
Data Protection Compliance Check - Outsourcing - Part 2 "Paper" (C2P relationship)


DPCC – Outsourcing - Paper @TommyVandepitte

DATA PROTECTION COMPLIANCE CHECK – OUTSOURCING

FOCUS ON RELATIONSHIP C-P

Summary Explanation of this Document

Outsourcing data processing operations entails specific risks and requirements under the law and under sound risk management.

Therefore a set of three templates is developed to look at outsourcing of data processing operations:

(1) the (internal) organisation of the controller including policies and procedures,

(2) the relationship between the controller and the processor, mainly via the agreement and

(3) the (internal) organisation of the processor.

This template aims to give guidance to a check on a specific relationship between a controller and a processor, thus limiting the scope.

The DPCC contains checklists. They aim to provide some guidance in the check. However, be aware that some (parts of) checklists may not apply and that no checklist ever includes all possible relevant questions. So check with open eyes.

This template addresses that relationship looking at several stages from the controller side

(a) in the selection,

(b) in the agreement and

(c) in (the follow-up of) the performance.

This template should be used in a risk-based fashion. Therefore it is expected that critical, key, and/or high-risk outsourced data processing operations of the controller are submitted to a check with priority.

The result of this check hopefully is a certain comfort in the application of the controller’s procedures and rules with regard to outsourcing data processing operations. If such comfort is not found, it should be determined whether amends can be made, through an amendment to the agreement or the follow-up mechanisms, or a better discipline in applying them. Also, lessons may be learnt with regard to the effectiveness of the controller’s procedures and rules.

@TommyVandepitte



Content

Summary Explanation of this Document

Content

Basics
  DPCC – Outsourcing
  DPCC ID
  Scope

Overview of the Checks

Selection of the processor
  Background Info of the Selection Process
  Documentation
  Criteria
  Decision
  Conclusion

Agreement with the processor
  Conclusion

Follow-up of the processor
  Conclusion

References
  Activity Log
  Documentation received
  Interviews & Questionnaires


Basics

DPCC – Outsourcing

On outsourcing there are a number of checks to be installed. On outsourcing of data processing operations in itself there are, grosso modo, three angles to look at: (1) the (internal) organisation of the controller including policies and procedures, (2) the relationship between the controller and the processor, mainly via the agreement and (3) the (internal) organisation of the processor. The check on the relationship between the controller and the processor is addressed in several stages: in the selection, in the agreement and in (the follow-up of) the performance. This DPCC aims to check and look for possible improvements in these approaches from a data protection perspective. The DPCC contains checklists. They aim to provide some guidance in the check. However, be aware that some (parts of) checklists may not apply and that no checklist ever includes all possible relevant questions. So check with open eyes.

DPCC ID

Planning reference: <reference to the DPCC overall planning, if any>

Prior similar DPCC(s): <reference to similar DPCC, in case a DPCC with similar scope was performed, and is now repeated, for reasons of comparison over time>

Date / Period DPCC: <date on or period in which the DPCC will be performed + as the case may be estimate v actual mandays needed>

(Lead) Checker: <name of the lead checker>

Departments of Controller involved: <departments involved e.g. through requests for documentation, interviews, … most likely the procurement department, legal department, department that is accountable for the data set and should have an outsourcing manager, etc.>

Budget reference: <reference to the budget, if any>

Reporting line: <recipients of the results, departments, functions and/or names>

Scope

The scope is determined based on a target controller-processor relation with a potential further narrowing of the scope to a particular data set and/or data processing operation. During the actual check it is possible that this has to be slightly refocused as the scoping is generally based on some assumptions. Should a refocus be significant, the DPCC may be restarted or continue under a strict focus. In any case such discovery of assumptions being wrong is reported to increase the knowledge of the data processing operations in the organisation.

Parties

Controller(s) in scope: <name controller>

Processor(s) in scope: <name processor>

Data set

Data Subjects: <category(ies) of data subjects, if not sure at start of DPCC: assumption>

Data (Categories): <category(ies) of data, if not sure at start of DPCC: assumption>

Purpose: <purpose(s) for which the data is used, if not sure at start of DPCC: assumption>

Processing by the Processor(s)

Types of processing: <types of processing by the processor with regard to the data set, if not sure at start of DPCC: assumption> <consider: collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction>


Overview of the Checks

Overview of the tests

1 Selection of the processor: The controller that uses the services of the processor has to take into account that the chosen processor offers adequate guarantees on the technical and organizational security measures with regard to the outsourced data processing operations.

