Quick GDPR question

kbell · 19-04-2019 3:22pm #1

In my local gp’s waiting room, there’s an automated check in terminal, where you are prompted to select either,gp appointment or bloods appointments
You then enter your date of birth.
Your name, the gp’s name and appointment time now pops up on the screen.
This screen is fully visible by everyone in the waiting room who now knows your name,
Dob,and gp.
Is this practice breaching GDPR regulation by having this info on display ?

Allinall · 20-04-2019 11:01pm

kbell wrote: »

In my local gp’s waiting room, there’s an automated check in terminal, where you are prompted to select either,gp appointment or bloods appointments
You then enter your date of birth.
Your name, the gp’s name and appointment time now pops up on the screen.
This screen is fully visible by everyone in the waiting room who now knows your name,
Dob,and gp.
Is this practice breaching GDPR regulation by having this info on display ?

If you know the information is publicly visible, how could there be a breach?

You willingly put the information on display.

Credit Checker Moose · 20-04-2019 11:10pm

Is there an option to check in manually via a manned desk?

Mrs OBumble · 21-04-2019 12:48am

Credit Checker Moose wrote: »

Is there an option to check in manually via a manned desk?

Or an option to go to a different practice.

kbell · 21-04-2019 11:29am

Lads, a simple yes or no would suffice, I’m well aware of the options available, this is just a general observational question.

the_pen_turner · 21-04-2019 12:02pm

I would say no.
They are using your data that you intentionally handed over for its intended purposes of identifying you on the waiting list.

peannoir · 25-08-2019 12:10am

Hi all,

I cannot seem to be able to start a new thread so going with my query in this one. Hoping someone can give me a little advice. I'm a bit worried I might have made a major blooper. Long story short. I recently started doing some photography, specifically sports photography, strictly as a hobby. All going grand until the last day. I had a private message from a sports club about sending on pictures. I was rushing and sent them a link to the drop box account that I had their pictures in. Unfortunately I attached the wrong link and sent them pictures from another club. Most worringly, it was a kids event. They alerted me to the error and I am pretty sure they will not make any issue about it but I am wondering if anyone could advise me on what I should do. The added issue is that it is a GAA event and they have their own rules. I dont want to involve the club that has so kindly allowed me to go to their grounds and photograph, as this error was totally on me but I will probably have to let them know anyway as one set of kids was from there. I'm thinking I should also contact the other club as well. Am I making too big of a deal of it? Should I just let it go or should I get my version in first? The club I sent the pics in error to are from the same county and the clubs would be familiar with each other. As I am trying to get my feet in the door so to speak, I am really annoyed at myself for making such a stupid mistake. Any advice would be much appreciated. TU

randomchild · 27-08-2019 2:54pm

TU - A caveat to GDPR is that it does not apply to people processing personal data in the course of exclusively personal or household activity. Given this you have you not breached it given that your photography is a hobby and you dont charge for the service.

Given the tight connection and the fact that these are children I would suggest you contact the club however, try and get confirmation from the other club that no images were downloaded and the link to the dropbox has since been deleted before you do.

Irishphotodesk · 27-08-2019 6:52pm

peannoir wrote: »

Hi all,

I cannot seem to be able to start a new thread so going with my query in this one. Hoping someone can give me a little advice. I'm a bit worried I might have made a major blooper. Long story short. I recently started doing some photography, specifically sports photography, strictly as a hobby. All going grand until the last day. I had a private message from a sports club about sending on pictures. I was rushing and sent them a link to the drop box account that I had their pictures in. Unfortunately I attached the wrong link and sent them pictures from another club. Most worringly, it was a kids event. They alerted me to the error and I am pretty sure they will not make any issue about it but I am wondering if anyone could advise me on what I should do. The added issue is that it is a GAA event and they have their own rules. I dont want to involve the club that has so kindly allowed me to go to their grounds and photograph, as this error was totally on me but I will probably have to let them know anyway as one set of kids was from there. I'm thinking I should also contact the other club as well. Am I making too big of a deal of it? Should I just let it go or should I get my version in first? The club I sent the pics in error to are from the same county and the clubs would be familiar with each other. As I am trying to get my feet in the door so to speak, I am really annoyed at myself for making such a stupid mistake. Any advice would be much appreciated. TU

Official response would be to inform the office of data protection of the possible data breach, outline the issue and let it with them , it's highly unlikely anything will come of it.

