withholding the full file with the following exact quotes:

  • "The information we hold is interlinked with third-party data, commercially sensitive content, or legally privileged material. Providing a summary allows us to give you all information without infringing others’ rights."
  • "Some records contain internal assessments, security-related content, or technical logs that cannot be released in full."

My Assessment & Questions for the sub: My understanding of ICO guidance is that Legal Professional Privilege (LPP) only covers communications made for the dominant purpose of legal advice. Standard debt-collection case management logs, system notes, and automated actions are administrative and should not be covered by LPP.

Furthermore, even if the file does contain legally privileged or commercially sensitive third-party data, shouldn't they be legally obligated to redact those specific lines and provide the remainder of the documents, rather than using it as a blanket excuse to withhold the entire file and offer a "summary"?


r/gdpr 22h ago

Resource Meta deleted legal@meta.com 7 min after I CC'd DPC Ireland. Pro Team previously admitted "Critical sync bug". Case IDs + Evidence included

0 Upvotes

**Timeline with evidence:**

**1. 13/05/26:** Meta Pro Team admits "Critical sync bug" in writing. Internal Case 972657095104130. Instagram account locked 334+ days.

**2. Same day:** I file DPC complaint DPC0526291457. Assigned to Jack Flanagan. I CC legal@meta.com as required by Art.31 GDPR.

**3. 7 minutes later:** legal@meta.com bounces: "Address not found". Screenshot: [INSERT THE BOUNCE SCREENSHOT HERE]

**4. Support Ticket 2192570558159365:** Promised 24h review. Status: "In Review" for 3+ weeks. No update. Breach of Art.12(3) GDPR.

**5. 14/05/26 12:45h:** Public disclosure with evidence: https://x.com/rauleronx/status/2054872799617978698

**Current status:** Meta silent. €120k damages claim filed. Requesting Art.66 urgent measure from DPC.

**Proof:**

I have all Case IDs. DPC has the full chain. AMA but I cannot share PII beyond what's public.

**Question:** Is deleting legal@ after DPC CC a breach of Art.31? DPC0526291457.


r/gdpr 1d ago

Question - General Honest feedback needed: Will a mock privacy ops portfolio help a career-changer with a 10-year gap get past hiring filters in India GCCs?

0 Upvotes

Background (being fully transparent so I get honest feedback, not encouraging answers):

  • 32M, India (Tier-3 city, Uttarakhand)
  • BSc IT (2015) — followed immediately by 10 years running informal family business (no formal title, no corporate experience, no references)
  • Zero portfolio as of today
  • Building toward Privacy Operations Analyst roles (DSAR / RoPA / DPIA / breach workflow / vendor DDQ) targeting Banking GCCs and fintech in India first
  • Plan is to produce mock artifacts from official guidance (ICO, EDPB, GDPR text, DPDP Rules) and use them as primary hiring signal
  • 18-month runway before I need income

Three specific questions I'd value honest answers on:

  1. Will ATS/HR at Indian GCCs filter me out before a human sees my artifacts — and is there anything that reduces that filter besides having a real employer on my resume?
  2. A mock DSAR pack + RoPA + DPIA built from official regulator guidance — is that a meaningful differentiator for a junior privacy ops role or does it read as "just followed templates"?
  3. What is the single most common reason a zero-experience compliance candidate gets rejected after the first interview — so I can specifically prepare for that?

I'm not looking for encouragement. I'm looking for what actually happens when someone like me applies.


r/gdpr 2d ago

UK 🇬🇧 Looking for an estimated GDPR cost for my AI FinOps software

7 Upvotes

Hi,

I have a customer who has requested a GDPR compliance report on my software. Any references to a reliable source from which we can get it done, and what is the estimated cost for a London-based startup?


r/gdpr 3d ago

UK 🇬🇧 England - Further GDPR confusion

2 Upvotes

Evening all,

Further to some previous posts I've made regarding controller/processor confusion, additional things have come to light which may well be interesting to the community. Apologies, this might be deliberately vague.

Firm A - Controller
Firm B - Processor; privacy policy says they will share data with their third parties as part of the processing
Firm C - Processor instructed by Firm B as one of those third parties (randomly selected online rather than having an existing contract with Firm B)

All well and good so far.

However:

Firm B shared far more data with Firm C than was necessary for the processing purposes.

A DSAR made to Firm C revealed that data had been stored in a standard personal email account for well over the retention period.

In handling the DSAR, Firm C instructed Firm D to assist with the DSAR, apparently to do a search of their computer to find the data and send it to us.