2 Agreement with the processor: The controller that uses the services of the processor should have a written agreement with the processor, which must include the compulsory provisions and should, at best, also include the useful provisions.

3 Follow-up of the processor: The controller that uses the services of the processor should have a procedure in place to follow up the performance of the processor (with regard to data protection).


Selection of the processor

Background Info of the Selection Process

When did the selection process take place?

Start date of the selection process: <date>

What is considered the start of the selection process?
- Formal decision to outsource
- Sending out the RFI
- Other: …

End date of the selection process: <date>

What is considered the end of the selection process?
- BAFO of the processor
- Formal decision to outsource to this processor
- Date of execution / signature of the agreement with the processor
- Other: …

Who within the controller (department, function, name) was involved in the selection process?

Background: These people are potential interviewees should the documentation give an insufficiently detailed view on the situation, or even, next to sufficient documentation, to see whether the documentation is complete. Note: It is possible that not all persons involved or all parameters are known. Try to get at least the information on the key people involved.

Task(s): Name / Function / Department
- Lead negotiator: <name> / <function> / <department>
- Representative of business involved: <name> / <function> / <department>
- Legal support: <name> / <function> / <department>
- Decision taker: <name> / <function> / <department>

Documentation

Did the controller that uses the services of the processor document the selection process? Namely that the processor (to be) chosen offers adequate guarantees on the technical and organizational security measures with regard to the data processing operations.

Background / Assumption

A structured selection has several phases like research for potential players (e.g. via a search in publicly available information or a Gartner Magic Quadrant), Request for Information (RFI), Request for Proposal (RFP), Best and Final Offer (BAFO), decision, adjudication, etc.

Even in an unstructured selection process, documents are exchanged back and forth between the parties and some internal memos are drafted to support the decision.

Suggestions


Most likely this documentation, if any, is kept at the procurement or legal department, in the same file as the agreement with the processor. At least they should / could know where it is kept.

Do not accept the mere statement that there is such documentation: in the context of this DPCC, the documentation should be presented for review. Add the documentation received or reviewed to the list in the annex.

General

Data protection is inserted in the documentation of the selection process of a processor
- No.
- Yes.

Approach (applied in the case in scope)

What is the approach or are the approaches to inserting data protection in the selection process?
- Research of the publicly available credentials / references of the candidates.
- Questions to the candidates.
- Documentation presented by the candidates.

Type of questions
- Not applicable.
- Open questions.
- Closed questions (i.e. seeking specific answers or yes/no answers).

Proof provided by the processor
- None.
- Documents/policies.
- Certifications.
- Control results.
- Control / visit by controller.

Per phase: was data protection inserted in a phase (applied in the case in scope)

Included in the basic requirements to participate in the selection process (e.g. general or specific buyer terms of the controller)
- No.
- Yes.

Included in the RFI – sent out by the controller
- No.
- Yes.

Included in the RFI – response by the processor
- No.
- Yes.

Included in the RFP – sent out by the controller
- No.
- Yes.

Included in the RFP – response by the processor
- No.
- Yes.

Included in the BAFO
- No.
- Yes.

Included in the decision to choose the processor
- No.


- Yes.


Criteria

The controller that uses the services of the processor has to take into account that the chosen processor offers adequate guarantees on the technical and organizational security measures with regard to the data processing operations. What criteria were used to that extent?

Suggestions

Look for predetermined criteria (explicitly) being used to select the processor and for criteria that may not have been predetermined, but de facto were used.

Criteria (explicitly or implicitly applied in the case in scope)

For each criterion, record whether it was used (No. / Explicitly. / Implicitly.) and how it was applied to the processor.

Criterion: Is the processor a member of the economic group of the controller?
Used? No. / Explicitly. / Implicitly.
How applied to processor?
- Processor is group member.
- Processor is no group member.

Criterion: Is the processor located in the same country as the controller, in the European Union, in the European Economic Area or in a country ensuring an adequate level of data protection?
Used? No. / Explicitly. / Implicitly.
How applied to processor?
- Processor is located in the same country as the controller.
- Processor is located in the EU.
- Processor is located in the EEA outside the EU.
- Processor is located in a country ensuring an adequate level of data protection outside the EEA.
- Processor is located in a country not ensuring an adequate level of data protection.

