Using DPIA
1. Is a DPIA required for an employee background check, and for storing sensitive data on an employee?
Publishing Privacy Policy
As we are an outsourced contact center provider, we are the data controller in terms of HR, recruitment, etc. Putting the Privacy Policy on the website doesn't seem right to me, as this is also used for prospective new clients. How would this work for us? The same goes for DSAR requests: our website doesn't seem the right place to put this information, but I don't know where else we could.
Antivirus protection
I wanted to know whether I need any special software for data storage and its security, besides the documentation, to implement GDPR (apart from the antivirus I have already installed)?
Using personal data
After I interact with a candidate (interview, phone interview, or even if he tells me that he does not want to be contacted again), I will need to store a comment with whatever happened: how it went, what was agreed or discussed. My question is, how can I keep these comments on candidates? Would it be feasible to just have his profile stored without any personal information except his name and maybe the link to his LinkedIn profile? This would be solely for professional reasons; we wouldn't want any of my colleagues or even myself to contact that person again in the future without knowing that we did it before and that there might be a history.
Data Protection Officer
I'm attending the EU GDPR Foundations Course, and I would like to have your opinion about the following: consider the question: "Who is responsible for ensuring that the inventory of processing activities exists?" Your answer is: the DPO. I think it is the incorrect one, because a company can choose NOT to have a DPO. Am I right?
EU GDPR requirements
I also have one more question concerning one of the EU GDPR requirements for businesses based outside the EU that provide goods or services to EU residents: an EU representative in one of the Member States. I guess our Company falls under this requirement and we need to hire someone for this position. Our Company provides services to people from all EU Member States. The number of our users is quite dynamic, so today, for example, most of them are from Germany, and a few weeks later most are from Italy. Could you please advise us in which Member State it is better to hire an EU representative in our case?
Cross border personal data transfer procedure
I am having a hard time understanding the requirements for the cross border personal data transfer procedure. If personal data is stored electronically, yet is only accessible within your organization, does that mean it falls under this policy? As an example, we have an HR system with information on UK employees. HR staff in the US can access this. However, the data is not being sent to a third party; it is all retained within our organization. Is this considered a cross border transfer, or not?
Supplier Data Processing Agreements
If we purchase subscription licenses (such as Microsoft Office 365 or a hosted phone system) from our managed services provider who is acting as the reseller, would we still need to have a Supplier Data Processing Agreement with Microsoft/the phone system vendor or does that responsibility fall on our managed services provider/reseller only?
Controller vs processor
My company has insurance coverage for our employees (health insurance). I am wondering whether the insurance company is to be considered a controller or a processor?