Javascript is required
logo-dastralogo-dastra

Audit modelDPO annual activity report

DPO
The annual review enables the DPO to report any difficulties to the data controller, to obtain resources, and to trace his actions over the years.

1. Introduction

1. Preamble

1.1. Write a preamble, explaining the purpose of the annual review

2. presentation-of-the-organization

2.1. Presentation of the organization

3. Presentation of the Data Protection Officer (DPO)

3.1. What is the date of designation of the DPO?
3.2. Did the controller have an obligation to designate a DPO?
3.3. What is the status of the DPO?
3.4. What is the type of designation of the DPO?
3.5. Detail the DPO's skills and training

Remind if he/she is a professional, his/her experience, diplomas, etc.

3.6. What means does the DPO have at his disposal to carry out his function?

This concerns the dedicated team, the budget, the relays (local correspondents) set up in the organization, etc.

3.7. Detail the relationship between the DPO and the data controller

This concerns the type of exchanges, the frequency of these exchanges, the means put in place to guarantee the independence and freedom of action of the DPO, etc.

4. Internal procedures implemented

4.1. Describe the internal procedures implemented

5. highlights of the year

5.1. Indicate the highlights of the year

Indicate the highlight(s) of the year that do not fall under specific paragraphs, for example :

  • Number of dossiers submitted for authorization;

  • Adherence to the Safe Harbor Agreement for data flows to the USA;

  • Implementation of a particular dossier such as biometrics; 

  • New internal organization;

  • Sanctions that hit a competitor...

2. List of personal data processing activities

1. The record of data processing activities (ROPA)

1.1. Is the organization concerned by the record of data processing activity?
1.2. Describe the preliminary work of establishing the record of processing activities
1.3. How many processing activities does this record of processing activities include?
1.4. What is the quantity of processing activities created, modified or deleted during the period covered by the review?
1.5. Have all the files been filed with the local data protection authority?

2. Evolution of the data processing activities

2.1. describe-new-processing-activities-of-organism

Even simple Excel databases if the data entered and the purpose justify it, or if they fall under CNIL exemptions or a simplified standard.

2.2. Describe modified or deleted processing activities
2.3. Describe processing activities subject to authorization

3. Objectives for the coming year

3.1. Describe objectives for the coming year

3. Spreading the privacy culture

1. Privacy watch

1.1. Describe the privacy watch carried out

2. Training and awareness-raising

2.1. How many internal and external training courses have been held?
2.2. Are there any upcoming training or awareness-raising events?
2.3. Has there been any feedback of information important to the life of the company as a result of the newly acquired knowledge? If so, please provide details
2.4. Which populations are targeted by the training? (HR, CIO, Lawyers, operational staff, trainees in the case of external training)

3. Broadcasting tools

3.1. Describe broadcast tools

4. consulting activity

1. Intervention(s) by the DPO

1.1. Trace the consultations carried out by the DPO on the formalities to be completed during the year
1.2. Has management followed the DPO's recommendations?

This question requires detailed indication of the follow-up rate of recommendations, as well as details for each recommendation.

1.3. Were any mediations necessary during the year? If so, on what subject?

2. Activities requiring expertise

2.1. How are sensitive files handled?

Concerning highly personal or sensitive data.

2.2. What are the criteria and modalities for the takeover of sensitive data within the organization?
2.3. do cross-border flows exist?
2.4. Are there file interconnections?
2.5. Is there automated decision making, including profiling?

5. Responses to internal and external requests

1. right of access

1.1. Were there any data access requests during the year?
1.2. What is the number of requests for right of access to personal data?
1.3. Were the requests for access rights processed within the legal deadline?
1.4. Are any requests being processed?
1.5. Have (reasonable) charges been made to the data subject for a request for an additional copy of the data?
1.6. Is there remote access to a (secure) system allowing the data subject direct access to his/her data?

2. Right to modify/delete personal data

2.1. Were there any requests for data rectification during the year?
2.2. Were there any requests for data erasure during the year?
2.3. What is the number of data rectification requests?
2.4. What is the number of data deletion requests?
2.5. Have the rectification requests been processed within the legal deadline?
2.6. Have deletion requests been processed within the legal deadline?
2.7. Are any rectification requests being processed?
2.8. Are any deletion requests being processed?
2.9. Have the rectification(s) been notified to the recipients to whom the data was communicated?
2.10. Have any deletion requests been refused? If so, for what reason(s)?

