Expert Advice Community

Guest

Handling the privacy

  Quote
Guest
Guest user Created:   Feb 07, 2018 Last commented:   Feb 09, 2018

Handling the privacy

Employer (e.g., xxx) sends us contact information for every employee globally. Occasionally, a user requests to opt out of our system and prefers we forget them. However, information about them is still delivered everyday from the employer. What are the options for us to handle the privacy of the individual while handling the requests of our customer (the individual's employer)?
0 0

Assign topic to the user

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Andrei Hanganu Feb 07, 2018

Answer:

My understanding is that, in the case you presented you are acting as a processor because it is another company (controller) that provides you with the information about the data subjects and also decides what kind of processing activities you should perform.

If this is the case, then the data subject requests, if you receive them, should be directed to the data controller that will analyze them and instruct you how to proceed further.

You may also find helpful to go through these relevant articles on our website:
- https://advisera.com/eugdpracademy/ academy/knowledgebase/8-data-subject-rights-according-to-gdpr/;
- https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/;
Quote
0 0
Guest
bgould Feb 09, 2018
I want to be clear on this - especially regarding the right to be forgotten. In our case, the customer sends us a list of employees with extensive information. We provide guidelines for the employees to go online, perform evaluations, and enter extensive information on themselves and others. In addition, they may manually add additional people - such as contractors or their customers.

At some point, all of that information is put into reports and stored on our system. So let's say that employee A adds contractor B to evaluate him in a 360 degree evaluation. We generate a report and in the report is a list of reviewers including contractor B. Can we effectively ignore any request by contractor B to be erased?
Quote
0 0
Expert
Andrei Hanganu Feb 10, 2018
As mentioned previously my understanding is that you are acting as a processor and performing certain evaluation services on behalf of various controllers. In this case all data subject requests should be directed to the respective controllers.

This doesn't mean that you are ignoring the requests but you are directing them to the controllers so that they can evaluate and decide how to deal with them. If the controllers will consider the request grounded they will instruction you on how to proceed.

When receiving such requests from the data subjects you should just mention that you cannot evaluate their request but you will send it to the data controller.
Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Feb 07, 2018

Feb 10, 2018

Suggested Topics

Guest user Created:   Nov 16, 2022 EU GDPR
Replies: 1
0 0

Data breach

Guest user Created:   Oct 19, 2022 EU GDPR
Replies: 1
0 0

Required documents