RGPD and LOPDGDD compliance diagnosis questionnaire

Questionnaire 1. General

1. Company name (commercial name in the case of a group of companies):

2. Are you a group of companies?
YesNo

3. In case you are a group, how many companies make up the group?

4. Briefly describe your general activity:

5. Your business is:
B2B (targeting other companies)B2C (targeting the end customer)Both

6. Do you collect customer information via online tools such as Web or App? If so, briefly describe the system.



7. Indicate the URL address of your web page(s):



8. Do you carry out any kind of e-commerce? Understood as any type of online contracting/sale with payment included.
YesNo


9. If yes to the previous question, indicate URL and briefly describe what it consists of:



10. Number of employees under the responsibility of the company/group of companies:



11. Indicate the different types of work centres you have:
OfficeWarehousePhysical points of saleOthers

12. Do you carry out any type of activity outside the EU?
YesNo


13. Indicate what type of data you process:
CustomersSuppliersEmployeesSelection of personnelVideo surveillanceApp / Web UsersFinancial data / prevention of money launderingSpecial categories (Ethnic or racial background; Political opinions; Religious or philosophical views; Trade union membership; Genetic data; Biometric data; Data relating to health; Data relating to life or sexual orientation.)

14. Data Protection Officer (DPO)
—Please choose an option—I have a DPO duly registered with the AEPD.I do not have a DPO because I am not legally required to.I don't know if I need to have a DPO.

15. Do you carry out periodic compliance checks with the GDPR and the LOPDGDD?
—Please choose an option—I do not carry them out.I carry out a periodic internal audit.I carry out a periodic audit with an external party.I have annual certification.

If you have taken out any type of insurance related to data protection or cybersecurity, indicate which one here:


 

Before sending, tell us your information:

(*) Required fields

Acceptance of the Privacy Policy.

Enviar

Δ

Questionnaire 2. Legal

17. Do you have Activity Processing Records (APR’s)?
YesNo

18. At the time of collecting personal data, do you have first layer information tools implemented?
NOTE: The first layer must contain the basic information on Data Protection and must be provided in the same format in which the data is collected. For example, an information clause in a form indicating the name of the person in charge, the purpose of the collection or the rights of the person providing the data.
YesNo

19. At the time of collecting personal data, do you have second layer information tools implemented?
NOTE: The second layer must complete the information of the first layer, providing greater expansion of text and much more detail. For example, instead of just giving the name of the data controller, also add the physical address and contact details of the Data Protection Officer (DPO), if applicable.
YesNo

20. If you have this information available online, indicate the URL:

21. Once the information is requested: Do you have proof that you have informed or requested the consent of the affected party (the latter only when necessary)?
YesNo

22. Do your employees sign a specific clause regarding data protection?
YesNo

23. Do your employees sign a confidentiality clause?
YesNo

24. Do you provide your employees with any type of guide or internal regulation regarding the use of data, systems or processing of confidential information?
YesNo

25. Do you provide training on Data Protection to your employees?
YesNo

26. When you subcontract to external companies any type of activity that implies access to data, do you require them to sign a Processing Manager contract in advance?
YesNoThey sign a contract, but I do not know if it includes what is necessary in terms of data protection

27. Apart from subcontracting situations, is there any transfer of personal data for which there is liability to third parties?
YesNo

28. If yes to the previous point, indicate how this transfer is authorised:
—Please choose an option—I can transfer the data because I ask for the consent of those affected beforehand.I transfer data because I am required to by Law (For example, Public Administration).I do not know.None of the above.

29. Indicate if you carry out any of the following marketing activities:
I send commercial communications by email, WhatsApp, SMS or something similarAdvertising that includes forms for collecting leadsI have a database of potential customers for communications, calls or visitsI interact with users on social networksI organise eventsI attend events such as fairs and/or conferences and collect contact informationI publish images on Social Networks or personal media of the events, fairs or conferences in which we participate

30. Have you ever carried out a Data Protection Impact Assessment (DPIA)?
YesNoI do not know what a DPIA is

Before sending, tell us your information:

(*) Required fields

Acceptance of the provacy policy.

