Product: GDPR-sovelluskirjasto

GEN-1-3.1 Is there an age limit for users in the service?

GEN-1-5.1 Country of manufacture/home country of the service provider

GEN-1-6.1 ISO certifications

GEN-1-7.1 Is there a mobile app for the service?

GEN-1-8.1 License type

GEN-1-9.1 Is virtualization possible?

GEN-2-1.1 Service-specific Privacy Notice (if any)

GEN-2-2.1 Data security description of the service (if any)

GEN-2-3.1 Contact information of the data protection officer

GEN-2-4.1 Are there advertisements or links to commercial services on the platform?

GEN-2-5.1 Does the service use cookies for which users' consent is asked?

UMA-1-1.1 Is the service used with personal usernames?

UMA-1-2.1 Are there at least two user levels in the user management of the service: administrator and end user?

UMA-1-3.1 Can access rights be limited according to the employees' job duties, taking into account the rights of different user groups?

UMA-1-4.1 What options does the service have to integrate user management into the organization's centralized user registry and single sign-on (SSO)?

UMA-1-5.1 Is it possible to log in with usernames of other service providers?

UMA-1-6.1 Can multi-factor authentication (MFA) be used for logging in?

UMA-1-7.1 Is strong user authentication possible?

UMA-1-8.1 Is it possible for the service to have guest users or non-logged-in users from outside the customer organization?

UMA-2-1.1 Are comprehensive log data about the activities of all logged-in users saved?

UMA-2-2.1 Is every access to personal data saved in a log?

UMA-2-3.1 Are the service logs protected from unauthorized viewing and deletion?

UMA-2-4.1 How long are log data retained, and how are they deleted?

TDP-1-1.1 What kind of integrations (interfaces) are involved in the system and how are they protected from outsiders?

TDP-1-2.1 How are the transfers of personal data through interfaces to sub-processors and possible disclosures to other parties logged?

TDP-2-1.1 Does all personal data processing in the service take place in such a way that the network connection is encrypted and the user or the parties to the data transfer are verified?

TDP-2-2.1 Is it possible to use the service so that all personal data is stored only in encrypted form?

TDP-2-3.1 Has the service's security taken into account independent remote access?

TDP-3-1.1 Is the data content of the service backed up at least once a day and is it possible to restore the backup quickly if necessary?

TDP-3-2.1 Is the backup restoration process documented and tested?

TDP-4-2.1 Can multi-factor authentication (MFA) be required on all users at login?

TDP-5-1.1 Are security updates for software components related to the service installed regularly without any delay?

TDP-5-2.1 Has data security been audited by an external party? If so, by whom?

TDP-5-3.1 Are regular data security and vulnerability tests performed on the service?

TDP-5-5.1 How have the GDPR requirements, risk-based approach and data protection by default, been taken into account in the system design and its functions?

TDP-5-6.1 Does the service provider have procedures for detecting, reporting, and investigating data breaches?

DPR-1-1.1 What are the purposes of processing personal data?

DPR-1-2.1 What role does the service provider give itself in terms of data security?

DPR-1-3.1 Do end users need to give consent for the processing of personal data related to the service?

DPR-1-4.1 Is it possible to make the name of the client organization and a link to its own privacy notice visible to users in the service?

DPR-1-5.1 Does the service provider have access to personal data stored by the client organization?

DPR-1-6.1 Does use of the service generate a register of which the service provider is a joint controller with the client organization?

DPR-1-8.1 Does the service provider have an up-to-date list of personal data sub-processors, including each sub-processor's name, location, processing purpose, and any transfer basis outside the EU/EEA?

DPR-1-9.1 Link to the list of sub-processors (if any)

DPR-1-10.1 Does the service provider or any of its sub-processors process personal data outside the EU/EEA?

DPR-1-11.1 If personal data is processed outside the EU/EEA area, on what grounds is personal data transferred?

DPR-1-12.2 Can personal data be transferred to third countries that are not considered safe?

DPR-1-13.1 In which countries are the service provider's servers located?

DPR-2-1.1 What personal data does the service provider process?

DPR-2-2.1 Is the service also intended for processing special personal data (e.g. health data)?

