EU GDPR - Expert Advice Community




  • Transfer of personal data under GDPR

    Hello, our company processes customers' personal data for the Client. We are providing consulting services for the customers, including consulting on air transportation issues. If a particular customer asks to transfer his/her personal data to a third party service provider which deals with these issues to assess the possibility of entering into a contract with such customer, this third party service provider would be a controller under GDPR before it enters into a contract with a customer? Or he would be in some different role? Thanks.
  • GDPR Checkpoints in ISO 27001 Audit Checklist

    I purchased the ISO 27001 Audit Checklist and want to know which points / clauses in it are applicable as checkpoints for GDPR.
  • Is consent obligatory for our products?

    1. Do we have to use consent for our product, or can we use legitimate interest as the basis for our processing? 2. If we use consent, are we allowed to deny the user the use of our service if they do not consent? For some background, our product is an IoT device which communicates with our web servers hosted on GCP, to store user emails and device sensor data in order to send out email alerts and provide sensor data visualizations. It also allows user control over the unit.
  • Transfer mechanisms

    When speaking about international organizations: if transferring personal data to the US, what transfer mechanisms should be in place? Can you give an example?
  • Potential Customers list (Names and Mail addresses etc.)

    Good morning, I'm working in a small office (3 persons) and I'd like to ask you whether it is ok if I do a list of potential customers (B2B) with names of CEO, Head of department and mail addresses and so on? Thank you very much in advance.
  • Recruitment

    I ask you to answer the following questions: 1. Do applicants have to submit a declaration of consent so that recruiters can process their data for the application process? This is a recruiter who does not hire applicants himself, but rather places what is known as direct placement with an employer. 2. Can the recruiter request a driver card and a copy of the driver's license from the applicant if he wants to refer him to a haulage company? The recruiter wants to check the validity of the documents. The recruiting process takes place exclusively online. The recruiter is the person responsible within the meaning of the GDPR. In the first step, he searches for applicants in his own name. This is a job for a professional driver and a direct placement. The applicant will be hired by the shipping company. How do you behave correctly as a recruiter in this case? 3. Recruiting takes place online only. The applicant would have to send the documents such as ADR license, driver card and driver's license by email. Is the following clause sufficient to process this applicant's data: "With this declaration I consent to the collection, storage and processing of personal data about me as part of my application process and being transmitted to potential employers?" Submit customers? Does this declaration of consent have to explicitly mention that the driver's license will be processed? It is a job advertisement for a professional driver. 4. Can the recruiter request a copy of the applicant's identity card? The recruiter needs the ID number and series in order to conclude an employment contract with the candidate. How should the recruiter behave GDPR-correctly in this case? The intermediary has no personal contact with the applicant. The applicant would have to send the data by email. 5. How should the recruiter behave if the applicant sends him an unsolicited copy of his ID or a copy of his driver's license by email? 6. Can the recruiter ask for the same candidate data as the employer? The recruiter does not hire the candidates himself. 7. The recruiter is looking for suitable candidates for more than 6 months. The application process takes longer than 6 months. When do the applicant data have to be deleted in this case? The job advertisement is e.g. online for 8 months. When does the 6 month deletion period for applicant data start counting? 8. How long do you have to keep the recruitment contract between the customer (the potential employer) according to the GDPR? 9. How long should I keep the employment contract between the candidate and the recruiter? This is not an employment contract. The placement is free of charge for the applicant. The recruiter receives the commission from the agent. 10. I observe with various recruiters that you immediately note in the job advertisement that the applicant should send his résumé including a copy of his driver's license and a copy of his driver's card. Is this allowed? The recruiter is not an employer in this case. 11. Can I ask for a photo of the applicant?
  • GDPR Compliance questions

    I got some questions about GDPR compliance. I would like to know how we can make our company compliant on the technical and organizational side. We use Microsoft Office and a Software as a Service (SaaS) ERP named Odoo. How can we use these tools in a way to be GDPR compliant? On the technical side I suppose we can't do much. However on the organizational side I think we are supposed to make the difference. I was thinking about restrictions to some shares, create leaving and arriving procedures for colleagues. What I am worrying about is how to manage client data. Would it be enough to leave them on our professional laptop or do they need to be on the share with limited access? If you need more information in order to understand my questions I will be happy to provide them.
  • What is considered personal data for survey company

    We are a company that performs in-depth surveys. 1. When we collect data on ethnicity (without collecting any other personal data), is this considered as personal data according to GDPR? 2. When we record session cookies, is this considered as personal data according to GDPR? 3. For some clients we do in-depth interviews, and we record either videos or images of the interviewees; we send those videos or images in aggregate form to the client (we send no other personal data), and we do not keep track of which part of the video or which image displays which interviewee. If an interviewee wishes her personal data to be deleted, how is this to be executed on our client side if neither we nor they know which part of the video / which photo belongs to this interviewee?
  • Remote Working and Accessing EU data from outside the EU

    We are an EU-based company and could have an employee based outside the EU who would be remote working. They would be accessing their PC within the office environment by remote desktop connection and accessing client databases/CRMs that contain data on EU residents. The clients would be the Controllers of the data and we would be the processor. Would this be classified as a transfer to a third country? If so what measures would we need to put in place?
  • Filling out documents in integrated toolkit

    We decided not to implement ISO27001 in the next 6 months, but we want to implement GDPR now. I need the separate toolkit for GDPR if it's possible. Thanks.