Audit modelSubcontractor GDPR assessment (advanced)

GDPR

Advanced assessment of the measures implemented by a subcontractor to meet GDPR requirements.

1. GDPR Compliance Policy

1.1. Is there a contract between the Data Controller and the processor?

Yes

1.2. Does the contract contain clauses defining the subcontractor's responsibilities that comply with the GDPR?

Yes

1.3. Please download the contract and/or the addendum.

1.4. Has the processor formalised a Privacy Policy?

Yes

1.5. Please download the privacy policy

1.6. Has the processor appointed a DPO?

yes

1.7. Please indicate DPO details (name, first name, telephone number, email address)

1.8. Has the processor appointed an Chief Information Security Officer (CISO)?

Yes

1.9. Please indicate CISO details (name, first name, telephone number, email address)

1.10. Does the processor keep a record of processing activities for the services entrusted to it by the controller?

Yes

1.11. Has the processor already carried out a compliance audit of the personal data used in connection with the services entrusted to it by the controller?

Yes

1.12. Has a risk analysis (privacy impact assessment as defined in the GDPR) been carried out on the services entrusted from the point of view of the protection of personal data?

Yes

1.13. Has the processor defined and formalised data protection procedures (exercise of data subject rights, data breach, privacy by design / default, etc.)?

Yes

2. Human resources

2.1. Has the processor defined and implemented a plan to raise awareness of the GDPR among employees?

Yes

2.2. Has the processor made its employees who have access to the data entrusted to it by its clients sign a confidentiality agreement, possibly in the employment contract?

Yes

2.3. Has the subcontractor drawn up a charter for the use of IT resources?

Yes

3. Physical access control to premises

3.1. Has the subcontractor taken appropriate state-of-the-art technical and organisational measures to control access to its premises?

Example: access control system (ID reader, magnetic card, smart card), key (issuing), door locks (electric door openers, etc.), security staff, guards, surveillance installations (alarm system, video / CCTV), access connection to the data centre, regular review of permanent access authorisations, etc.

Yes

3.2. Select the measures taken to control access to the premises

Doors closed at all entrances (e.g. electronic locks; physical locks; etc.)

Presence of security personnel (e.g. security at the entrance desk)

Access control systems (e.g. biometric security; secure access cards; etc.)

CCTV systems (Video surveillance)

Security alarm systems

3.3. Has the processor taken appropriate state-of-the-art technical and organisational measures to control access to the facilities where personal data are processed, in particular to verify authorisation?

Yes

3.4. Select the measures taken to control access to the facilities where personal data are processed, in particular to verify authorization

Doors closed at all entrances (e.g. electronic locks; physical locks; etc.)

Access control systems (e.g. secure access cards; digicode; speaker registration book; etc.)

CCTV systems (Video surveillance)

Systematic presence of a member of the IT department during an intervention on the IT premises

4. Logical access control to IT systems

4.1. Has the subcontractor taken the technical and organisational measures for user identification and authentication to limit access to IT systems to only those persons concerned by the use of personal data for the service entrusted?

Examples: password procedures (including special characters, minimum length, regular password change), automatic locking (e.g. password or shutdown), creation of a master folder per user, encryption of data carriers

Yes

4.2. Select identification and authentication measures

IT security systems requiring individual users to log in with a unique username

Computer security systems requiring the use of strong passwords (e.g. minimum 8 characters with use of 3 of the 4 character types)

Computer security systems requiring the use of multi-factor authentication

Mandatory password change at fixed intervals (e.g. every six (6) months)

Automatic locking of computer terminals and devices after a period of non-use, with a password required to "turn on" the terminal or device

Powerful encryption/hashing of password databases (e.g. use of Keepass on all workstations)

Use of very restrictive passwords for privileged accounts (e.g. minimum 12 characters with use of 3 of the 4 character types)

Implementation of user profiles with principle of least privilege managed in the Active Directory

Management of rights and profiles in external software

5. Hosting and storage of personal data

5.1. Where are the data entrusted by the data controller hosted?

On internal servers

At a hosting provider

5.2. Identify the host(s) where the data entrusted by the data controller is stored

5.3. Are the hosting provider(s) ISO 27001 certified?

Yes

5.4. Is the processor ISO 27001 certified?

Yes

Ongoing

5.5. Has the processor defined and implemented an internal data retention policy that complies with the requirements of the GDPR?

E.g. retention and disposal policy.

Yes

5.6. Does the processor delete or return personal data in accordance with the documented instructions received from the controller?

Yes

5.7. Unless expressly authorised in the contract, is the data entrusted by the Customer to the processor for processing hosted and used within the EU/EEA or in an appropriate country?

Yes

5.8. How is it permitted to transfer personal data to countries outside the EU/EEA or to an unsuitable country?

Standard contractual clauses (SCC)

Binding Corporate Rules (BCR)

No specific conditions

5.9. What measures are in place to protect IT infrastructures?

Redundant network equipment

Redundant firewalls

Outsourced SOC

6. Data security

6.1. Has the subcontractor set up a security incident management procedure?

Yes

6.2. Does the subcontractor take measures to prevent loss, alteration or unauthorised disclosure during electronic transfer, data transport, transmission control, communication or storage of data on data media (manual or electronic), etc, and thus control the risks of unauthorised disclosure?

Examples: Encryption /canalisation (VPN=Virtual Private Network), Electronic signature, Connection, Transport security

Yes

6.3. Describe the measures in place

Implementation of vulnerability assessment systems, threat protection technologies, update management, and monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses and other malicious code

Flow encryption (SSL/TLS)

Encryption of workstations (for example with Bitlocker)

Encryption of removable media (for example with Bitlocker)

Possible encryption of email content (for example with 7-Zip)

Limiting email exchanges in favor of secure spaces (e.g. OODrive, Sharepoint)

Secure data network (e.g. VPN)

6.4. Does the processor regularly assess the technical and organisational measures designed to control access to personal data (e.g. penetration tests)?

Yes

6.5. Does the subcontractor have a business continuity plan (BCP) with data replication to a backup site?

Yes

6.6. Has the subcontractor implemented a data backup plan?

Yes

7. Compliance of processing activities' implementation

7.1. Has the processor put in place measures for subsequent verification of the entry, modification or deletion of data, and of the person who carried it out (logging of access and reporting)?

Yes

7.2. Does the subcontractor regularly inform the Customer of the proper execution of the Contract for the services entrusted to it (compliance with documented instructions)?

Yes

7.3. Does the processor comply with the principles of isolation of processing for different purposes and has it put in place appropriate measures?

Example: sandboxes for development activities, separation of activities in the organization of rights, ...

Yes

8. Subsequent subcontracting

8.1. Is subsequent subcontracting part of the contract with the subcontractor?

Yes

8.2. Does the contract stipulate that the data controller must approve the choice of subsequent processors?

Yes

8.3. Are relations with subsequent subcontractors covered by a contract with the subcontractor?

Yes