1. If a systems builder installs several workstations with different applications at a customer and needs to log information on those systems (not per se an audit trail) to be able to debug what went wrong between these systems, and the customer is happy to provide these logs or even (continuous) access to the systems to have things debugged, but the logs may contain privacy related information, then what do you do? Warn systems users that their actions are logged?Demand that customer anonimifies the logs / State we uphold privacy and use logs only for debugging our systems and not for audit trail? Do we need a processor agreement for that? Who provides it?
2. Do processor agreements need to be signed by both parties?
3. Do you need to actively request a website visitor to accept cookies and read the privacy statement even if you do not use personal information that is collected, e.g. by google analytics and similar 3rd party tools? Or is it enough just to link to a disclaimer or legal statement on these pages…
1. If the users are having access to personal data you need to ensure that they are bound by the duty of confidence. This is a requirement of EU GDPR article 28.(3)e – Processors (https://advisera.com/eugdpracademy/gdpr/processor/). You can also have a pop up message to the users that they are about to access personal data.
2. If possible the customer should try to anonymize the personal data and if is not possible a Data Processing Agreement should be signed by you as the data processor and your customer as the data controller. This need to be legally binding agreement and need to be signed or agreed by both parties.