FAQs

Yes, you can. The GDPR is explicit on this point. In many ways, it is the best solution because it guarantees independence, you can rely on subject matter knowledge being the best, and it is very cost-effective.

Yes, you can. However, you must be careful that there are no conflicts of interest. For example, the IT Director would not be the best person to take an objective view of system security, and the Marketing Director will be under pressure to create new methods of communication. Also, it is Murphy's law that if the Marketing Director is the DPO, then the data breach will be six weeks before Christmas when his focus is on maximising sales over this period, or if it's the Finance Director the problem will happen just as the financial auditors walk through the door.

No. It is all about the amount of data you process, the type of data you process, or how often you process personal data.

Every organisation, including sole proprietorships, is required to hire at least one person, as a Data Protection Officer, who is responsible for making sure that the organisation complies with the Data Protection Act. 

Organisations must ensure that the business contact information of at least one DPO is available to the public. It can be a general telephone number or email address of the organisation.

The DPO can be someone whose work scope entirely relates to data protection. It can also be a person in the organisation who can take multiple responsibilities and fulfil them wisely. Compliance with the DPA remains the responsibility of the organisation notwithstanding the appointment of the data protection officer.

 

An organisation stands liable for even a single piece of personal data in its possession. This covers not only employees' data but also the personal data of other people such as clients or shareholders. The DPA requires an organisation to hire an individual to be responsible for ensuring compliance with the DPA.

Your Company will be responsible for assuring compliance with the DPA for as long as it keeps collecting, using and disclosing personal data, or has personal data in its possession or control.

When the online submission is successful, they will send an acknowledgement email to the email address provided. If you don't receive the acknowledgement email, do check your spam folder.

The does not make it obligatory to inform the ICO of your DPO's details. This will assist DPOs to keep abreast of relevant personal data protection developments.

No, it does not include any fee to register a DPO.

No, there is no need for a company undergoing liquidation to register a DPO.

A dormant company with no business operations need not register its DPO.

The provisions of the DPA came into force on 2 July 2014 and required organisations to designate at least one individual to be accountable for ensuring compliance with the DPA. If your Company is handling personal data, you should appoint at least one individual as the DPO.

GDPR says you have to appoint a DPO if:

  • You are a public authority or body (excluding court personnel).
  • Your main activities require large scale, regular and systematic monitoring of individuals.
  • Your activities depend on large scale processing of special categories of data or data relating to criminal convictions and offences.

This applies to both controllers and processors. You can appoint a DPO if you wish, even if you are not required to. If you decide to appoint a DPO voluntarily, you must know that the same requirements of the position and tasks apply as if the appointment were compulsory.

Regardless of whether GDPR makes it essential for you to appoint a DPO, you have to ensure that your Company possesses sufficient staff and resources to discharge your GDPR obligations. Further, a DPO helps organisations to operate within the law. He advises companies and helps them to monitor their compliance level. In this way, a DPO plays a crucial role in your organisation's data protection governance structure by supporting accountability.

If you are not planning to hire a DPO, either voluntarily or because you don't meet the criteria, it would be a good idea to record this decision to help demonstrate compliance with the accountability principle.

  • The GDPR says that a DPO must have experience and expert knowledge of data protection law.
  • It doesn't specify the exact credentials they should have; these depend on the type of processing an organisation carries out.
  • So, where the processing of personal data is particularly complex or risky, the knowledge and abilities of the DPO should be correspondingly advanced enough to provide adequate oversight.
  • It would be an advantage for your DPO to also have a good knowledge of your industry or sector, as well as your data protection needs and processing activities.

The GDPR says yes, but any further tasks and duties must not result in a conflict of interests with the DPO's core responsibilities.

You can externally contract out the role of DPO. It must be based on a service contract with an organisation or an individual. It's essential to be aware that an externally-appointed DPO should have the same position, tasks and duties as an internally-appointed one.

  • You may appoint a single DPO to act for a group of companies or public authorities.
  • If your DPO covers several organisations, they must still be able to perform their tasks effectively, taking into account the structure and size of those organisations. This means you should consider if one DPO can realistically cover a large or complex collection of organisations. You need to ensure they have the necessary resources to carry out their role and be supported by a team if this is appropriate.
  • Your DPO must be easily accessible, so their contact details should be readily available to your employees, to the ICO, and people whose personal data you process.
  • The GDPR provides that an organisation must appoint a single DPO to carry out the tasks required in Article 39, but this doesn't prevent it selecting other data protection specialists as part of a team to help support the DPO.
  • You need to determine the best way to set up your organisation's DPO function and whether this necessitates a data protection team. However, there must be an individual designated as the DPO for the GDPR who meets the requirements set out in Articles 37-39.
  • If you have a team, you should set out the roles and responsibilities of its members and how it relates to the DPO.
  • If you hire data protection specialists other than a DPO, they mustn't be referred to as your DPO, which is a specific role with particular requirements under the GDPR.

You must ensure that:

  • the DPO is firmly involved in every single data protection matter;
  • the DPO reports to the highest management level of your organisation, i.e. board level;
  • the DPO operates independently and is not dismissed or penalised for performing their tasks;
  • you provide adequate resources (sufficient time, financial, infrastructure, and, where appropriate, staff) to enable the DPO to meet their GDPR obligations, and to maintain their expert level of knowledge;
  • you give the DPO proper access to personal data and processing activities;
  • you give the DPO appropriate access to other services within your organisation so that they can receive essential support, input or information;
  • you seek the advice of your DPO when carrying out a DPIA; and
  • you record the details of your DPO as part of your records of processing activities.

This shows the importance of the DPO to your organisation and that you must provide sufficient support so they can carry out their role independently. Part of this is the requirement for your DPO to report to the highest level of management. This doesn't mean the DPO has to be line managed at this level, but they must have direct access to advise senior managers who are making decisions about personal data processing.

The GDPR requires you to:

  • Publish the contact details of your DPO; and
  • Provide them to the ICO.

There is no need to include the DPO's name when publishing his contact details. However, you can choose to provide this if it's necessary or helpful for you.

You ought to provide your DPO's contact details in the following circumstances:

  • When consulting the ICO under Article 36 about a DPIA; and
  • When giving privacy information to individuals under Articles 13 and 14.

Many organisations see outsourcing as more cost-effective than hiring an in-house or full-time DPO. Many organisations do not have anyone with the required expert knowledge of UK and EU data protection law and practices who is sufficiently independent of decision making within the organisation. Avoiding such internal conflicts of interest is an essential requirement of GDPR.

Article 39 of GDPR contains an inventory of the minimum tasks that must be fulfilled by the Data Protection Officer. The primary task is to monitor the level of compliance of an organisation in accordance with the law and regulatory requirements. Fundamentally, the DPO informs and advises the Data Controller, Processor and Board on data protection issues, which include the protection of personal data, assignment of responsibilities, awareness-raising and training of staff.

Not personally, but the DPO is responsible for advising the data controller and processor on how to ensure that their organisations achieve compliance.

GDPR states that the following requires a DPO: 

  1. Public authorities or bodies. This incorporates organisations which are subject to the Freedom of Information Act in England and Wales and the Freedom of Information (Scotland) Act in Scotland.
  2. Organisations whose core activities consist of processing special categories of data, such as personal data showing race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation and, lastly, data which relates to large scale criminal convictions or violations.
  3. If an organisation's core activities need regular and systematic monitoring of data subjects on a large scale.

The DPO must report to the higher management and have access to the Board to make recommendations.

Yes, as long as it is processing personal data of EU citizens and the Company requires a DPO in accordance with GDPR (Article 37).

Yes, if your data subjects belong to the EU and as directed in GDPR (Article 3). 

The DPO can be an existing employee; the role can also be shared jointly among organisations. However, the DPO has to be independent. To avoid conflicts of interest, or where a full-time DPO is not required, outsourcing the DPO function is a cost-effective option.

An EU Representative for data protection is a person or organisation appointed to act on behalf of an organisation. It is a role defined under the General Data Protection Regulation (GDPR), Article 27, which sets out that they serve as the first point of contact for EU Data Subjects and Regulators.

Under the most basic arrangements, they will liaise with the organisation that has appointed them, forwarding any complaints and responses between the parties. The appointment of a representative will also enable an organisation to comply with the requirements for international transfers, mainly establishing means that enable Data Subjects to enforce their rights.

Under the current guidance from the European Data Protection Board (EDPB), it is not deemed to be compatible with the role. Under GDPR, Data Protection Officers are required to be given autonomy within an organisation, which conflicts with the role of the EU Representative, who is required to act in accordance with the mandate outlining their appointment.

You will need to appoint an EU Representative if you are an organisation outside of the European Economic Area (EEA) and are processing the data of European Data subjects outside of the EU. This might either be through the course of your own business activities or when processing the data on behalf of another party and thus is part of your obligations to provide data subjects with the ability to enforce their rights.

Under GDPR Art. 27, however, exceptions can be made if the organisation falls under one of two categories. If it is not regularly processing EEA Citizen data on a large scale, or if it is a public authority or organisation, then it will not be under any obligation to appoint a representative.

