The toolkit is made for both data controllers and data processors, right?
Our software stores personal data on our infrastructure on behalf of our clients, so we are a Processor. We use Zendesk, a ticketing system, where users can report issues. This system is hosted in the US. In this system we will have email addresses from users, mostly only from our contact persons at clients. So not from all users. Should we regard Zendesk as a Sub-Processor with respect to personal data?
Cross reference between 27001 and GDPR
Is there a cross reference between 27001 and GDPR?
Legitimate Interest Assessments template
Is there any template around Legitimate Interest Assessments?
The Data Processing Agreement
Many of our customers, for whom we process data, are asking for this DPA. It is my understanding that this DPA is a document that we send to OUR suppliers who process data on our behalf, not for our customers whom we process data for. Can you please advise?
We are a B2B company, which doesn't directly process the data of the end user. Do the same rules apply here for B2B and B2C companies?
Does data belong to the controller or the subject?
In your GDPR training video you outline that "as of the time that the video was created, the United States and Canada was still not recognized as having adequate data protection". Has this changed or is this still the case?
User data from 3rd party integrations
Do we need to delete user data from 3rd party integrations? For example, our users integrate and send their submissions to Google Drive, Dropbox or Box. Do we have any obligations to inform 3rd parties about a deletion?
I read that an appointment of a Data Protection Officer is obligatory under certain conditions (Article 37), namely: