EU GDPR - Expert Advice Community

Data controller or data processor

Our company has signed an agreement with IT company for IT support services - to upgrade configuration of our internal ingformation management system and to provide IT support in the case of trouble. It is necessary for The IT company to get remote access to the system, including access to the personal data of employees. The IT company doesn't make any copies or any other actions with personal data. Is the IT company a data processor and do we have to sign an agreement between data controller and data processor according to the GDPR 28 article? Or, maybe it could be another kind of relationships concerning data protection between our company and IT company?

Retaining personal information

I was trying to find the key stakeholders under GDPR.
GDPR doesn't set a timeline on how long you must retain personal information of an employee, but what if we want to hold some of their information for auditing purposes, will this be allowed?

Privacy Policy for internal Employees and Privacy notice on Website

I am confused between the content of the Privacy Policy for internal Employees and The content of the Privacy notice on Website.

Consent of Conference/Online and In-Person Attendees/GDPR

I am working on some terms and conditions for attendance to our online education programs and also in person educational conferences. Some of our members/attendees are protected by GDPR as far as their data/live in the UK. We ask all attendees to accept the terms of registration for the conference to register and attend. If they don't accept - they can't register (it's a contract). As a part of the terms, we require that attendees consent to granting our organization a worldwide, unlimited, perpetual license to use photos/videos and comments from them with regard to the event they attend. We later use these materials in our marketing and education programs.

Does what we are asking conflict with GDPR protections? The reason I ask is because from what I am reading under GDPR, an agency cannot require this kind of consent from a data subject as a term of a contract that, if the data subject does not consent, it's to the subject's detriment.

In the case of my example, the conference attendees/data subjects must attend in order to gain the clinical certifications they are seeking.

Maybe GDPR doesn't govern this type of thing??? But I want to be extra careful and also - we don't want to violate anyone's rights.

Thank you so much!

Personal Data Protection Policy

Hello, I am looking for the Article in GDPR, where it is defined, that a documented Personal Data Protection Policy is mandatory to be compliant. Advisera is referring to Article 24. Isn't a documented DPIA sufficient?

Migrated mailbox and keeping the copy of the mailbox

I am writing to you regarding mailbox migration and keeping the copy for later.
Is it allowed by ISO and GDPR?

SAR REQUEST UNDER GDPR

Hi help me please,
Do you know who to contact to request for SAR under GDPR from Google UK?

DPIA for COVID-19 Remote Work Environment

We are existing customer with GDPR DPO Certification & GDPR/ISO 27000 Toolkit --> Question: Is there any documentation on how to perform DPIA for home workers during COVID-19 pandemic?

GDPR applicability in the UK

Does that mean since UK is no longer under EU, that means GDPR does not apply to them anymore?

Data protection and using WhatsApp

I work for a mental health charity. My staff are now working from home. Can you give me any guidance on what I should be advising? Also is it safe for staff to communicate with clients via WhatsApp?