DPR-2-3.1 Can the required and optional fields related to users be defined by the administrator?

DPR-2-4.1 Does the service provider provide users with comprehensive information about the processing of personal data in the service?

DPR-2-6.1 What procedures are in place to ensure that data is not used for other purposes?

DPR-2-7.1 Does the service have a function for pseudonymizing personal data?

DPR-2-8.1 Can users be asked for separate consents for the processing of certain personal data (e.g., personal identification number or special personal data)?

DPR-2-9.1 Is data processed on a large scale in the service?

DPR-2-10.1 Can the service's functions involve profiling, scoring, or evaluating individuals?

DPR-2-11.1 Can the service involve the processing of location data?

DPR-2-12.1 Can the service define the retention periods for personal data or the criteria for determining them?

DPR-2-13.1 Can users' personal data be anonymized instead of deleted?

DPR-3-3.1 Is the scope and duration of personal data processing proportional to the intended benefits?

DPR-4-2.1 Can users see all the data stored about them?

DPR-4-3.1 Can users download or transfer the data they have stored to another service, or import data from another system?

DPR-4-4.1 How and when are personal data deleted?

DPR-4-5.1 If a data subject exercises their right to restrict the processing of their personal data, what technical means are used to ensure the implementation of the restriction?

DPR-5-1.1 How is the accuracy of the processed personal data ensured?

DPR-6-1.1 Are automated decisions made in the service, and if so, on what basis?

DPR-6-2.1 How are data subjects informed about automated decision-making?

DPR-6-3.1 How are the conclusions related to the data subject that are based on automated decision-making described to them?

DPA-1-1.1 Is it possible to enter into a data processing agreement (DPA) with the service provider?

DPA-1-2.1 Link to standard template for a DPA agreement (if available)

DPA-1-3.1 Are the personal data to be processed defined in the DPA (Data Processing Agreement)?

DPA-1-4.1 Are the purposes of personal data processing defined in the DPA (Data Processing Agreement)?

DPA-1-5.1 Can instructions be provided in conjunction with the DPA (Data Processing Agreement) that the service provider must take into account when processing personal data?

DPA-1-6.1 Does the DPA (Data Processing Agreement) stipulate that the service provider ensures confidentiality obligations for its employees?

DPA-1-7.1 Does the DPA (Data Processing Agreement) stipulate that the service provider allows for monitoring and auditing by the data controller?

DPA-1-8.1 Does the service provider have a designated contact person for data protection issues?

DPA-1-9.1 Is data deletion defined in the DPA (Data Processing Agreement)?

DPA-1-10.1 Does the service provider use users' personal data for purposes other than the functions and maintenance of the service?

DPA-2-1.1 Is compliance with the EU General Data Protection Regulation (GDPR) and the implementation of adequate safeguards ensured in the DPA (Data Processing Agreement) in situations where sub-processors are used for personal data processing?

DPA-2-2.1 Sub-processors in accordance with the DPA (Data Processing Agreement) or a link to the list of sub-processors (if available).

DPA-2-3.1 Does the service provider comply with the requirements of the General Data Protection Regulation (GDPR) regarding changes to sub-processors?

DPA-3-1.1 Does the service provider commit to promptly notifying of any data breaches?

DPA-3-2.1 Does the service provider have a procedure mentioned in the contract for reporting data breaches?

DPA-3-3.1 Does the service provider commit to promptly fulfilling requests related to personal data?

DPA-4-1.1 Does the processor or any of its sub-processors process personal data outside the EU/EEA?

DPA-4-2.1 If personal data is processed outside the EU/EEA, on what basis are the data transfers made?

DPA-4-3.1 If the EU Commission's Standard Contractual Clauses (SCC) are used as the grounds for the transfer of personal data, which standard clauses are they?

DPA-4-4.1 Can personal data be disclosed to the authorities of a third country?

DPA-4-5.1 Does the service provider have documentation to assist with the transfer impact assessment (TIA) when data is transferred outside the EU/EEA?

DPA-4-6.1 If data is transferred outside the EU/EEA area, what additional protection measures are used?