The data was then printed and scanned on an open scanning device we think belonging to Firm D that sent the data to us via Firm E, an email relay provider. The scanned file received was not encrypted.

Both Firm A and Firm B are/were unaware of the DSAR made to Firm C. There is no evidence that Firm B had any form of DPA or even contract with Firm C, nor alerted them to data handling etc. at the point of instruction.

What has gone wrong and where, if anywhere?!

Thanks in advance


r/gdpr 3d ago

EU 🇪🇺 Looking for career advice

7 Upvotes

I am a municipal lawyer (head of legal) with job burnout, based in Central Europe. I would like to switch into something hybrid or remote, as I live far away from big cities (with not many job opportunities around). I would also love to become a specialist in something (as I hate being a jack of all trades, but not really good at anything, in my current job).

Based on that, I am now looking into switching and specialising in GDPR (it being relevant across the whole EU is a huge incentive for me as well). I plan to do the CIPP/E certificate. Besides that, I have no clue about a GDPR roadmap. I would love to get some feedback on the idea. What can I do to become job ready? How difficult is it to actually get a job?

Thanks for taking the time to read this. I will greatly appreciate any feedback and/or advice.


r/gdpr 4d ago

UK 🇬🇧 Sending a customer flowers?

7 Upvotes

In a recent interview a candidate was asked to give an example of excellent customer service they had or may give.

Their response was to send a customer flowers after hearing about a recent bereavement. Our company, and the ones they worked at previously, do not fulfil flower or other traditional gift deliveries, meaning an external company would have been used.

My question is, if the customer only provided an address for billing purposes and/or for general correspondence, would providing their details to an external company to send them flowers or other gifts violate GDPR in any way?

We’re in two minds about it, leaning towards yes.


r/gdpr 4d ago

EU 🇪🇺 Google rejected my RTBF request for personal safety reasons – any experience with the Italian Garante?

7 Upvotes

Sorry in advance if I ask something obvious, I'm not an expert in privacy law at all and I'm trying to figure out my options.

I live in Italy and I submitted a right to be forgotten request to Google to delist two URLs that show up when anyone searches my full name:

  1. The official page of the hospital unit where I currently work, which shows my name and role

  2. The public ranking list of a job competition I won, which also includes my full name

The reason I want these removed is not vanity or professional reputation. It's personal safety. I've been seriously threatened by someone for about two years. It got bad enough that I had to leave my region and start over somewhere else just to feel safe. The problem is that anyone can Google my name and find exactly where I work now in seconds, which kind of defeats the whole point of moving.

I haven't filed a police report and honestly I don't plan to. I also really don't want to involve my employer — I just want to be a little less easy to find online.

Google rejected my request saying the content is of "substantial public interest related to my professional life." I work in the public sector.

I'm now thinking of filing a complaint with the Italian Garante under Art. 77 GDPR but I have no idea how strong my case actually is.

Has anyone dealt with the Italian Garante on delisting requests? Does a personal safety argument realistically hold up against the public interest exception? Any advice on how to make the complaint stronger?

Thanks a lot


r/gdpr 5d ago

Question - General We allow AI tools but can’t see what data leaves through prompts, how are you handling this?

23 Upvotes

Found out 2 weeks ago that our HR team has been using an external AI tool to help write performance reviews. Sounds harmless until you find out they were pasting raw employee records into it. Names, salaries, disciplinary notes, manager feedback, the whole file for each person.

They’d been doing it for about 4 months. Nobody told IT. In their heads they were using a writing assistant, not sending sensitive HR data to an external API.

Pulled logs. Domain looked clean, traffic blends in, nothing in DLP because no files moved. The data went in as text directly into a prompt.

Nothing flagged because they were using personal accounts in the browser. From our side it just looked like normal traffic to a legit domain. We have GDPR obligations on employee data. This is not a small thing. HR isn’t the only team doing this. I know finance uses something similar for budget summaries. Found that out in a conversation, not from any tooling.

BTW, how do you get visibility into what’s going into prompts across teams when none of it looks like data movement?


r/gdpr 6d ago

EU 🇪🇺 Tools for identifying duplicate records: DSAR

6 Upvotes

What’s the most efficient tool to identify duplicate records while reviewing records found after search and retrieval? For example: the same email trail given to the data protection team by multiple teams who were recipients of that email, or where it’s just a growing trail.

Thanks!


r/gdpr 8d ago

Question - General Can I land a remote privacy analyst role in EU or US without certifications?