3. Right to processing activity limitation

3.1. Were there any requests for processing activity limitation during the year?
3.2. What is the number of requests for the right to restrict processing?
3.3. For what reason(s) has the organization limited data processing (GDPR, art. 18, §1)
3.4. Have requests for the right to restrict processing been processed within the legal time limit?
3.5. Are any requests being processed?
3.6. Have any limitation requests been refused? If so, for what reason(s)?
3.7. Have the data recipients been notified of the request to restrict processing?
3.8. Has the data processing activity in question been resumed in a normal manner?

4. Right to portability

4.1. Were there any requests for the right to portability during the year?
4.2. What is the number of requests for the right to portability?
4.3. Have the requests for the right to portability been processed within the legal deadline?
4.4. Are any requests being processed?
4.5. Have any requests for the right to portability been refused? If so, for what reason(s)?

5. Opposition right

5.1. Were there any right of objection requests during the year?
5.2. What is the number of requests for the right to object?
5.3. Were the requests for the right to object processed within the legal deadline?
5.4. Are any requests being processed?
5.5. Have any requests for the right to object been refused? If so, for what reason(s)?

6. Fate of data after death

6.1. Are there any directives (general or specific) issued by the person concerned?
6.2. Have the heirs exercised the rights guaranteed by law after the death of the person concerned?
6.3. Has the organization made the heirs aware of the data information of the person concerned?
6.4. Is there a mechanism allowing data subjects to give instructions on the fate of their data after death?

7. Complaints and claims

7.1. Were there any complaints and claims during the year?

6. Audit and control

1. Data Protection Impact Assessment (DPIA)

1.1. Has a DPIA been established?
1.2. What are the types of processing operations implemented by the organization, requiring an AIPD?

According to the list(s) adopted by the local data protection authorities

1.3. Have any processing operations implemented before the GDPR came into force been subject to a DPIA?
1.4. In the case where a DPIA has been established, are there any points that need to be reviewed or clarified?
1.5. Has the local data protection authority been consulted for the DPIA?
1.6. Has the data protection impact assessment (DPIA) been published?

2. Control

2.1. Have security measures been taken to ensure data integrity and availability? If so, which ones?
2.2. Is there evidence of implementation of secure development practices?
2.3. Has the organization anonymized the data?
2.4. Was there one or more data breaches during the year?
2.5. In the event of a data breach(s), have the persons concerned been informed within the legal time limit?

3. Action plan for the coming year

3.1. Is there an action plan for the coming year? Detail.

7. External relations

1. Data protection authorities

1.1. Have controls been carried out by the local data protection authorities?
1.2. Have the local data protection authorities been notified (data subjects, DPO, etc.)?
1.3. Have local data protection authorities been asked for advice?
1.4. Have local data protection authorities been consulted under Article 36 of the GDPR?
1.5. Have local data protection authorities been notified of one or more data breaches within the legal timeframe?
1.6. Have the workshops proposed by the data protection authorities been followed by the organization / the DPO?

2. Delegation of processing

2.1. Does the organization use one or more subcontractors?
2.2. Does the subcontractor present sufficient guarantees?
2.3. Does the organization ensure that the subcontractor complies with the GDPR?
2.4. Is the contract between the organization and the subcontractor still valid?

3. Other relationships

3.1. Are there any other external relationships? Detail.

8. Estimated workload

1. Time spent (quantitative)

1.1. Detail time spent on DPO work.

2. Workload (qualitative)

2.1. Detail the workload on the qualitative level.

3. Budget and means

3.1. Detail the budget requirements and the means necessary for the successful completion of the DPO's work.
Created at:11/19/2023

Updated on :07/29/2024

License : © Creative commons :
Attribution / Pas d'utilisation commerciale
CC-BY-NC AttributionPas d'utilisation commerciale

author :
Paul-Emmanuel Bidault
Paul-Emmanuel Bidault



Access all our audit templates

Try Dastra now to access all of our audit templates that you can customize for your organization.It's free and there's no obligation for the first 30 days (no credit card required)

Build my audit
Subscribe to our newsletter

We will send you a few emails to keep you informed of our news and what's new in our solution

* You will always be able to unsubscribe on each newsletter. Learn more.