1: Advisera docs Footer and Change record – do we have to keep the Advisera wording on all docs?
No, they can be customized to match your templates or any other form that you may consider necessary.
2: Client data – How long can we keep data? 6 years +1 from collection date or when client has left then 6+1
It depends. Storage of data is considered the processing of personal data. So if you choose to store data for 6 years +1 from the collection date, you should have a legal ground for storing. It can be legitimate interest (for eg to protect your organization in court) or legal obligation (Fiscal law, labor law, etc).
3: Confirm BtoB data is still governed the same way as BtoC – PII
Yes, personal data is any information related to an identified or identifiable data subject, it doesn’t matter if B2B or B2C.
4: Back Ups on Tape Drives and SAR requests – where do we stand?
If you receive a Subject Access Request – SAR - according to art 15 GDPR you should disclose a copy of all personal data that you are processing. If there is data on the backup, it should be in production as well anyway, so you shouldn’t do anything special besides mentioning the backup storage time for the data.
5: If a client asks to see our policies can\should we hand them over? Incident log, do we have to show that if asked?
If you act as a Data Processor, the Data Controller has the right to check all you technical and organizational measures needed to demonstrate GDPR Compliance. The Data Controller is accountable for how it chooses its Data Processors. You might choose not to share policies and procedures, especially if they contain confidential information, but you should find a way to demonstrate to your client that you took all necessary technical and organizational measures needed to demonstrate GDPR Compliance. For incident logs, I recommend sharing only the non-confidential information.
6: Clarify medical data in ***, we don’t collect it, but customer could upload it, what are the implications for us as Processor?"
The Data Controller is accountable for how it processes personal data, including uploading of medical data. As a Processor, you must make sure that you are respecting the Controller’s instructions, that you don’t process that medical data for other purposes, and that you protect that data.