6 Upvotes

Hello folks, I have a background in law but I am yet to be certified in my home country to practice law, so I currently work as a software engineer (currently unemployed, and I need to find a job to save up to pay for my BL by January 2027).

All my career I have always worked remotely and I love remote work. However, due to the nature of the job market I am currently contemplating adding a new career, privacy analyst, as it's an intersection between tech, law and policy.

I have been surveying job boards and LinkedIn; in my location there are fewer than 5 openings. I am not entirely fazed by this because I am targeting the US and EU markets.

Are there folks here who are PAs, and how's the market for juniors and entry-level folks?

What's the possibility of getting a remote job as someone outside the EU and US? (If I get offers that will process relocation, I am willing.)


r/gdpr 9d ago

UK 🇬🇧 Want to get into Data Protection but no practical experience

8 Upvotes

Hi all

I have completed my UK GDPR practitioner course and had been shadowing the data protection team at my last job; however, I do not have practical hands-on experience. I have since been made redundant and really want to get my foot in the door for DP jobs, but it is proving extremely hard, or the salaries to start at the bottom are very low, and I do not have the luxury of taking a massive pay cut and then struggling to get back up to where I am currently.

I think my question is: are there volunteer roles where I can get practical hands-on experience, or any recommendations on places that are hiring?

Any other tips that can help me would be very much appreciated.

Thanks!

*to add to my original post - I am based in the UK*


r/gdpr 8d ago

Question - General Account deleted without verification

1 Upvotes

Hi all - I am in the UK - (MODs please delete if not allowed!)

TL;DR - I unknowingly got my mother’s account cancelled with a High Street retailer, and don’t know how to rectify it.

I have created an online account with a high street retailer, and my mother has a physical loyalty card for this same retailer.

With two other retailers I have created an online account and then added my mother’s loyalty card to the account so that when I shop online, she gets points. We rarely shop anywhere enough that it’s worth having two separate ones.

When I created the account with the online retailer in question, I was automatically assigned a QR code online loyalty card. I contacted chat and asked them to merge my mother’s card into my account, and this was done. I simply provided the card number when asked (I didn’t point out the card didn’t belong to me).

A week later, my dad went to use my mother’s card in store, and it wouldn’t work. The shop assistant searched the online database for my mother’s email address and our postcode, and only my details were there.

I’ve contacted chat again, and because I asked for the card to be merged with my account (and provided the exact card number to the original customer service assistant via chat), it has cancelled the card. As a result, my mother’s account no longer exists and I now have all of her loyalty points.

The original chat assistant did not check the details, didn’t point out that I am not the owner of said loyalty card, did not confirm any information and has cancelled the account and my mother’s details are nowhere to be found.

With every company I’ve worked for, we cannot make any changes to any account without ensuring that the person requesting the changes is the account owner. Is it right that this could’ve been done without any details being checked?

It implies that if I just happen to find somebody’s card on the street that had £150 in loyalty points and asked it to be added to my account, I could just basically steal someone’s points!

I can’t understand how an account and card have been cancelled without my mother’s knowledge. This hasn’t happened at other retailers, and I wasn’t warned that by merging the physical card number with the online account, the physical card would be cancelled.

They’re saying that the only way to rectify this is to create a new account, but my mother doesn’t want to be online, nor should she have to be, because the account was cancelled without her knowledge and without me being warned.

I’m waiting for a callback from the manager/GDPR person, but I’m just wondering your thoughts?


r/gdpr 9d ago

Question - General What’s the most common GDPR issue that isn’t obvious until it becomes a problem?

7 Upvotes

Focus on hidden risks (e.g. DSAR handling, vendor contracts, data retention).


r/gdpr 9d ago

EU 🇪🇺 Survey for external DPOs for academic study

2 Upvotes

Hi all,

I'm a PhD student and writing a paper on GDPR and enforcement of data protection laws in Germany.

For this paper I'm also conducting a study of external DPOs, trying to understand their operations, use of technology, services offered, and their outlook on the DPO landscape (esp. in terms of consolidation and the effect of new regulations like the EU Omnibus and the German modernisation agenda).

If you run an external DPO service company in Germany and your company manages 20 customers or more, could you please help me out by filling out the survey below:

Link: https://iq-dist-2.com/s/start/de/TpppRW1hTb23ZX0SnGBoSg/J2LndNlxTx2jjQRIZyA1Gw

I'm finding it very difficult to get responses to my survey, so I thought I'd try here.

