Questionnaire on the implementation of the GDPR on 25 May 2018

based on the Bavarian Data Protection Authority (BayLDA) audit questionnaire / Translated by Classmethod (without guaranty)

I.               Structure and responsibility in the company 

1.  Is there a corporate awareness that data privacy is management top priority, for example through the existence of
   • a data privacy policy
   • description of data privacy goals
   • regulation of responsibilities
   • awareness about data privacy risks
   • transparency about conflicting goals (e.g., between marketing and legal department)
2.  Does your company have a company data protection officer?
   • if not, why not?
   • if so, is it clear when and by whom he has to be involved?
   • if yes, he is already notified to the competent supervisory authority according to gem. Art. 37 (8) GDPR?

II.             Overview of processing 

• do you have a list of your processing activities pursuant to Art. 30 DS-GVO
• if not, why not? Is this documented?
• how do you ensure that data protection concerns are taken into account when starting or changing a process in your company (i.e. Privacy by Design Art. 25 DS-GVO)?

III.           Integration of external providers

• do you have externals involved in the execution of your work (processor)?
• if so, do you have an overview of the processors?
• if so, you have the necessary agreements with all your contract processors with the minimum content according to Art. 28 (3) DS-GVO completed?

IV.           Transparency, information requirements and securing of data subject rights

1. Have you adapted your texts on the data protection information of the data subjects involved in the data collection to the requirements of Art. 13 or 14 DS-GVO? If not, why not?
2. In particular, have you included the following information, if not previously included:
   • Contract details of the data protection officer
   • Legal basis (s) for the processing of personal data
   • If you are processing with their legitimate interests or legitimate interests of a third party: the legitimate interests
   • If you submit data to third countries: the appropriate warranties you use to protect the data (e.g., standard data protection clauses)
   • duration of storage; if not possible, the criteria for setting this duration
   • Existence of the rights of data subjects to information, rectification, erasure, restriction of processing, opposition based on the particular situation of a data subject and on data portability
   • If processing is based on consent: the right to revoke consent at any time
   • Right to complain to the supervisory authority
   • Whether the provision of the data is required by law or by contract or for a contract conclusion is necessary
   • When relevant: making automated decision making including profiling and – in this case – information on the logic involved and the scope and sought impact of processing on the data subject
   • If you did not collect the data from the data subject: from which source came the person data and, if applicable, whether they came from publicly available sources
   • Have you adapted your advertising consent form for customers, interested parties, etc., to the requirements of Art. 7 and 13 GDPR (in particular: extended information requirements, including the revocability of consent at any time)?
3. Have you set up a procedure in order to be able to respond promptly and completely to applications by data subjects for information on their own data pursuant to Art. 15 DS-GVO (Article 12 (1) GDPR)?
4. Have you set up procedures in order to be able to fulfill requests for data portability of data subjects (Article 20 GDPR)?

V.             Accountability, dealing with risks

1. Is there any information for each processing activity that can be used to prove the lawfulness of your processing, e. with regard to purposes, categories of personal data, recipients and / or deletion periods (Article 5 (2) GDPR)?  Have you checked whether the consents on which you base your processing still meet the requirements of Articles 7 and / or 8 GDPR? Can you prove the existence of the consent?
2. Have you installed a data protection management system in order to ensure and prove that your processing takes place in accordance with the GDPR (Article 24 (1) GDPR)?
3. Have you adapted your existing processes for checking the safety of processing to the new requirements of Art. 32 DS-GVO?  Do you have existing checklists in particular for the selection of technical and organizational Replacing measures with a risk-based approach on the basis of the nature, scope, circumstances and purposes of the processing and the different likelihood and severity of risks to rights and freedoms?  Has a suitable management system been implemented for the regular review, evaluation and improvement of security measures?  Have safeguards such as pseudonymisation and the use of cryptographic procedures to protect against unauthorized or unlawful processing been implemented, both with regard to external and internal “attackers”?
4. Have you prepared for the possible need to carry out a privacy impact assessment?  Have you introduced a suitable method for determining whether a privacy impact assessment should be carried out in your organization?  Have you implemented a suitable risk method for conducting a privacy impact assessment in your company?  Have you decided on a process of privacy impact assessment; have you ever tested this?

VI.           Data security breaches

Do you have ensured that the reporting of personal data breaches within 72 hours to the supervisory authority is possible pursuant to Art. 33 GDPR?In particular, have you ensured that privacy violations can be detected in your company.  Have you implemented a suitable method for identifying a risk or high risk in your company? Have you set up a process how to deal with potential injuries internally? Have you defined who, when and how to communicate with the Data Protection Inspectorate