Criterion: Is any processing operation by the processor located in a country not ensuring an adequate level of data protection?
Used? No. / Explicitly. / Implicitly.
How applied to processor?
- No, all processing operations are to be performed in the EU.
- No, all processing operations are to be performed in the EEA outside the EU.
- No, all processing operations are to be performed in a country ensuring an adequate level of data protection outside the EEA.
- Yes, some processing operations are to be performed in a country not ensuring an adequate level of data protection: namely <processing operation> in <country>.

Criterion: Is the processor under a duty of confidentiality?
Used? No. / Explicitly. / Implicitly.
How applied to processor?
- Yes, the processor is under a statutory duty of confidentiality which is criminally sanctioned for the processing in scope.
- Yes, the processor is under a statutory duty of confidentiality which is not criminally sanctioned for the processing in scope.
- Yes, the processor is under a deontological duty of confidentiality which is sanctioned by a professional ethics body for the processing in scope.
- Yes, the processor is under a contractual duty of confidentiality.
- No, the processor is not under a duty of confidentiality.

Criterion: What is the processor’s image with regard to data protection (i.e. presentation by the company itself)?
Used? No. / Explicitly. / Implicitly.
How applied to processor?
- No information available.
- The processor did not profile itself with regard to data protection.
- The processor profiled itself with regard to data protection as being compliant.
- The processor profiled itself with regard to data protection as going beyond compliance, striving for a very high level of data protection and/or information security.
- The processor profiled itself with regard to data protection as (bindingly) committing to go beyond compliance, striving for a very high level of data protection and/or information security.

Criterion: What is the processor’s reputation with regard to data protection (i.e. public perception)?
Used? No. / Explicitly. / Implicitly.
How applied to processor?
- No information available.
- The available information does not indicate negative experiences.
- The available information seems to support data protection compliance.

Criterion: What is the processor’s experience in the handling of personal data?
Used? No. / Explicitly. / Implicitly.
How applied to processor?
- No, handling personal data is exceptional for the processor.
- Yes, handling personal data is a service commonly supporting the core business of the processor.
- Yes, handling personal data is the core business of the processor.

Criterion: Does the processor have a Data Protection Officer and/or Information Security Officer in place, that the controller could talk to during the selection?
Used? No. / Explicitly. / Implicitly.
How applied to processor?
- No information available.
- No DPO or ISO appointed.
- A DPO and ISO appointed, but no access to them.
- A DPO and ISO appointed, and fairly free access to them.


Criterion: Does the processor have Binding Corporate Rules for Processors in place, that have been acknowledged by the relevant Data Protection Authorities?
Used? No. / Explicitly. / Implicitly.
How applied to processor?
- No information available.
- No, the processor does not have BCRs in place.
- The processor has BCRs in place and makes them publicly available (e.g. on their website).
- The processor has BCRs in place and spontaneously made them available during the selection process.
- The processor has BCRs in place and made them available during the selection process but only on persistent request.

Criterion: How did the delegation of the processor respond to the interview by the Data Protection Officer and/or Information Security Officer of the controller?
Used? No. / Explicitly. / Implicitly.
How applied to processor?
- The interview did not take place.
- The processor gave the impression of considering data protection a cost factor.
- The processor gave the impression of considering data protection a burden.
- The processor did not give the impression of being engaged in data protection.
- The processor gave the impression of being actively engaged in data protection.
- The processor gave the impression of having a true data protection culture in place.

Criterion: Did the processor provide copies of its most relevant internal policies? Did they show competence and were they reasonable?
Used? No. / Explicitly. / Implicitly.
How applied to processor?
- None that we are aware of.
- No, the processor did not provide such documents even when requested.
- Yes, the processor provided such documents upon request.
- Yes, the processor provided such documents even without being requested.
- Yes, the processor provided such documents, in such a way that some weaknesses in its frameworks could be detected.

Criterion: Did the processor have past incidents with regard to handling data? How were they handled?
Used? No. / Explicitly. / Implicitly.
How applied to processor?
- None that we are aware of.
- Yes. The processor reluctantly admitted to them.
- Yes. The processor was very transparent about how they handled them.

Criterion: Did the processor incur sanctions in relation to handling data?
Used? No. / Explicitly. / Implicitly.
How applied to processor?
- None that we are aware of.
- No, the processor made a warranty during the selection process that there were no such sanctions imposed.
- Yes, the processor openly admitted to it.
- Yes, the processor admitted to it but only on persistent request.

