Article 6 GDPR: the 6 legal bases & 9 top tips 

Thanks so much for your comment!

Many thanks! Keep the feedback and suggestions coming!

Many thanks! You could say it's 2. We say 3 as Art 10 separates out keeping a comprehensive register into its second sentence, so we follow that lead and the first 2 are in the first sentence of Art 10: any processing relating to criminal convictions and offences or related security measures is either under official authority (1) or as set out in law (2). And the third is the second sentence of Art 10: Any comprehensive register of criminal convictions shall be kept only under the control of official authority. As above, you can say 2 legal bases but we think it reflects the separating out of the comprehensive register part to say 3.

@@PrivacyKitchen Thanks! Definitely agree. I would say it's important not to forget to then go on and identify the appropriate DPA 2018 Schedule 1 condition (in the UK at least!)

@@KirkpatrickSounds For sure for those for whom the UK DPA applies - and others should definitely check their national laws too.

Hi there. We do provide a full range of services (our Keepabl SaaS platform, Privacy Policy Pack and Privacy Kitchen training), however we don't provide advisory services. We'd be delighted to recommend consultants and lawyers to you that we work with if you'd like to email us at hello@keepabl.com? In terms of your comment, what we can say as a general comment not specific to your situation (and this obviously isn't legal advice) is that a processor losing personal data of a controller may be an availability breach if no other copy is available when needed and, if you decide that, you'd move on to look at risk to the data subjects and then whether you need to notify regulators and individuals or not - and not just because of GDPR, it may just be the right thing to do, or it may not be necessary. Controllers can't abdicate responsibility to processors so it's on the controller to ensure backups etc are in place.