Audit template: Third Party GDPR Assessment (simple)
GDPR
Simple assessment of the measures implemented by a third party to meet GDPR requirements.
1. General
1. GDPR Compliance Policy
1.1. The third party has formalised a Personal Data Protection Policy
1.2. The third party has appointed a Data Protection Officer (DPO)
1.3. The processor keeps a record of processing activities for the services entrusted to it
1.4. The third party has defined and is implementing a plan to raise employee awareness of the GDPR regulations
1.5. The third party has already carried out a compliance audit of the personal data used for the services entrusted to it.
1.6. A risk analysis (a data protection impact assessment, DPIA, as defined in Article 35 of the GDPR) has been carried out on the services entrusted, covering the risks to the personal data processed
1.7. The third party has defined and formalised data protection procedures: exercise of personal rights, data breaches, privacy by design / default, etc.
2. Documentation
2.1. What documents and/or certificates does the third party have that can prove or explain the measures implemented (if applicable)?
2. Security
1. Access to premises, facilities and IT systems
1.1. The processor has taken appropriate state-of-the-art technical and organisational measures to control access to the premises and facilities where personal data is processed, in particular to verify authorisation.
1.2. The third party has taken technical and organisational measures to identify and authenticate users, so that access to IT systems is limited to the persons who need to use personal data for the service entrusted
1.3. The third party has taken appropriate measures to control access management on dedicated platforms/software tools
1.4. The processor regularly assesses the technical and organisational measures designed to control access to personal data (e.g. penetration test)
1.5. The third party has implemented a security incident management procedure
1.6. The third party takes measures to prevent loss, alteration or unauthorised disclosure of personal data during electronic transfer, physical transport, transmission, communication and storage on data media (paper or electronic), and thereby controls the risk of unauthorised disclosure
2. Hosting and storage of personal data
2.1. The processor has taken appropriate steps to protect against the accidental destruction or loss of personal data (principle of availability)
2.2. The processor shall delete or return personal data in accordance with the documented instructions received from the Customer. Failing this, it has defined and implemented an internal data retention policy that complies with the requirements of the GDPR.
2.3. Unless expressly authorised in the contract, the data entrusted by the Customer to the processor for processing is hosted and used within the EU
3. Contract
1. Contract
1.1. Have you signed a contract with the third party?
The relationship between a controller and a processor must be governed by a contract in accordance with Article 28 of the GDPR.
1.2. Does this contract include a section on the protection of personal data?
2. Compliance of implementation of processing activities
2.1. The processor has implemented measures for subsequent verification of the entry, modification or deletion of data, and of the person who carried it out (logging of access and reporting).
2.2. The third party regularly informs its Customer of the proper performance of the Contract for the services entrusted to it (compliance with the documented instructions).
2.3. The processor complies with the principles of isolation of processing for different purposes and has put in place appropriate measures
2.4. The processor has put in place measures to enable data to be processed separately (stored, modified, deleted, transmitted) for different purposes
3. Subsequent subcontracting
3.1. Relationships with any subsequent third parties are governed by a contract
3.2. If yes, these contracts take into account the GDPR requirements
3.3. Any transfers of personal data outside the EU are governed by standard contractual clauses or another of the safeguards provided for in Chapter V of the GDPR.
3.4. The processor has ensured that subsequent processors have taken the organisational and technical measures necessary to provide sufficient guarantees for the protection of personal data.
Created on: 00/13/2024
Updated on: 02/30/2026
Licence: © Creative Commons:
Attribution / Non-commercial
CC-BY-NC