Audit modelGDPR processor assessment (advanced)
Evaluate your processor GDPR compliance
1.1. Is the relationship between the controller and the processor subject to a contract?
1.2. Does the contract contain the clauses, defining the responsibilities of the processor, that comply with the GDPR?
1.3. Please download the contract and/or the addendum.
1.4. Has the processor formalised a Data Protection Policy?
1.6. Has the processor appointed a DPO?
1.7. Please indicate DPO details (name, first name, telephone number, email address)
1.8. Has the processor appointed an Chief Information Security Officer (CISO)?
1.9. Please indicate CISO details (name, first name, telephone number, email address)
1.10. Does the processor keep a records of categories of processing activities carried out on behalf of a controller?
1.11. Has the processor already carried out a compliance audit of the personal data used in the context of the services carried out by the controller?
1.12. Has a risk analysis (Impact Analysis as defined in the GDPR) been carried out on the entrusted services from the point of view of the protection of personal data?
1.13. Has the processor defined and formalised data protection procedures (exercise of data subject rights, data breach, privacy by design / default, etc.)?
2. Human ressources
2.1. Has the processor defined and implemented a plan to raise awareness of the GDPR among employees?
2.2. Has the processor made its employees who have access to the data entrusted to it by its clients sign a confidentiality agreement, possibly in the employment contract?
2.3. Has the processor established a charter for the use of IT resources?
3. Physical access control to office areas.
3.1. Has the processor taken appropriate state-of-the-art technical and organisational measures to control access to its offices?
3.2. Select the measures taken to control access to the premises
3.3. Has the processor taken appropriate state-of-the-art technical and organisational measures to control access to the facilities where personal data are processed, in particular to verify authorisation?
3.4. Select the measures taken to control access to the facilities where personal data are processed, in particular to verify authorization
4. Logical access control to IT systems
4.1. Has the processor taken the technical and organisational measures for user identification and authentication to limit access to computer systems to only those persons concerned by the use of personal data for the service entrusted?
4.2. Select identification and authentication measures
5. Hosting and storage of personal data
5.1. Where are the data outsourced by the controller hosted?
5.2. Identify the host(s) where the data entrusted by the controller are stored
5.3. Are the hosting provider(s) ISO 27001 certified?
5.4. Is the processor ISO 27001 certified?
5.5. Has the processor defined and implemented an internal data retention policy in line with the requirements of the GDPR?
5.6. Does the processor delete or return personal data in accordance with the documented instructions received from the controller?
5.7. Unless expressly authorised in the contract, is the data entrusted by the controller to the processor for processing hosted and operated within the EU/EEA or in an appropriate country?
5.8. How are data transfers outside the EU/EEA or to an inadequate country governed?
5.9. What are the measures to protect IT infrastructures?
6. Data security
6.1. Does the processor have a security incident management procedure in place?
6.2. Does the processor take measures to prevent loss, alteration or unauthorized disclosure during electronic transfer, data transport, transmission control, communication or storage of data on data carriers (manual or electronic), etc., and thus control the risks of unauthorized disclosure?
6.3. Describe the measures in place
6.4. Does the processor regularly evaluate the technical and organizational measures to control access to personal data (e.g. penetration testing)?
6.5. Does the processor have a business continuity plan (BCP) with data replication to a backup site?
6.6. Does the processor have a backup plan in place?
7. Compliance with implementation of processing activities
7.1. Does the processor have measures in place for subsequent verification of data entry, modification or deletion, and of the person who carried it out (logging of access and reporting)?
7.2. Does the processor regularly inform its Client of the proper execution of the Contract for the services entrusted to it (compliance with the documented instructions)?
7.3. Does the processor comply with the principles of isolation of processing for different purposes and has it put in place appropriate arrangements?
8. Subsequent subcontracting
8.1. Is the use of subsequent subcontracting part of the contract with the processor?
8.2. Does the contract provide for the controller to validate the choice of subsequent processors?
8.3. Is the relationship with subsequent processors covered by a contract with the processor?
8.4. Do these contracts take into account the GDPR requirements?
8.5. Are any transfers of data outside the EU by sub-processors subject to standard clauses or other provisions laid down by the supervisory authority?
8.6. Has the processor ensured that subsequent processors have taken organizational and technical measures to ensure sufficient guarantees for the protection of personal data?
Created at: 10/4/2021 9:46:29 PM
Updated on: 10/4/2021 9:48:13 PM
License: © Creative commons :
Attribution / Pas d'utilisation commerciale
Attribution / Pas d'utilisation commerciale