My company is a US-based company that provides expense reimbursement to our customers. We have many employees in the US but very few in the EU. We also have EU customers. Customer data includes the name (phone number & business email address) of the contact person for a customer. With respect to inventory of processing activities:
1. Does the GDPR standard apply to EU employees or global employees? I’m wondering if we can inventory our processing activities for employees only.
The GDPR applies to data of individuals in the Union (EU). This means that it would apply to all processing activities where the personal data of the employees in the EU is involved with regard to which you are acting as a controller. The same applies to the data of the clients' employees for which you perform the reimbursement services as a processor.
2. Data is transferred from the EU to the US and back. This could include a contact name for a customer as well as a business email and phone number. Would inventory of processing activities be applicable in this case?
Yes, you would need to be compliant with the provisions of art. 30 and to document the processing activities.
3. Is a business email address considered personal data?
Usually, business emails are email@example.com so it would be considered personal data except for generic email addresses such as firstname.lastname@example.org.