Processing protocol

2. Do I need a declaration of consent to transfer personal data to an external trainer who should serve the customer? Or is that not actually necessary to fulfill my contract?
3. Do I really need from each individual person from my already existing customer database a consent form in order to be able to send information about training series, or is this a legitimate interest?
4. Do I need a consent form to process the results of personality tests that I need to tailor my advice to the individual customer or is this a legitimate interest? Is not that actually part of contract performance?
5. Can I already on 29.05. expect a warning?
6. How do I best fulfill my obligation to inform in practice?

Answers:

1. If by processing protocol you refer to a Data Processing Agreement/Processor Addendum, this document needs to be signed with those suppliers that process personal data on your behalf (e.g. payroll suppliers).
2. You don`t need the consent for transferring data to a third party supplier. You just need to mention that in your Privacy Notice which you should present to the individuals when collecting their personal data.
3. You can rely on legitimate interest for you existing customers with which you have already an ongoing contract. Make sure to provide them with an unsubscribe option each time you send the advertisement.
4. A personality test most likely would result in processing sensitive personal data or even to profiling of the individual subject to the personality test. I this case processing of sensitive personal data would require explicit consent from the individual as per EU GDPR art. 9 –“ Processing of special categories of personal data” (https://advisera.com/eugdpracademy/gdpr/processing-of-special-categories-of-personal-data/).
5. Is quite unlikely but it depends on where you are based as well as the type of business you are running.
6. If you refer to the transparency obligation best way to fulfill that is to have a Privacy Notice available to the individuals each time you collect their data or when you contact them for the first time when you get their data from some other source.

To learn more about the EU GDPR check out our free “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course//