Get FREE 12-month access to the AI-Powered Knowledge Base worth $450
with your ISO 27001 toolkit purchase
Limited-time offer – ends June 27, 2024

EU GDPR - Expert Advice Community



Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Article 37

    I read that an appointment of a Data Protection Officer is obligatory under certain conditions (Article 37), namely:
  • Photograph and Document of Employees

    1. Does a Company need express consent from an employee to use their photograph on the company’s website or to store a photo for communication and adverting purposes and to store a copy of an official document from them (ex: driver license) for the purpose of confirmation of identity?
  • Becoming GDPR compliant

    With data we already use for marketing purposes, what do we need to do to be GDPR compliant? Do we need to opt all data subjects out or is it acceptable to only have new clients opt in on their request?
  • Employees consent

    Under the GDPR, are employees required to sign a consent form in order for the business to process their personal data? Or, is it understand the company has a lawful basis for processing the data due to the following from the GDPR: "(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract"Based on the above, it does not seem employee consent is required in order to do things like providing their data to your payroll provider, which can contain sensitive information. Can you confirm or suggest if I have misinterpreted?
  • Cross border transfer

    I am having a hard time understanding the requirements for the cross border personal data transfer procedure. If personal data is stored electronically, yet is only accessible within your organization, does that mean it falls under this policy? As an example, we have an HR system with information on UK employees. HR staff in the US can access this. However, the data is not being sent to a third party; it is all retained within our organization. Is this considered a cross border transfer, or not?
  • Using DPIA

    1. Is a DPIA required for an employee background check, and for storing sensitive data on an employee?
  • Publishing Privacy Policy

    As we are an outsource contact center provider, we are the data controller in terms of HR, Recruitment etc. putting the Privacy Policy on the website doesn’t seem right to me, as this is also used for prospective new clients? How would this work for us? Same for DSAR requests – our website doesn’t seem the right place to put this information but I don’t know where else we could?
  • Antivirus protection

    I wanted to know do I need any special software for data storage and their security besides the documentation to implement GDPR (besides antivirus I have already installed)?
  • Using personal data

    After I interact with a candidate (interview/ phone interview/ or even if he tells me that he does not want to be contacted again) I will need to store a comment with whatever happened, how it went, what was agreed or discussed - my question is, how can I keep these comments of candidates, would it be feasible to just have his profile stored without any personal information except his name and maybe the link to his LinkedIn profile - this would be solely for professional reasons, we wouldn't want any of my colleagues or even my self to contact that person again in the future without knowing that we did it before and there might be a history?
  • Data Protection Officer

    I'm attending the EU GDPR Foundations Course, and I would like to have your opinion about the following: consider the question: "Who is responsible for ensuring that the inventory of processing activities exists?" Your answer is: the DPO. I think it is the incorrect one, because a company can choose NOT to have a DPO. Am I right?
Page 84 of 97 pages