If you are a company based in a country which the EU has deemed adequate in terms of its data protection safeguards, such as Argentina, Canada, Israel, Andorra, Faeroe Islands, Guernsey, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay, then the transfer of data is permitted without the requirement for extra safeguards, such as binding corporate rules or contracts that establish protections for Data Subjects. But this does not remove the need for a representative: if the company lacks a presence in the EU or EEA, it will be required to have a representative in accordance with Art 27.

Art. 27, which establishes the legal foundation for this role, also outlines how a representative is to be appointed. They are to be appointed in writing, which will also set out the scope of their mandate. This will at minimum enable them to be the first point of contact for any European complaints. The appointment of a representative will not absolve the organisation of any liability in relation to its own obligations.

Art. 27 states that representatives need to be based in the member states where the organisation is offering goods and services that require the processing of personal data. However, the guidance from the EDPB states that if goods and services are being offered in multiple EEA Countries, the organisation will only need to appoint one representative, so long as it is in one of the Countries in which it is offering goods and services.

The California Consumer Privacy Act (CCPA) has created a data protection and privacy framework for companies to adhere to when conducting business in California. The main focus of the Act is to protect the data of consumers in California, rather than protecting overall privacy across the US.

The CCPA sets out various rights and obligations with regard to the collection and use of data. Some of those are similar to those of the General Data Protection Regulation; however, in some areas, it takes a much lighter touch. This might be subject to change depending on the Attorney General’s recommendations and regulations that add to the rules on using such data. It is still advisable, however, to update privacy policies in the US in order to ensure compliance, and to put in place the procedures and mechanisms to respond to any requests.

Under the CCPA, there is no obligation to appoint someone to advise and assist with the compliance process. However, this doesn’t mean that such an appointment should be ignored: it is useful to have someone who is in charge of ensuring that the laws are complied with and that the business is aware of its obligations under the law, and someone to handle and manage the processes for responding to requests from data subjects.

Under the CCPA, there are three key rights that are established for consumers. The first is the right to be informed, which covers being told what data is being collected on them, the purposes that it is being used for, along with informing them of their other rights.

They will also have the right to request that the business disclose what information they hold and the purposes they are using it for and whether they are selling it to third parties.

Consumers also have the right to opt out, at any time, of the sale of their personal information to third parties, which requires the organisation to provide them with a mechanism to exercise this right; this is elaborated in the questions below.

Under the CCPA, there are provisions that set out a right to opt out for consumers. Section 1798.120 of the CCPA sets out that consumers have the right to opt out of the sale of their personal data.

There is also an additional duty covered later in the CCPA, which relates to the data of consumers who are under age, who need to be given the option to opt in. This raises a level of complexity when this is being done online, and there are not necessarily accurate ways of verifying a user's age, so it is arguably best to provide the opt-out/opt-in form at the earliest possible opportunity.

Section 1798.135 states that, for compliance with the earlier section, businesses need to provide a clear link on their website titled “Do not sell my personal information”, which takes consumers to a page that enables them to opt out.

However, the issues outlined regarding ensuring compliance with the various requirements, such as having those under a certain age opt in, make having the option behind a link that isn’t immediately available less compliant. The best practice for these purposes would be to make that opt-out available at first instance, in a similar way to how consent is collected for the use of Cookies in Europe.

Yes, the concept of the sale of data under the CCPA is defined fairly broadly. It covers the disclosure, transfer, and communication of personal information to a third party for monetary or other valuable consideration. To simplify this language and make the situation clearer, if the data is transferred in return for services.

In terms of communication, this can be done electronically, by the provision of physical copies or by oral disclosure. Thus, if there are cookies that are collecting personal information and sending it to third parties, it could be considered to fall under the sale of data. Marketing, analytics and social media cookies all provide integration with third-party services that will be making use of the data drawn down for a variety of purposes, so it is reasonable to conclude that S1798.120 of the CCPA does cover third party cookies.

For failing to comply with the CCPA, there are penalties set out under Section 1798.150, in regard to the damages that would be paid out. The amount can vary between $100 and $750, per customer and per incident. This enables the penalty to stack, based on the severity of any breach. Therefore, ensuring that the basics are in place, such as policies and an understanding of the obligations, is crucial to avoid this.

Once a representative has been appointed, there are several things that need to be done. The first thing is to list the representative and their contact details under the privacy policy on their website, in order to enable them to be contacted. 

The scope of the appointment, which will outline the representative’s duties and obligations, will also require some coordination on other matters. This will require some initial coordination to set up lines of communication and policies for the verification of and Data Subject Requests, and how regulators should be communicated to, along with the requirements to disclose any confidential information that has been requested. By having these arrangements set out at the start, it will enable swift responses to Data Subjects and regulators.