Unofficial response ... Why make a mountain out of a molehill? It's unlikely that your images have been seen by too many people, if someone wants to make an issue out of it, they will, learn from the experience and create password protected folders or send images via WeTransfer.

To be honest, I think you have nothing to worry about ... Get on with life...feel free to post in the photography section of boards to get advice on shooting and the legal aspects of photography, happy shooting

Robbo · 28-08-2019 9:20am

randomchild wrote: »

TU - A caveat to GDPR is that it does not apply to people processing personal data in the course of exclusively personal or household activity. Given this you have you not breached it given that your photography is a hobby and you dont charge for the service.

Given the tight connection and the fact that these are children I would suggest you contact the club however, try and get confirmation from the other club that no images were downloaded and the link to the dropbox has since been deleted before you do.

The jurisprudence of the CJEU is quite firm that the "household exemption" is narrow. It is highly unlikely that the OPs activities would fall under this exemption. Money doesn't enter into it, the fact is the OP is showing up at regular times, taking photos and then distributing them, which would make it data processing that is outside the "household exemption".

OP, if the GDPR is of concern, you need to give consideration to your choice of cloud provider. Most free offerings wouldn't offer you the guarantees needed that the data would stay within the EU. Paid offerings often sell this as a feature or option.

randomchild · 28-08-2019 3:33pm

Robbo wrote: »

The jurisprudence of the CJEU is quite firm that the "household exemption" is narrow. It is highly unlikely that the OPs activities would fall under this exemption. Money doesn't enter into it, the fact is the OP is showing up at regular times, taking photos and then distributing them, which would make it data processing that is outside the "household exemption".

I would disagree with your assessment, even if as you note the exemption is narrow under Rynes.

"This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity."

It seems clear to me that that money very much enters into it as that is what would make the activity a commercial activity and the poster clearly stated this is not a professional endeavor. They are distributing the photos not for profit, or as a service to other outside the organisation. OP never mentioned showing up at regular times, I took it that they were doing this on an ad hoc basis, not turning up at regular intervals, which would square the facts of the matter more with Rynes.

tawfeeredux · 29-08-2019 12:43pm

Rather than start a new thread, I hope the OP doesn't mind me piggy-backing with another quick GDPR question.

I work for an Irish company that processes data on behalf of a number of Irish organisations. One of those organisations has sent us the Standard Contractual Clauses in addition to a Data Processing Agreement. My understanding is that the Standard Contractual Clauses apply when data is being transferred outside of EU and the destination country is not on the EU's approved list of countries with adequate levels of data protection. We are an EU-based company and we do not send the data outside the EU for sub-processing. So do we need to sign the Standard Contractual Clauses in this scenario?

Riskymove · 29-08-2019 1:29pm

tawfeeredux wrote: »

. So do we need to sign the [/SIZE]Standard Contractual Clauses in this scenario?

are you in the UK?

Many orgs are preparing for a possible no deal Brexit

you are correct that SCCs are used to enable the transfer of personal info to a third country

https://www.dataprotection.ie/en/organisations/international-transfers

tawfeeredux · 29-08-2019 1:41pm

No, we're Irish based, as are all the organisations that use us as data processors. There's no UK-based involvement at all or any other non-EU involvement. To my understanding, there's no need for the SCCs.

Riskymove · 29-08-2019 1:52pm

tawfeeredux wrote: »

To my understanding, there's no need for the SCCs.

agreed

Quick GDPR question

Comments