EU GDPR - Expert Advice Community

Questions about sending resume, cover letter and contact info overseas.

I'm a *** citizen filling out an online employment application with an international company, for a position in the ***. Their website says “We are processing your personal data according to Art. 6 (1) (a) GDPR and Art. 88 GDPR.” It’s the first time I’ve heard about this…

The data in this case would be my resume and possibly a cover letter as well as personal contact information such as address, phone number and e-mail. I searched the company I intend applying to and found out that they have been bought by a multinational company.

I put Art. 6 (1) (a) GDPR and Art. 88 GDPR in my web browser’s search box and was directed to the Advisera website. I read Art. 6 (1) (a) GDPR from your website, which, as I understand it, says the information I supply will be used regarding an employment contract, which sounds reasonable to me.

I read Art. 88 GDPR from your website and I think item 2 says they can share the information I supply across their enterprise with dignity, and transparency. I presume this is on a need-to-know basis similar to how personnel records would be handled here in the United States, am I right?

To do with an application for employment, are there any other parts of the GDPR that I should read? Their website did say “We are processing your personal data according to Art. 6 (1) (a) GDPR and Art. 88 GDPR.” Are there other Articles of the GDPR that I will be bound by?

Art. 88 Item 3 gives the date 25 May 2018, so am I reading the most up to date version of GPR?

GDPR implementation

"A manpower company collects PII data and process visa through Gov. sites and bring the manpower to their company, now the supplier from *** is looking to have GDPR done, how to approach.

Privacy Notice Webinar - EU GDPR Premium Kit questions

1. Tudor Galos mentioned using a four column table in a privacy notice. I didn’t get the column details quickly enough. Were they “category of data subject”, “personal data to be processed”, “purpose”, “legal basis”?

 2. TG also referred to the kit containing granular privacy notice. Did he just mean that you provide different ones for e.g. employees, supplier employees, web users etc?

 3. Our privacy notice should give the supervisory authority a data subject can complain to. We are based in the UK so obviously we give the ICO for UK residents. We process the personal data of EU residents, mainly from Germany, France and Spain. We have appointed an EU Representative with an address in Germany as that is where the majority of the data subjects are. Which EU supervisory authority should be put in the privacy notice?

4. When dealing with a corporate client or supplier, we may well be given the personal data – usually contact details – of other staff members. How do deal with notifying them that we have their details. Commercially, it would be a bit odd if every time we emailed them direct. I could see us upsetting clients!"

Determining necessary security measures

1) From the role of DPO in a Spanish company (provider of Head Hunting and Personnel Search services) that has begun its adaptation to GDPR, how should the actions to be taken be planned in an orderly manner to determine the necessary security measures? , which guarantee the rights of users (candidates who apply for Internet searches and through forms/questionnaires to be completed on the institutional website of the Spanish company) and also the security of the information of their personal data (sensitive because they have health data)?

2) Would there be a document or article published on the Internet that has a mapping between what is required by GDPR and what is recommended by good practices: ISO 27001, ISO 27701, ISO 27002, ISO 27018?

GDPR applicability

Is GDPR applicable on companies that operates outside Europe for example KSA but the company might server European citizens resides there

Data Processing Questions

Firstly, do you offer a European Representative service? If yes, can you send me details of that please?

Secondly, I would like to clarify what is required on a Data Processor’s ‘Record of processing Activities’ form? I've been told by a few sources now that I have to include every client we provide processing services to, with Company Name, contact name, contact email and phone No… is this correct? We have thousands of customers!

If I must do that, then so be it, I will do it, I would just like to confidently confirm this is what I must do.

Email Marketing GDPR

I am looking for B2B partners and was wondering if it is permissible to email them.

GDPR Scope and applicability

We are a US based very small company (4-5 employees) and provide software for collecting data related to plant performance to plants based in US and EU both. 

Now the only personal data we have in our cloud (365 office and outlook) are email id's and names of the employees of EU based plant workers. In some cases we have access to their offical phone numbers. 

So yes we have what can categorize as personal data. But due to the limited customer information that we have would GDPR still apply to us ? and in this case would be act as a processor or controller of PI ? 

General privacy policy/notice vs. entity-specific policy/notice

For a company that has subsidiaries with different processing, is it ideal for them to have a general privacy policy or notice or entity-specific ones?

GDPR intermediary