Where a new and formerly not envisaged purpose for using previously collected data is defined, and where the original purpose was covered by a "blanket" legal ground, such as "legitimate interest", and so is the new purpose, is it still required to acquire consent from the data subjects (as suggested in the template Privacy Policy)? Or would an update to the Privacy notice for the particular processing activity be sufficient?
Data processors
Is there a version of the GDPR document package, or additional documents that are intended for data processors? I purchased the original EU_GDPR_Documentation_Toolkit, but I really only see documents for data controllers.
Company data
We have already resolved the question about customers in a B2B environment, but why doesn't the "customers' employees" category appear in the scope? What is the difference between "customers" and "suppliers" from the point of view of their employees?
DPIA
1. How to conduct PIA or DPIA?
EU GDPR document
In document 6.2 the title reads "Standard contractual clauses for the transfer of personal data from the Community to third countries (controller to controller transfers)". "The Community" would appear to need to be changed to "Company". Please can you confirm.
EU GDPR questions
1. My question is what documentation do we require and what are our responsibilities for both managed and unmanaged services.
ID Verification
What would be the appropriate method of verifying the ID of the person who submits a DSAR, more specifically, if the request isn't done in person (i.e. by phone or e-mail)?
Audit team
Instead of using an external 'independent' audit team from a third party, can we set up an internal audit team that is separate from those who currently manage our security, IT and GDPR processes to audit how well our company is implementing and adhering to our GDPR policies?
Exceptions
In section 7 of the DSAR Procedure document I have some questions.
Controller/Processor and DPO
Our company provides a School Information/Management System to schools worldwide. The schools determine what data they want to collect about the families/students and how they will use it in regards to the operation of the school. We develop, maintain and operate the database where all of this information is stored and accessed by numerous entities in the school and including parents. Employees from our company also access the school site to help in training, importing data into our system, and of course customer support.