2) Do we need a Data Protection Officer or is a Data processor enough?
3) Regarding the 'Compliance Questionnaire': do we need to send this to all 3rd parties that hold data of ours, or just our clients?
1) According to EU GDPR article 5(e) (https://advisera.com/eugdpracademy/gdpr/principles-relating-to-processing-of-personal-data/), personal data cannot be kept longer than is necessary for the purposes for which the personal data are processed. Assuming that the data received via your website comes from users registering there, you can set up your own retention period. When establishing it you should consider a reasonable retention period that would be consistent both with the type of services you provide to the data subject and with the categories of personal data processed. To give you an example, if you are not collecting special categories of data (https://advisera.com/eugdpracademy/gdpr/processing-of-special-categories-of-personal-data/), you can set up a retention period anywhere between 1-3 years (most likely it will not be considered excessive) from the last time the user accessed his/her account on your website.
2) Appointing a Data Protection Officer is required by the EU GDPR (https://advisera.com/eugdpracademy/gdpr/designation-of-the-data-protection-officer/) only in some specific cases:
- you are required to do so by national law;
- your core activities consist of regular and systematic monitoring of data subjects on a large scale;
- your core activities consist of processing sensitive personal data on a large scale (including processing information about criminal offences).
So, if you find yourself in any of the above cases, you are required to appoint a DPO, which can be an employee or a third party (e.g. a consultancy company). If not, then you are not required to appoint a DPO, but you can assign some data protection specific tasks to someone within the organization.
3) The Supplier Due Diligence Questionnaire is used to assess those suppliers that are processing personal data that belong to you as controller. So, it applies to those suppliers receiving or having access to personal data that you process as controller, regardless of whether the data is that of your employees or your customers.