Take the ISO 27001 course exam and get the EU GDPR course exam for free
LIMITED-TIME OFFER – VALID UNTIL SEPTEMBER 30, 2021

Expert Advice Community

Guest

GDPR Implementation Inquiry

  Quote
Guest
Guest user Created:   Aug 25, 2020 Last commented:   Aug 27, 2020

GDPR Implementation Inquiry

We have an inquiry regarding the GDPR implementation , we are a software company that develops a software solutions to  a customer X at Europe ; the  software solutions are carrying personal information for X’s employees so we are a processor.

Internal systems developed and maintained by my company  for other customers that have EU citizen employees should be GDPR compliant and in this case it should be secure by design and data should be secured at rest considering there is no agreement between the client and ourselves for applying GDPR requirements on the system ..please confirm?

Regarding personal rights, are these rights applied on employees as they are EU citizens in the way that is compliant with business rules and data retention policies, for example if the employee left the company and wants his data to be deleted, in this case the company should reply within 1 month that according to the business needs and regulations, his data will be retained for 5 years for example and after these 5 years ha may ask for a data deletion confirmation, is that right? We need to know what are the employee rights here and what to be applied at our systems?

0 0

Assign topic to the user

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Alessandra Nisticò Aug 27, 2020

"We have an inquiry regarding the GDPR implementation, we are a software company that develops a software solutions to  a customer X at Europe ; the  software solutions are carrying personal information for X’s employees so we are a processor.
Internal systems developed and maintained by my company  for other customers that have EU citizen employees should be GDPR compliant and in this case it should be secure by design and data should be secured at rest considering there is no agreement between the client and ourselves for applying GDPR requirements on the system ..please confirm?

 

You are a data processor under GDPR because you are processing personal data on behalf of your Client. You need a data processor appointment agreement to comply with obligations listed in Article 28 GDPR. It helps you to demonstrate accountability to GDPR principles in case of controls by Data Protection Authorities. 

We developed the template of the Agreement to use with your Clients applying GDPR:
EU GDPR document template: Supplier Data Processing Agreement https://advisera.com/eugdpracademy/documentation/supplier-data-processing-agreement/

You can also find more information here:

 

Regarding personal rights, are these rights applied on employees as they are EU citizens in the way that is compliant with business rules and data retention policies, for example if the employee left the company and wants his data to be deleted, in this case the company should reply within 1 month that according to the business needs and regulations, his data will be retained for 5 years for example and after these 5 years ha may ask for a data deletion confirmation, is that right? We need to know what are the employee rights here and what to be applied at our systems? 

 

Being a data processor under GDPR you need to guarantee data subjects’ rights in your system. However, it should be the data controller to ensure that you comply with GDPR requirements through the Data Processing Agreement.

This happens because data subjects shall exercise their rights in front of the data controller and you – as a data processor – will be jointly responsible. Keep in mind that retention periods may vary under national legislation implementing GDPR requirements (I.e. in Italy bookkeeping legislation requires a company to store documents for 10 years) so you need to check it with your Client.

The employee rights are those listed from Article 15 to 22 GDPR:

  • Right of access
  • Right of rectification
  • Right of erasure (Right to be forgotten)
  • Right to restriction of processing
  • Right to data portability
  • Right to lodge a complaint to a Data Protection Authority
  • Right to object
  • Right to ask for human control in case of automated individual decision-making

Here you can find more information:

You can consider enrolling in our free EU GDPR Foundations Course
EU GDPR Foundations Course: https://training.advisera.com/se/eu-gdpr-foundations-course//

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Aug 25, 2020

Aug 27, 2020

Suggested Topics

Guest user Created:   Sep 24, 2021 EU GDPR
Replies: 0
0 0

Conversion to UK version of GDPR

Guest user Created:   Sep 21, 2021 EU GDPR
Replies: 2
0 0

Application of GDPR to emailed CVs

Guest user Created:   Aug 30, 2021 EU GDPR
Replies: 1
0 0

Complying with EU GDPR