This domain covers compliance with data protection legislation.
Answer yes if your organisation collects, processes or stores information that relates to an identified or identifiable individual. You need not answer yes if the only personal data you process is that of your own employees for HR requirements. Data collection also includes any identifiable information collected from web cookies.
Please list all countries where personal data controlled or processed by you resides or is transferred to or through. This includes the location of your head office and data centres, as well as locations of sub-processors. For each country listed, please describe what data is stored or transferred and under what circumstances.
Answer yes if you have processes in place to ensure that every cross-border transfer of personal data has the appropriate contractual / legal mechanisms in place, depending on your jurisdiction. For example, this could be an international data transfer agreement, or an adequacy decision. Please describe in the notes section which mechanism is used for which instances of data transfer.
Answer yes if your organisation has received a request from any government or other authority to provide access to personal data. Please provide information about the nature, volume and origin of requests, including how many you complied with in the notes section, or through supporting evidence (e.g. a link to your transparency report or a document upload).
Answer yes if your organisation has a nominated Data Protection Officer (DPO) who undertakes regular compliance checks and leads on continual privacy improvement. Please include in the notes section details about how your DPO monitors compliance with relevant data protection obligations.
Answer yes if your organisation has a Data Protection Policy that has been reviewed in the last year. Please upload your Data Protection Policy (as a PDF file) as evidence.
Answer yes if you document your personal data processing activities. This could be through data flow diagrams or written documentation and should include details of collection, purpose, storage, access, use, sharing, and retention. Please describe how you do this in the notes.
Answer yes if your organisation has documented the legal justification for processing personal data in each instance. The criteria for a valid lawful basis will depend on your jurisdiction.
Answer yes if your organisation conducts a Data Protection Impact Assessment (DPIA) for all processing of personal data that is likely to result in a high risk to individuals. To find out more about Data Protection Impact Assessments, see the Risk Ledger Knowledgebase.
Answer yes if your organisation has processes in place to fulfil the individual data privacy rights that apply in your jurisdiction for every data subject whose personal data you hold. Please describe in the notes how requests from data subjects are received, verified and actioned.
Answer yes if your organisation has a Records Retention Policy that has been reviewed in the last year. Please upload your Records Retention Policy (as a PDF file) as evidence.
Answer yes if your organisation has robust detection, investigation and reporting procedures in place for all personal data breaches. This should include assessing the likely risk to individuals as a result of the breach, informing affected individuals without undue delay, and documenting the facts surrounding each personal data breach in a Breach Log. Please provide details about your personal data breach process in the notes section, and upload any relevant documentation (as a PDF file).
Answer yes if your organisation has a documented process for notifying the relevant Authority for your jurisdiction and all data controllers or other relevant parties when it becomes aware of a security breach involving Personal Data.
Answer yes if your organisation has had a security incident that led to a Personal Data breach in the last 6 months. If you answered yes, please describe the nature of each breach in the notes section and attach a root cause analysis report (as a PDF file) for each listed breach.
Answer yes if your organisation processes personal data on behalf of another organisation where they are the data controller and you are the data processor.
Answer yes if you have processes in place to ensure that new sub-processors are authorised by, or communicated to, the data controller before the new sub-processing takes place. Please attach evidence or describe in the notes how this is ensured.
Answer yes if you have processes or policies which ensure that data is only processed in the way your data controller has instructed, and you hold written instructions from the controller describing this. Please describe in the notes how you obtain these instructions from data controllers and how you ensure data is not processed in any way outside of the documented written instructions.