Contracts and compliance with GDPR requirements

2) Do we need to obtain consents from impacted personnel of third parties (e.g., we concluding contract with consulting firm or non-EU financial institution)?

Answers:

1. When acting as a controller or example for the processing of personal of your employees you would need to inform them about the processing activities . You can do that by using a “Privacy Notice” which is aimed at explaining to the employees the Employee Privacy Notice can be delivered to the new employees when sign the labor agreement. The employees do not have to agree with the content of Notice but just have to acknowledge it. For existing employees you can chose to post the Notice on your internet and inform them that they can access it at any time. We are currently working on an Employee Privacy Notice that should be with you sometime next week.

Regarding your contracts with your that process data on your behalf you will need to have in place a Supplier Data Processing Agreement which you can find in folder 7. Third Party Compliance in our EU GDPR Documentation Toolkit.

If you want to find out more about the impact of EU GDPR on your HR activities you can check out our article “How the GDPR could impact your HR department” - https://advisera.com/eugdpracademy/blog/2018/02/22/how-the-gdpr-could-impact-your-hr-department

2. If you are transferring personal data outside the EEA is not necessarily to have the consent of the data subject. You need, however, to notify him/her about the cross border data transfer. If you transfer data outside the EEA just make sure that you use the Standard Contractual Clauses you find in folder 6. Personal data transfers.