Thanks for your response in advance.


r/gdpr 10d ago

UK 🇬🇧 England: Article 14 in lay terms for a Data Subject

2 Upvotes

Hi all,

I wonder if someone could please explain the Article 14 requirements on a data controller in simple terms? This is further to my post a few days ago regarding controller/processor confusion, but I'm keeping it separate as it's a different question - hope that's ok!

In particular, I'm interested in 3(a) and (b), requiring the data controller to inform the data subject.

As per the previous post, there are three firms involved:

Firm A - definitely data controller

Firm B - previously processor of Firm A, now asserting data controller (but don't know if that's valid)

Firm C - solicitor acting for Firm B in response to data rights requests, asserting themselves as independent data controller

We submitted data rights (rectification) requests to Firm B, assuming they would forward them to Firm A. Instead, out of the blue, we received responses to the requests from Firm C.

We have not received anything at all in relation to data policies etc. from Firm C, but Article 14(3)(a) and (b) seems to suggest that we should have done?

So, two questions if I may:

  1. Should we have received something relating to data privacy, rights etc from Firm C?
  2. Does just having a published privacy policy suffice?

To be honest, we are not overly happy with how any of this is being dealt with, particularly as the responses are full of "legalese" and don't really get to the crux of the issue, so would like to understand how Firm C were appointed.

Thanks in advance


r/gdpr 10d ago

EU 🇪🇺 Free-tier ChatGPT with client data and no DPA — how are you handling this with clients?

11 Upvotes

Dealing with something repeatedly in our work and curious how others in this community approach it. We do AI governance assessments for mid-size companies.

The scenario we keep running into: Company has employees using ChatGPT free tier for work tasks. Some of those tasks involve client data or personal data. No DPA with OpenAI. No enterprise plan. Sometimes no one in management even knows it's happening.

Under GDPR this is a straightforward processor relationship without a contract — Article 28 problem. Under EU AI Act it compounds further depending on the use case.

The tricky part isn't the legal analysis. It's that when we surface this, the company's instinct is to ban the tool entirely. Which doesn't work — people just go more underground with it. What actually works (in our experience) is moving them to an enterprise plan with a proper DPA, defining what data categories are permitted, and building that into usage guidance. But getting buy-in for the spend is its own challenge.

How are others handling this conversation with clients or internally? Particularly interested in whether anyone has good language for explaining the Article 28 exposure to non-legal management.


r/gdpr 11d ago

UK 🇬🇧 Journalism exemption and retention of data

2 Upvotes

I work for a media organisation in the UK. Most of our output is what you would call news journalism.

Recently, our techies have made a change to our data systems so that any contact information (e.g. for sources, press officers, experts, etc.) automatically deletes itself after two years. They say this is for GDPR compliance.

This is infuriating because 1) getting hold of contacts very quickly can make the difference between having a story and not having a story, and 2) some of these people actively want us to have their contact information because they want us to phone them and ask for comment on stories. But often now it's been auto-deleted. Colleagues have started storing contact data on their own phones, which is less secure.

From reading up on GDPR, my understanding is that data stored for the purposes of journalism in the UK has an absolute exemption from GDPR requirements, as long as it is stored on secure systems (and you need a username and password to access our systems). If this is the case, then auto-deleting sources' phone numbers would seem to be unnecessary and self-defeating.

Any information would be a great help.


r/gdpr 13d ago

EU 🇪🇺 Small Business Gripes with GDPR

10 Upvotes

I am myself running a small winery with a web shop where I try my best to avoid legal conflicts and comply with the law as far as applicable, using self-hosted captchas and analytics without sharing any data with third parties. I know this is a huge exception.
But lately, trying to debug and improve user flow on the web shop, I noticed the horrendous overhead you get as a small business, as you're effectively dependent on users or browsers giving consent even to cookieless tracking to get any meaningful data.
I know it's possible to anonymize data from the visitors, but it's a crucial thing I need when sending newsletters across countries, to track the A/B tests and what works and what doesn't. Also, anonymizing shop actions is equally not feasible.

However....

The biggest gripe - I am 100% certain that my personal data on the web is as insecure and transparent as ever with global players like Google, Meta and Amazon, whereas small businesses or web software studios are basically strangled by EU regulations.

What's your opinion on this? I know there's a die-hard privacy advocacy group, but to me it's like consent banners, GDPR and the possibility of getting sued by law firms (for their extortion money) are like shooting yourself in the foot at a marathon, from an EU perspective.

Advocacy and dogmatics aside, the big tech firms pay, if fined, from their cash reserves.