We are a software supplier. Via our application a lot of data is stored in our databases, but we're not the ones processing the data. The input and output of data will be done by our customers. When I look at the 01.1 document, a lot of questions are about processes to take care of personal data like adding, removing or anonymizing. How does a software supplier normally integrate these standards? We cannot force each customer to ask permission from their professionals before they enter data. And if we could, it would be almost unverifiable.
Documentation of processing activities
I am taking a look at the “Documentation of processing activities” at the moment. The requirements seem quite clear; what I am not entirely clear about is the way we can receive, e.g., the sign-off from our (very many) data controllers, their DPO data, confirmation of the data processing agreement, etc. Does all of this need to be written (on paper)? Are digital forms acceptable? What digital forms are good? ParentPay have about 9000 customers, all of which are data controllers, and who we process data for. Would it be sufficient to ask them to “tick a box” in an online form, and confirm who their DPO is? Or does that process need to be somewhat more robust? Would we need to apply a form of proof of identity before accepting their submission?
Comparison of the different GDPR articles
I was wondering if you know of a website that compares the different GDPR articles / recitals / derogations for different countries like the UK, Guernsey and Jersey against the EU GDPR itself?
EU GDPR procedures
Kindly advise from where I can trace procedures or forms relating to Information & Access to Personal Data as outlined in Article 13 & 14 of the GDPR; Rectification Procedure; Data Minimization Procedure; Erasure Procedure as authorized from the data subject; Disposal of personal data procedure after retention period; Special categories of personal data procedure; Records Management Policy; Restriction of Processing procedure; Profiling procedure; Right to object procedure; Reference letters procedure; Direct Marketing procedure regarding Opt In.
Supplier Data Processing Agreement
I went through the toolkit and I cannot seem to find clauses which I should insert in contracts such as contracts of service, contracts for the purchase of a service or good, contract between us as a controller and respective processors etc. Could you please guide me?
Does GDPR require the use of encryption for protecting/securing personal data? Aside from encryption, pseudonymization, and anonymization, are there other “acceptable” mechanisms for securing the data that’s GDPR-compliant?
We know that best practice is to not have production data in non-production/development environments. However, does GDPR require that production data not be stored in non-prod/dev environments? Or, as long as the non-prod/dev environment is properly secured, then it’s acceptable?
GDPR and possible software changes
I’ve seen that the documents are providing guidelines and formats for the full documentation regarding the AVG. However, can you explain to me how this reflects on possible software changes (we are a software developer)? We also need to find out what we need to change / provide and why before we actually make changes to the application.
EU GDPR documentation
Is your documentation compliant with Dlgs 196/2003? Part of that Dlgs will be used after 25 May 2018?
Our company wants to hire an external DPO and asked me to be the internal DPO for 2018. My question is, what are my tasks and is this normally the way it goes? What can I expect from the external DPO and what will be expected from me? Which questions do I need to ask the external DPO?