Processor GDPR Compliance Questionnaire Template
Introduction
Many of the data controllers who collect their subjects' personal data employ data processor organizations, which use the personal data to create useful information for the data controllers. To assess whether these data processing organizations comply with the relevant GDPR statutes and requirements, the data controllers often use a tool called the "processor compliance questionnaire." This questionnaire aims to gather enough information to evaluate the organization's adherence to GDPR obligations, requirements, and rules.
The questionnaire typically focuses on the processing activities that the data processor will perform on the data controller's behalf.
This questionnaire focuses on assessing the data processors' abilities, knowledge, and experience in complying with the GDPR statutes and regulations for keeping the data subjects' personal data safe. The DPO of the data processor is the point of contact (POC) for replying to the questions and providing proof where required.
Once the questionnaires are filled in, the data controller can evaluate the various data processors in a standardized manner and assess their safeguarding abilities.
The questionnaire isn't mandatory. However, it can be utilized in audits (internal or external) to explain why a certain data processor was chosen.
Scope and Purpose
The questionnaire sets forward a series of questions in different areas, all relevant to the GDPR statutes. The data processors are expected to reply to these questions and sometimes provide evidence of their claims. The questionnaire also helps in providing transparency in the process of the data processor selection, ensures accountability, and explains certain processes.
The questionnaire typically focuses on these areas -
1. Data subject rights: Questions about how the processor can assist the data controller in responding to the requests, queries, and questions that the data subjects may have regarding their personal data
2. Sub-processing: If the processor works with other organizations that perform any type of data processing on its behalf, these questions aim at making sure that these sub-processors comply with all the GDPR statutes and that the processor is accountable for all acts performed by the sub-processors. This includes safeguarding personal data.
3. Data Security: These questions focus on the tools and processes used by the processor to make sure that the data subjects' personal data remains protected. This may include questions regarding encryption of the data, response to breaches, notification protocols, and access controls.
4. Data Transfers: The international transfer of personal data is a sensitive topic, especially when it involves a country outside of the EU. These questions focus on the ability of the data processor to comply with the annexes governing such transfers.
5. Records & Documentation: The goal of these questions is to understand the processor's practices and procedures for documenting and recording the outcome of the processing.
The Obligations of the Data Controller
The questionnaire should include the following fields -
1. The names and details of the data processing and data controller organizations.
2. The DPOs of both organizations, who are the focal points for replying to the questionnaire and evaluating the answers.
3. The questions, divided into various topics.
Other Obligations -
1. Use a uniform form for all data processors, thus facilitating comparison between them.
2. Provide proof of certain claims: notarized forms, signed documents, screenshots, etc.
3. Aid in preparing a contract with the chosen data processor.
Examples of Processed Personal Data
Attributes -
1. Name
2. Email / Physical address
3. IP address (assigned by the Internet provider)
4. Personal ID number
5. Number of children
6. Monthly income
Term Definitions
What is a Data Controller?
An organization or person who determines the use of the collected personal data from the data subjects. The data controller owns the collected personal data, decides how it will be processed, and is responsible for safekeeping it.
What is personal data?
Any type of unique data which relates to an individual data subject. This can include such information as name, phone number, email address, ID number, health records, political opinions, IP address, etc.
What is the processing of personal data?
Any act performed on the collected personal data of all the organization's data subjects. This may include such actions as storing the data, analyzing it to extract insights, or deleting it once it is no longer required.
What is a data subject (also known as an end-user)?
Any person who created a unique username on the organization's website, thus giving them the possibility of using that username to perform certain tasks and use features offered on the website.
Who is the DPO?
The Data Protection Officer is the main stakeholder of the organization for all aspects of GDPR compliance. They are responsible for making sure that the GDPR guidelines are adhered to.
What is a data breach?
Any intentional or unintentional security incident that involves sharing personal data with an unauthorized party. Sharing personal data may include viewing, copying, stealing, or altering it.
Key Takeaways / Conclusions
1. The DPO (or their delegate) has the responsibility of writing the questionnaire and maintaining its upkeep.
2. The questionnaire should be easy to fill in, using simple everyday language.
3. The questionnaire should mention whether the data controller or the data processor is within or outside of the European Union's borders.
4. Forms and templates should accompany all open-ended questions in the questionnaire.
5. The respondent to the questionnaire needs to attach evidence documents if the answer is "Yes" to any of the Yes / No questions in the form.