Many thanks! Keep the feedback and suggestions coming!

Thanks so much for your comment!

Gaymen

​@PrivacyKitchen you Gaymen 0:10

KeithJpoones-q7r

Hi, many thanks for your great comment! On consent being tactical not strategic - we mean that it can be withdrawn at any time by the individual and no longer relied on from that point forwards, so if you're eg looking for a legal basis for delivering a product someone has bought, you'd best use necessary for contract. When identifying an appropriate legal basis, there may be more than one available but you'll tend to find one stands out as most appropriate. Don't just go for consent without looking at the other equally valid - and potentially much more appropriate as per our example above - legal bases available. Hope that clarifies it.

@@robertbaugh1103 Ah yes, thank you, that's clear now. Anyone can withdraw consent anytime but all the processing before their withdrawal date remains lawful - got it. Thank you so much again, your videos are a lifesaver for solopreneurs like myself ! I hope you are well and wishing you all the best going forwrads too :)

​ KeithJpoones-q7r 0:10

Many thanks! You could say it's 2. We say 3 as Art 10 separates out keeping a comprehensive register into its second sentence, so we follow that lead and the first 2 are in the first sentence of Art 10: any processing relating to criminal convictions and offences or related security measures is either under official authority (1) or as set out in law (2). And the third is the second sentence of Art 10: Any comprehensive register of criminal convictions shall be kept only under the control of official authority. As above, you can say 2 legal bases but we think it reflects the separating out of the comprehensive register part to say 3.

@@PrivacyKitchen Thanks! Definitely agree. I would say it's important not to forget to then go on and identify the appropriate DPA 2018 Schedule 1 condition (in the UK at least!)

@@KirkpatrickSounds For sure for those for whom the UK DPA applies - and others should definitely check their national laws too.

Hi there. We do provide a full range of services (our Keepabl SaaS platform, Privacy Policy Pack and Privacy Kitchen training), however we don't provide advisory services. We'd be delighted to recommend consultants and lawyers to you that we work with if you'd like to email us at hello@keepabl.com? In terms of your comment, what we can say as a general comment not specific to your situation (and this obviously isn't legal advice) is that a processor losing personal data of a controller may be an availability breach if no other copy is available when needed and, if you decide that, you'd move on to look at risk to the data subjects and then whether you need to notify regulators and individuals or not - and not just because of GDPR, it may just be the right thing to do, or it may not be necessary. Controllers can't abdicate responsibility to processors so it's on the controller to ensure backups etc are in place.