Can a company share its employees' personal data?
I need to ask a question because I was not able to find one of the situations which makes me confused about GDPR. A company which has become our customer and bought a service from us shares via email its employees' personal data (name, last name and email) so we can create access for them on our portal. When they access the portal, they will be asked to accept the privacy policy and give consent (GDPR stuff)... Is that OK from the law side, to have personal information of company employees and have them accept the policy after they log in for the first time? Also, what will happen if some of the users never log in, or don't log in for a long period, and we made an account for them, but the user hasn't accepted the privacy policy and given consent to us?
How can we overcome this situation? Do you know if we can still be GDPR compliant with this situation?
In B2B relationships, each company authorizes the processing of its own employees' personal data. So you can provide them with an account, and they acknowledge the privacy notice while logging in; if they don't, you can process their data as well for any activity which is connected to the provision of service to your client. The legal basis of data processing, in fact, is the contract under Article 6 lett. B) GDPR.
Here you can find some information about how to process personal data:
- Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
If you want to learn how personal data are processed under the EU GDPR you may consider enrolling in our free training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course/
Thank you very much for your reply!
Great, so that means that we just need to state in the contract that we have a privacy notice on our customer portal and that is all, or maybe we don't need to specify anything, and if that company shares with us their employees' personal data we don't need to do anything more!?
No, it means that in the agreement with your client you state that personal data connected to the performance of the contract will be processed as stated in the attached privacy notice. You may also link to the web portal, but if you attach the privacy notice to the contract it is easier to demonstrate compliance with the obligation of providing information about data processing.
Sep 23, 2021