Javascript is required
logo-dastralogo-dastra

Audit modelGDPR compliance assessment of data processing

GDPR
This questionnaire enables you to assess the compliance of your processing with the GDPR.

1. Responsibilities

1.1. Are the responsibilities for data processing clearly defined?
1.2. Indicate the reason for the non-compliance of the data processing
1.3. List the stakeholders responsible for implementing the processing

2. Purposes

2.1. Are all the purposes of the processing legitimate?
2.2. Indicate the reason for the non-compliance
2.3. Is each purpose precisely determined?
2.4. Indicate the reason for the non-compliance
2.5. is each purpose explicit?
2.6. Indicate the reason for the non-compliance

3. legal basis and legitimacy of purpose

3.1. Is a legal basis associated with each purpose of processing?
3.2. Is a legal basis associated with at least one purpose?
3.3. Are the legal bases of the purposes correct?
3.4. Are the legal bases used among the following?
3.5. Is consent freely given?

Consent must not be coerced or influenced. The person must be offered a real choice, without having to suffer negative consequences if they refuse.

3.6. Is consent specific?

A consent must correspond to a single processing operation, for a specific purpose.

3.7. Is consent informed?

For consent to be valid, it must be accompanied by a certain amount of information communicated to the person before they consent.

Beyond the obligations linked to the transparency, the controller should provide the following information to data subjects to obtain their informed consent:

  • the identity of the controller ;

  • the purposes pursued ;

  • the categories of data collected;

  • the existence of a right to withdraw consent ;

  • as appropriate : the fact that the data will be used in the context of individual automated decisions or that they will be the subject of a transfer to a country outside the European Union.

3.8. Is consent unambiguous?

Consent must be given by the data subject by means of a declaration or any other clear positive act. No ambiguity as to the expression of consent may remain.

3.9. Are the interests legitimate?

Interests are presumed legitimate for data processing :  

  • aimed at guaranteeing network and information security,

  • implemented for fraud prevention purposes,

  • necessary for commercial canvassing operations with a company's customers,

  • related to customers or employees within a group of companies for internal administrative management purposes.

In other words, the nature of the interest pursued by an organisation may be presumed if the following 3 conditions are met:

  • the interest is manifestly lawful under the law ; 

  • it is determined in a sufficiently clear and precise manner ;

  • it is real and present for the organisation concerned, and not fictitious.

3.10. Is the source of the legal obligation known?

You can identify the legal text that asks you to perform the data processing.

3.11. Is the public interest mission known?

4. data minimization

4.1. Is the data strictly necessary for processing?
4.2. If not, explain why

5. data sensitivity

5.1. Are all sensitive data processed by the organisation identified?
5.2. If no, explain why
5.3. Are sensitive data processed as part of the operation?

This is information revealing

  • alleged racial or ethnic origin,

  • political opinions,

  • religious or

  • philosophical beliefs or

  • trade union membership,

  • and the processing of genetic data,

  • biometric data for the purpose of uniquely identifying a natural person,

  • data concerning health or

  • data concerning the sex life or sexual orientation of a natural person.  

5.4. Is the legal basis for processing sensitive data correct and justified?
5.5. If no, explain why
5.6. Is/are the purpose(s) of the processing of sensitive data legitimate, specified and explicit?
5.7. If no, explain why

6. Data location

6.1. Is the location of the data known?
6.2. If not, explain why

7. Information to data subjects

7.1. Are the people affected by the processing of their personal data informed?
7.2. Does the information provided to data subjects include the following?
7.3. otherwise-explain-why

8. Data retention

8.1. Are the data retention periods identified?
8.2. Are the retention periods proportionate to the objectives (purposes) of the processing?
8.3. otherwise, explain why

9. Data accuracy

9.1. Are there measures in place to ensure that the data processed is accurate and, if necessary, kept up to date?

10. The exercise of the rights of the data subjects

10.1. Can data subjects easily exercise their rights with regard to their personal data?

11. data recipients

11.1. Are the recipients of the personal data identified?
11.2. Are sub-contractors recipients of personal data?
11.3. Does a contract setting out the requirements of Article 28 of the GDPR govern the relationship with processors?

12. Transfers outside the EU

12.1. Are transfers of personal data outside the European Union identified?
12.2. Is there an appropriate and adequate transfer mechanism for each transfer?

13. Security measures

13.1. Are security measures in place for personal data?
13.2. Are the security measures adequate in relation to the risk of breach for the data subjects?
Created at:11/31/2023
Updated on :07/29/2024
License : © Creative commons :
Attribution / Pas d'utilisation commerciale
CC-BY-NC AttributionPas d'utilisation commerciale
author :
Paul-Emmanuel Bidault
Paul-Emmanuel Bidault
Uses :3
Build my audit

Access all our audit templates

Try Dastra now to access all of our audit templates that you can customize for your organization.It's free and there's no obligation for the first 30 days (no credit card required)

Build my audit
Subscribe to our newsletter

We will send you a few emails to keep you informed of our news and what's new in our solution

* You will always be able to unsubscribe on each newsletter. Learn more.