
EU GDPR - Expert Advice Community




  • Data protection: IT service provider

    I am currently doing my own business as a sole proprietorship with IT services. It is interesting for me to know when I need a declaration of consent / AV contract and what exactly has to be in it.
    Specifically, it is about issuing invoices, but also storing customer data in an administrative interface, i.e. personal data, and I think that consent is required, necessary passwords for the customer (WiFi, user accounts) as well as license keys and device specifications.

  • Has my employer and union broken GDPR?

    I am in an ongoing complaint procedure with my employer which is not based on this point but it has been discussed.
    I sent a lengthy email to my Union requesting legal aid because my employer was protracting my return to work process following a long period of sick leave. When chasing up the Union I was informed by a rep not dealing with the case directly that another Union rep was speaking to HR about my return to work.
    My reaction was confused as I had not asked for this. I wished to be consulted about legal recourse as per my email to them. I reluctantly replied by text "Ok that's good", as to acknowledge at least they were doing something. But my genuine feeling was annoyance as they had acted outside of their remit. I had not expressly asked them to speak to my employer.
    I queried the HR manager as to whether he and the Union had discussed my situation in accordance with GDPR. When pressed he stated yes. My main complaint with my employer is not weighted on this point but I am annoyed that matters were discussed that have had influence on proceedings without me present and no documentation to prove/disprove what was said.
    Just to reiterate I made no explicit request for the Union to speak to HR and the notification of it happening was made by text on the notion that it was in motion or happening soon. I felt hijacked.
    I hope this isn't too long-winded or vague. I just want a rough idea of whether or not this is worth getting professional clarification and pursuing.

  • Appointing LSA

    In terms of appointing an LSA - what if the company (UK based) primarily delivered digital services online and didn't deal with any specific EU country; would it be acceptable to appoint an LSA of any EU country (as there is no physical base outside the UK)?

  • EU GDPR interpretation and transferring data

    1. Binding Corporate Rules - are these the only way to transfer data from inside the EU to outside the EU (to UK and EU)?

    2. Which EU region has the toughest interpretation of GDPR?

  • Implementing GDPR rules in company without DPO

    For a small company which cannot afford a DPO, how would you advise to implement all the GDPR rules?

  • Violation of personal data

    On 24/7/2018 the income tax department of *** entered my company's bank account without any prior notice or our consent and withheld a specific amount of money for taxes owed for almost 3 years. On 4/9/2020 this amount was taken again out of my company's account without any consent or prior notice. To date we do not know, despite our queries in all tax offices, where this amount went! Please note this case was never tried and there is no court order either.
    Can you please advise if what the tax department has done is illegal pertaining to the GDPR directive issued 2018.

  • EU GDPR questions

    1. A software development company has developed a software solution where personal data is collected and processed in the cloud - during a pilot period a telecom company is offering this solution to their end clients, however the Terms & Conditions of the software development company are displayed in the application. The question is - what are the telecom company and software development company - controllers, joint-controllers, or something else?

    2. Same relationship between software development company and a telecom company like in the first question, only this is not a pilot period any more, and Terms & Conditions are displayed from the telecom company (i.e. the software development company is not visible any more to the end clients) - again the same question - who has which role?
    3. If a software solution includes monitoring of movement of elderly persons in their homes for the purpose of medical care, would this require consent from the monitored (elderly) persons since they would not operate the software? The software would be operated by medical professionals. What would be the most practical solution for the consent in this situation?

  • Is Privacy Shield deemed illegal by European Court of Justice?

    I thought Privacy Shield was deemed illegal by the European Court of Justice? 


  • Data Protection for clients

    We're a small company that wants to ensure we are GDPR compliant. Are we required to have a data protection policy within our contracts, or is a privacy policy on our website enough?

  • Mobile app GDPR compliance

    Firstly, I want to thank you so much for providing such help. It is really valuable.

    I would like to ask you about the following.

    Current situation:

    I have a mobile application (Notes & todo lists) running on Android that stores & processes data.
    - This data could be personal or personally identifiable.
    - The app stores the data on the user's device in the app folder that is accessible by the user only.
    - We do not collect or store any data in the cloud.
    - The app also has Google ads. Users are informed and have to give consent before using the app.
    - There is no requirement for sign up or requests for email, name, passwords, financial information etc.
    - Data stored (because it is a notes app) can be personal interests, schedules, names, numbers etc.

    What I would like to know:

    Considering the app above:
    1. If I do not encrypt the data stored in the device, am I in breach of GDPR?
    2. Do I need to appoint an EU Data Protection representative?
    3. Does the GDPR really apply to this application since there is no collection of data and only the user has access to it?

    Thank you so much for your help.
