Appendix

E. Checklist for corporate data protection

| Technical Measures | |
| --- | --- |
| Are there adequate technical safeguards against cyber intrusion? | □ (How) |
| Are there adequate technical measures to ensure the integrity and confidentiality of stored personal data? | □ |
| Are there adequate technical measures to ensure the integrity and confidentiality of personal data during data processing? | □ |
| Are there adequate technical measures to ensure the integrity and confidentiality of personal data when transferring data between systems or organizations? | □ |
| Are there adequate technical measures to ensure the security of disposed documents that contain personal data? | □ |
| Are surveillance systems used in a proper way? | □ |
| Are tracking technologies used in a proper way? | □ |
| Are portable data storage devices used in a proper way? | □ |

| Organizational Measures | |
| --- | --- |
| Are there adequate authentication procedures to verify and validate the accuracy of the identity of the data subjects as well as their personal data? | □ |
| Is there a privacy policy? | □ |
| Does the privacy policy comply with the requirements of the data protection regulation? | □ |
| Is there adequate control of employees' access to personal data? | □ |
| Are there adequate resources to support corporate data protection activities? | □ |
| Are there digital forgetting mechanisms which stipulate the data retention period and the data forgetting procedures? | □ |
| Is there adequate training of employees regarding compliance with internal guidelines as well as national regulations for data protection? | □ |
| Is there a data protection impact assessment before data processing, in particular when using new technologies? | □ |
| Are there regular and extensive checks on the effectiveness of the measures applied to ensure data security? | □ |
| Is there adequate investigation of the data security of an organization before entering into an agreement or contract with it? | □ |
| Is personal data, in particular sensitive data, collected only to the extent necessary in relation to the processing purposes? | □ |
| Is personal data processed in line with the purpose of its original collection? | □ |
| Are all data handling activities based on consent? | □ |
| Are there proper procedures to obtain informed consent? | □ |
| Are there adequate procedures to fulfil the data rights of the data subjects? | □ |
| Is there adequate cooperation with the data protection authority? | □ |