GDPR compliance and data protection

1.There is some suppliers like couriers that want to sign DPAs with us. Is this ok? Are couriers processors?

Couriers act like independent data controllers so you need to sign a Controller to Controller Agreement. You can find such an Agreement in this EU GDPR Premium Documentation Toolkit: https://advisera.com/eugdpracademy/pricing/

2. Also since we want to start from January to work on our implementation how much time do you think we need? How about resources?

Both the time and resources depend on various factors such as the size of the company and the activities it performs. We have developed some tools that allow you to calculate the duration and the costs of becoming compliant. Check out this tool: https://advisera.com/eugdpracademy/eu-gdpr-compliance-duration-calculator/ .

3. Being a shipping company do we need to register?

As far as I know, this requirement no longer exists. However, you should check out the website of the local Supervisory Authority as this is a local decision.

4. When we provide the notices to the crew members we are recruiting do they need to sign it?

Privacy notices need to be made available to the data subjects but not necessarily signed. You can make them available on your website for example.

5. Are we allowed to keep the CVs for possible future arrangements?

Based on your legitimate interest or the candidate consent you can keep the CV longer. You need however to decide and asses which lawful ground would suit you best. You can find out more about Privacy Notices in this free webinar “Privacy Notices under the EU GDPR” https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/ .

6. And if yes is there a time limit?

The GDPR does not provide specific retention principles however, based on the minimization principle personal data should not be kept more than needed to achieve the purpose for which it was collected. My suggestion is not to keep CVs for more than 1 year.