Yes; however, this is also dependent on whether or not you maintain a presence within the EU. If you are just providing goods or services that require the processing of EU Citizens’ personal data without having an EU presence, then you will be subject to the obligations under Article 27. However, these obligations will not be immediately imposed on the exit date of the 31st of January.

After the end of the transition period, EU Representatives based in the UK will no longer be able to provide their services for Europe as a whole. As the UK will no longer be part of the EU, this will even be the case if the UK leaves with an agreed deal shaping the future relationship with the EU.

The current approach in the UK, from both the government and ICO, indicates retention of many of the data protection principles in the pursuit of an adequacy decision at the end of the transition process. In light of this approach, the ICO states in its guidance that organisations outside of the UK without a presence will require a Data Protection Representative for the UK and a separate one for the EU.

Congratulations! You are one step closer to cookie compliance. You will receive the following notifications via email:
• Purchase invoice
• Link to your Seers account with login credentials
• Welcome email

The Free edition of Seers Cookie Consent includes a basic level of consent with 100 subpages.
• Cookie Banner
• Short scan report
• One time domain scan
The Free Edition does not include the following features available in our other plans:
• Advanced Banner & Customisation settings
• GDPR & CCPA Templates
• Customizable Scan Scheduling
• Consent Log
• Geolocation Rules
• Auto multilingual detection
• Multilingual Banner and Policy
• Consent Log Report
• Customised Logo
• 25 Banner Design presets
• Cookie Policy
Once you’re ready to upgrade your Free Edition subscription, log in to your Seers account or check out directly on the Pricing Page, and your account will be updated within seconds.

Most users easily implement the solution on their websites within minutes.
If you run into any questions or need help, you can always contact us at support@seersco.com.
We also offer paid Quick Start programs that provide one-on-one support with a Seers Expert to guide you through setup and implementation.

We are one of the only solutions that allow you to scan unlimited pages in all paid plans.

We accept all major credit cards and also allow you to pay via Bank Transfer. If you’re interested in paying via Bank Transfer, please submit a request via the email support@seersco.com.

You can upgrade your subscriptions at any time.

Yes, you can delete your account according to the terms and conditions of the plan you have chosen.

We offer different plans according to your needs. Also, if you pay annually, you can get the same plan at a discounted amount.

We accept Credit/Debit cards.

We provide a 14-day free trial. If you cancel within this time, you will not be charged.

Except where it is mentioned, taxes (VAT, sales taxes and others) are not included.

Your payment will be listed on your bill as Seersco followed by the amount quoted on our site. If necessary, your card issuing bank will convert this amount into your local currency at the current exchange rate.

You can also pay by PayPal.

Yes, you can upgrade from your user account, or contact us at Support@seersco.com.

Our products are priced to be affordable. We are already providing products at competitive prices.

You can choose according to the needs of your business.

Yes, you can reach us at support@seersco.com.

We take credit and debit cards as a preferred mode of payment. However, you can pay via Bank transfer and PayPal by contacting us at <https://seersco.com/contact>.

Contact us at <https://seersco.com/contact>, and we will quote you a package according to your requirements.

 We don’t have any hidden charges. See our cancellation terms and conditions <Terms of us>. 

If your website changes cookies more often, we would suggest you go with our ‘best value’ PRO plan, which has a monthly domain scan ratio.

No. If you wish to add subdomains, you have to upgrade to the standard plan for five subdomains, or to the best-value PRO package, which allows 25 subdomains.

Yes, if you choose one of the standard, pro or premium packages, one of our support staff will assist you in implementing the solution.

If you choose the free plan, you will not get customer support, a customisable banner, geolocation, a cookie policy or a consent log, and you are allowed a maximum of one domain.

The solution is free with limited features. You don't need to provide any credit card or payment information in order to access the free version.

Yes, you only have to pay once for any number of staff you want to train.

Yes, the staff will get a certificate after successful completion of the assessment questions.

Our GDPR Staff eTraining will cover:

  • How to identify data
  • Handling Personal Data
  • How to appropriately handle personal data
  • Assess that the learning objectives of the training have been achieved.

Yes, if you choose one of the Silver, Gold or Platinum packages, one of our customer support staff will assist you in implementing the solution.

If you choose the free plan, you will only get the GDPR audit. You will need to upgrade to get Cyber Secure, Policies Pack, Templates Pack and PECR Audit.

Yes, if you choose any of the packages, one of our support staff will assist you in implementing the solution.

If you choose the free plan, you will only get single-user access to the DPIA dashboard, with a limited number of assessments and templates.

With our best value Enterprise package, you can manage 250 requests per month, 50 requests in the medium package and only 20 requests in the free package.

If you choose the free plan, you will only get single-user access to the Subject Request Management dashboard and can only manage 20 requests.
