Expert Advice Community

GDPR Implementation Inquiry
Guest user Created:   Aug 25, 2020 Last commented:   Aug 27, 2020


We have an inquiry regarding the GDPR implementation. We are a software company that develops software solutions for a customer X in Europe; the software solutions carry personal information about X’s employees, so we are a processor.

Internal systems developed and maintained by my company for other customers that have EU citizen employees should be GDPR compliant, and in this case they should be secure by design and data should be secured at rest, considering there is no agreement between the client and ourselves for applying GDPR requirements on the system. Please confirm?

Regarding personal rights, are these rights applied to employees, as they are EU citizens, in a way that is compliant with business rules and data retention policies? For example, if an employee left the company and wants his data to be deleted, in this case the company should reply within 1 month that, according to business needs and regulations, his data will be retained for 5 years (for example), and after these 5 years he may ask for a data deletion confirmation. Is that right? We need to know what the employee rights are here and what is to be applied in our systems.


EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.


Expert
Alessandra Nisticò Aug 27, 2020

"We have an inquiry regarding the GDPR implementation. We are a software company that develops software solutions for a customer X in Europe; the software solutions carry personal information about X’s employees, so we are a processor.
Internal systems developed and maintained by my company for other customers that have EU citizen employees should be GDPR compliant, and in this case they should be secure by design and data should be secured at rest, considering there is no agreement between the client and ourselves for applying GDPR requirements on the system. Please confirm?"

You are a data processor under GDPR because you are processing personal data on behalf of your Client. You need a data processor appointment agreement to comply with obligations listed in Article 28 GDPR. It helps you to demonstrate accountability to GDPR principles in case of controls by Data Protection Authorities. 

We developed the template of the Agreement to use with your Clients applying GDPR:
EU GDPR document template: Supplier Data Processing Agreement https://advisera.com/eugdpracademy/documentation/supplier-data-processing-agreement/

You can also find more information here:

"Regarding personal rights, are these rights applied to employees, as they are EU citizens, in a way that is compliant with business rules and data retention policies? For example, if an employee left the company and wants his data to be deleted, in this case the company should reply within 1 month that, according to business needs and regulations, his data will be retained for 5 years (for example), and after these 5 years he may ask for a data deletion confirmation. Is that right? We need to know what the employee rights are here and what is to be applied in our systems."

Being a data processor under GDPR you need to guarantee data subjects’ rights in your system. However, it should be the data controller to ensure that you comply with GDPR requirements through the Data Processing Agreement.

This happens because data subjects shall exercise their rights in front of the data controller and you – as a data processor – will be jointly responsible. Keep in mind that retention periods may vary under national legislation implementing GDPR requirements (i.e. in Italy bookkeeping legislation requires a company to store documents for 10 years), so you need to check it with your Client.

The employee rights are those listed from Article 15 to 22 GDPR:

  • Right of access
  • Right of rectification
  • Right of erasure (Right to be forgotten)
  • Right to restriction of processing
  • Right to data portability
  • Right to lodge a complaint to a Data Protection Authority
  • Right to object
  • Right to ask for human control in case of automated individual decision-making

Here you can find more information:

You can consider enrolling in our free EU GDPR Foundations Course
EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
