I read that an appointment of a Data Protection Officer is obligatory under certain conditions (Article 37), namely:
Photograph and Document of Employees
1. Does a company need express consent from an employee to use their photograph on the company's website or to store a photo for communication and advertising purposes, and to store a copy of an official document from them (e.g. a driver's licence) for the purpose of confirming identity?
Becoming GDPR compliant
With data we already use for marketing purposes, what do we need to do to be GDPR compliant? Do we need to opt all data subjects out or is it acceptable to only have new clients opt in on their request?
Under the GDPR, are employees required to sign a consent form in order for the business to process their personal data? Or is it understood that the company has a lawful basis for processing the data due to the following from the GDPR: "(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract". Based on the above, it does not seem employee consent is required in order to do things like providing their data to your payroll provider, which can contain sensitive information. Can you confirm, or suggest if I have misinterpreted?
Cross border transfer
I am having a hard time understanding the requirements for the cross border personal data transfer procedure. If personal data is stored electronically, yet is only accessible within your organization, does that mean it falls under this policy? As an example, we have an HR system with information on UK employees. HR staff in the US can access this. However, the data is not being sent to a third party; it is all retained within our organization. Is this considered a cross border transfer, or not?
1. Is a DPIA required for an employee background check, and for storing sensitive data on an employee?
I wanted to know whether I need any special software for data storage and its security, besides the documentation, to implement GDPR (besides the antivirus I have already installed)?
Using personal data
After I interact with a candidate (interview, phone interview, or even if he tells me that he does not want to be contacted again) I will need to store a comment with whatever happened: how it went, what was agreed or discussed. My question is, how can I keep these comments on candidates? Would it be feasible to just have his profile stored without any personal information except his name and maybe the link to his LinkedIn profile? This would be solely for professional reasons: we wouldn't want any of my colleagues, or even myself, to contact that person again in the future without knowing that we did it before and that there might be a history.
Data Protection Officer
I'm attending the EU GDPR Foundations Course, and I would like to have your opinion about the following: consider the question: "Who is responsible for ensuring that the inventory of processing activities exists?" Your answer is: the DPO. I think it is the incorrect one, because a company can choose NOT to have a DPO. Am I right?