Process description for data protection inspections / privacy inspections / audits.
In a first step, the DPA gathers information and statements by means of a questionnaire.
In addition, the DPA regularly requests the following information in electronic form or on paper:
- Records of processing activities (GDPR Art. 30 (4));
- Information provided to data subjects (GDPR Art. 13 and 14);
- Templates of consent forms (GDPR Art. 7);
- Information about the data protection training of employees;
- Contracts with processors (GDPR Art. 28 (3)) or other current contracts with external parties that handle or can access personal data, such as hardware and software partners, software vendors and application service providers, in which the applicable data protection obligations and controls must be spelled out;
- Documentation of personal data breaches (GDPR Art. 33 (5));
- Data protection impact assessments (GDPR Art. 35).
In order to assess compliance with the GDPR and the effectiveness of the controls, the DPA regularly asks for
- Organisational structure
- Privacy policy (data protection guideline), security policy, emergency and business continuity planning
- Review and audit reports, especially those covering the IT systems in scope
- Basic documentation of the IT infrastructure (hardware and software in use)
- Access control concept, especially the access rights of administrators, external staff, sub-processors and other external parties
- Policies and instructions to users on the use of IT
- Non-disclosure and confidentiality agreements and other relevant instructions/agreements
- Controls and arrangements regarding retention periods and the deletion of personal data (deletion concept)