Audit model: Subcontractor GDPR assessment (simple)
GDPR
Simple assessment of the measures implemented by a subcontractor to meet GDPR requirements.
1. General
1. GDPR Compliance Policy
1.1. The subcontractor has formalised a Personal Data Protection Policy
1.2. The subcontractor has appointed a DPO
1.3. The processor keeps a record of processing activities for the services entrusted to it
1.4. The subcontractor has defined and is implementing a plan to raise employee awareness of the GDPR regulations
1.5. The subcontractor has already carried out a compliance audit of the personal data used for the services entrusted to it.
1.6. A risk analysis (privacy impact assessment as defined in the GDPR) has been carried out on the services entrusted from the point of view of the protection of personal data
1.7. The subcontractor has defined and formalised data protection procedures: exercise of personal rights, data breaches, privacy by design / default, etc.
2. Documentation
2.1. What documents and/or certificates does the subcontractor have that can prove or explain the measures implemented (if applicable)?
2. Security
1. Access to premises, facilities and IT systems
1.1. The processor has taken appropriate state-of-the-art technical and organisational measures to control access to the premises and facilities where personal data is processed, in particular to verify authorisation.
1.2. The subcontractor has taken technical and organisational measures to identify and authenticate the user in order to limit access to IT systems to only those persons concerned by the use of personal data for the service entrusted
1.3. The subcontractor has taken appropriate measures to control access management on dedicated platforms/software tools
1.4. The processor regularly assesses the technical and organisational measures designed to control access to personal data (e.g. penetration test)
1.5. The subcontractor has implemented a security incident management procedure
1.6. The subcontractor takes measures to prevent loss, alteration or unauthorised disclosure during electronic transfer, data transport, transmission control, communication or storage of data on data media (manual or electronic), etc., and thus to control the risks of unauthorised disclosure
2. Hosting and storage of personal data
2.1. The processor has taken appropriate steps to protect against the accidental destruction or loss of personal data (principle of availability)
2.2. The processor shall delete or return personal data in accordance with the documented instructions received from the Customer. Failing this, it has defined and implemented an internal data retention policy that complies with the requirements of the GDPR.
2.3. Unless expressly authorised in the contract, the data entrusted by the Customer to the processor for processing is hosted and used within the EU
3. Contract
1. Subcontracting contract
1.1. Have you signed a contract with your subcontractor?
The relationship between a controller and a processor must be governed by a contract in accordance with Article 28 of the GDPR.
1.2. Does this contract include a section on the protection of personal data?
2. Compliance of implementation of processing activities
2.1. The processor has implemented measures for subsequent verification of the entry, modification or deletion of data, and of the person who carried it out (logging of access and reporting).
2.2. The subcontractor regularly informs its Customer of the proper performance of the Contract for the services entrusted to it (compliance with the documented instructions).
2.3. The processor complies with the principles of isolation of processing for different purposes and has put in place appropriate measures
2.4. The processor has put in place measures to enable data to be processed separately (stored, modified, deleted, transmitted) for different purposes
3. Subsequent subcontracting
3.1. Relations with subsequent subcontractors have been the subject of a contract.
3.2. If yes, these contracts take into account the GDPR requirements
3.3. Any transfers of data outside the EU are governed by standard clauses or other guarantees provided for in the GDPR.
3.4. The processor has ensured that subsequent processors have taken the organisational and technical measures necessary to provide sufficient guarantees for the protection of personal data.
Created at: 00/13/2024
Updated on: 07/29/2024
License: © Creative Commons: Attribution / Non-commercial use (CC-BY-NC)
Author:
Uses: 17