I'm attending the EU GDPR Foundations Course, and I would like to have your opinion about the following: consider the question: "Who is responsible for ensuring that the inventory of processing activities exists?" Your answer is: the DPO. I think it is the incorrect one, because a company can choose NOT to have a DPO. Am I right?
EU GDPR requirements
I also have one more question concerning one of the EU GDPR requirements for businesses based outside the EU that provide goods or services to EU residents: an EU representative in one of the Member States. I guess our Company falls under this requirement and we need to hire someone for this position. Our Company provides services for people from all EU Member States. The number of our users is quite dynamic, so today, for example, most of them are from Germany and a few weeks later from Italy. Could you please advise us in which Member State it is better to hire an EU representative in our case?
Cross border personal data transfer procedure
I am having a hard time understanding the requirements for the cross border personal data transfer procedure. If personal data is stored electronically, yet is only accessible within your organization, does that mean it falls under this policy? As an example, we have an HR system with information on UK employees. HR staff in the US can access this. However, the data is not being sent to a third party; it is all retained within our organization. Is this considered a cross border transfer, or not?
Supplier Data Processing Agreements
If we purchase subscription licenses (such as Microsoft Office 365 or a hosted phone system) from our managed services provider who is acting as the reseller, would we still need to have a Supplier Data Processing Agreement with Microsoft/the phone system vendor or does that responsibility fall on our managed services provider/reseller only?
Controller vs processor
My company has insurance coverage of our employees (Health insurance). I am wondering if the insurance company is to be considered a controller or processor?
Contracts and compliance with GDPR requirements
1) Contracts are part of our business and we need to understand what to do with currently active contracts. What would be the practical steps to bring contracts into compliance with GDPR requirements? Do we need to include data protection clauses in all contracts (including employment contracts with residents and non-residents of the EU)? In which cases may we not include such clauses (if possible)?
The GDPR “right to be forgotten”
Our company acts as data processor in the social care/health care sector in the UK/Ireland. Does the Data Privacy Act obligation of retention of data get overruled by the GDPR “right to be forgotten”? For example, if a social care services provider is retaining a person’s data for 10 years in line with the UK DPA 1988 and the person in June says they want to be forgotten, then what is the legal advice in the case of healthcare data for data controllers/data processors?
Whilst I understand the need for a variety of privacy notices, is it not more practical to list ALL possible information that may be requested and state that only the minimum set of information, out of that superset, will be requested for the specific interaction, contract or communication that is necessary to fulfil the obligations between the parties?
Call recording policy
From what I am reading, if we are doing telephone call recording, we are required by law to have a call recording policy. I cannot seem to see one in the pack.
What if our suppliers don’t perform their work in a compliant way? We think there should be some penalties or liabilities if they don’t perform their work in a compliant way. As you know, being a data controller, xxx is at risk of being liable to pay the fine (up to a maximum of €20 million or 4% of global revenue/turnover per infraction) in some way if our suppliers don’t perform their work in a compliant way. So it is a must to have penalty or liability clauses somewhere on the suppliers. Am I right?