Send

Δ

Questionnaire 3. Organisational

31. Do you have a protocol to address the rights of access, rectification, opposition, deletion (“right to be forgotten”), processing limitation, portability and not being subject to individualised decisions?
YesNo

32. Do you have a specific email address for managing the rights of those affected by data processing?
YesNo

33. If yes to the previous question, indicate the address and who receives and manages the messages received by it.

34. If you have video-surveillance cameras, do you have information signs visible to those affected and do they contain the necessary information in accordance with the GDPR and the LOPDGDD?
YesNoI have signs, but I do not know if they have the necessary information and/or if they are located correctly.

35. Indicate what mechanisms you have in place in terms of controlling access to offices:
Door closed from the outside that must be opened by an employee from the inside.Reception.Record of visits.Card access.None of the above.

36. The record of the employee's working day is carried out…
Manually.Through an app/website.Through entry and exit monitoring without the use of biometric data.Through entry and exit monitoring with the use of biometric data.None of the above.

37. Do any record any type of phone calls?
YesNo

38. Shared printers, indicate how they are managed:
They are in common areas and anyone can print from their workstation.They are organised by Departments or workspaces and only certain employees can print on them.They are protected by a password system so that each employee must identify himself/herself in order to print.None of the above.

39. Are the Departments or personnel that process the most sensitive data sufficiently isolated from the rest so as to make it difficult for third parties to access the information?
YesNo

40. Regarding the use of paper, indicate if you use any of the following policies:
Paper policy 0.People are instructed that no confidential paper should be left on their desk or visible at the end of the workday.There are filing cabinets organised by departments and protected by key or similar mechanism.There are filing cabinets organised by departments and protected with a key or similar mechanism.None of the above.

41. Any documentation that includes information is destroyed…
It is not destroyed, it is thrown in the trash.We have paper shredders.We have containers that are collected by an external company for their destruction.None of the above.

42. Employee screens have one of the following protection mechanisms:
Strategic location so that it is not viewed by unauthorised individuals.Screen/session lock with password after a period of inactivity.Screen/session lock without password after a period of inactivity.None of the above.

Before sending, tell us your information:

(*) Required fields

Acceptation of the privacy policy.

Send

Δ

Questionnaire 4. Technical

NOTE: This questionnaire has been prepared by DEISOLTEC, S.L., our partner in Security, and with whom we can share the answers to the questionnaire so that they can collaborate in carrying out a totally professional diagnosis. By submitting the form, you agree to allow us to share our data with DEISOLTEC, S.L. for the sole purpose of making the aforementioned diagnosis.

43. Type of correspondence used (POP, SMTP, Office 365, Google, Exchange?)

44. Do you have an anti-spam system?
YesNo

45. If so, which one?

Servers and access to information

46. Do you have servers in the office or in the Cloud?
In the officeIn the CloudHybridOthers

47. Are permissions for folder access managed based on the user profile?
YesNo

48. Is access to files recorded and defined according to the profile?
YesNo

49. Do some employees telecommute full-time or part-time?
YesNo

50. If the answer to the previous question is yes, have security systems similar to those in the office been implemented by the company for telecommuting?
YesNo

51. Do you keep the systems up-to-date (servers, apps, user equipment, firewall, internet, …) and do you keep track of updates?
YesNo

Security copies (backups)

52. Do you perform daily local backups of files and application servers?
YesNo

53. Do you perform remote backups of files and application servers?
YesNo

54. Are these backups checked against recurring restorations?
YesNo

55. Do you have a DRS (Disaster and Recovery Services) system or disaster recovery plan in place?
YesNo

56. Do you back up mailboxes?
YesNo

User equipment

57. Do they have encrypted equipment?
YesNo

58. Do you have corporate antivirus?
YesNo

59. If you have antivirus, which one is it?

60. Are employees regularly trained on security?
YesNo

61. Are you protected against phishing or identity theft?
YesNo

Before sending, tell us your information:

(*) Required fields

Acceptance of the policy privacy.

Send

Δ