Criterion: Did the processor give remarkable answers to the questions on data protection / security in the selection process? (e.g. mistakes with regard to technical features, norms, certificates, internal policies, etc.)
Used? No. / Explicitly. / Implicitly.
How applied to processor?
- None that we are aware of.
- Yes, the processor did not seem to be bothered by them.
- Yes, the processor later rectified in writing.

Criterion: Might the overall (financial) situation of the processor have an impact on data protection? E.g. a tendency to grow by acquisition, a risky financial situation, being active in corruption-prone countries, etc.
Used? No. / Explicitly. / Implicitly.
How applied to processor?
- None that we are aware of.
- Yes, but this was not picked up during the selection process.
- Yes, further information was provided by the processor during the selection process.
- Yes, warranties were provided by the processor during the selection process.

Criterion: Is there relevant prior audit assurance available (e.g. from third party audits)?
Used? No. / Explicitly. / Implicitly.
How applied to processor?
- No relevant prior audit assurance available.
- ISO27001 certified in the last 3 years.
- SOC1 or SOC2 made available by the processor.
- Other: xxx

Criterion: What was the advice of the Data Protection Officer and/or Information Security Officer of the controller?
Used? No. / Explicitly. / Implicitly.
How applied to processor?
- No advice from the DPO or ISO.
- Negative advice or high risk warning from the DPO or ISO.
- Advice to put some additional safeguards in place.
- Nihil obstat from the DPO and ISO.

Intermediary conclusion:
- The criteria to assess the data protection risk were explicit, reasonable and coherent.
- The criteria to assess the data protection risk were reasonable and coherent, even if implicit.
- The criteria to assess the data protection risk cannot be considered reasonable and coherent.
- There were no criteria to assess the data protection risk.


Decision

Overall, what was the data protection risk assessment of engaging this processor?

Suggestions

Look for predetermined criteria (explicitly) being used to select the processor and for criteria that may not have been predetermined, but de facto were used.

At the time of the selection

The data processing operation was internally assessed as… (in case of several data processing operations, the highest)
- Very high risk.
- High risk.
- Medium risk.
- Low risk.
Additional comment to this answer

Outsourcing the data processing operation was assessed as… (in case of several data processing operations, the highest)
- Very high risk.
- High risk.
- Medium risk.
- Low risk.
Additional comment to this answer

In comparison to performing the data processing operation internally, outsourcing the data processing operation was assessed as…
- A higher risk.
- An equal risk.
- A lower risk.
Additional comment to this answer

In comparison to outsourcing the data processing operation to any other candidate in the selection process, outsourcing it to the processor was assessed as…
- A higher risk.
- An equal risk.
- A lower risk.
Additional comment to this answer

In the context of the DPCC

The risk assessments at the time seem reasonable given the information that seems to have been available at the time of the assessment.
- No.
- Yes.

If more information should reasonably have been available at the time of the decision (had the selection procedure included reasonable information gathering on data protection), would the outcome of the risk assessments likely and reasonably have been different?
- Hard to determine.
- No.
- Yes.

* * *

What was the impact of the data protection risk assessment on the final decision?

Impact in selection decision


Was there an impact of the data protection risk assessment on the decision?
- No.
- Yes.

Were there specific items of the data protection risk that the decision explicitly wanted to avoid?
- No.
- Yes.

If “yes”, were the necessary measures taken to avoid those risks?
- No.
- Yes.
Additional comments: which measures?

Were there specific items of the data protection risk that the decision explicitly wanted to allocate to the processor?
- No.
- Yes.

If “yes”, were the necessary measures taken to allocate those risks to the processor (via the agreement)?
- No.
- Yes.
Additional comments: which measures?
- Representations and warranties.
- Specific duties for the processor, e.g. (additional) minimum security measures, reporting duties, etc.
- Specific liabilities for the processor.
- Other: …

Were there specific items of the data protection risk that the decision explicitly wanted to insure?
- No.
- Yes.

If “yes”, was the insurance taken to cover that (part of the) risk?
- No.
- Partly.
- Yes.

What are the references of the insurance agreement?
Insurer: xxx
Reference of the insurance agreement: xxx
Reference of the relevant parts of the insurance agreement: xxx

Was there an explicit acceptance of the residual risks?
- No.
- Yes.

Were the residual risks reasonably known to the decision maker(s)?
- No.
- Yes.


Conclusion

- Data protection is a concern that was explicitly and robustly taken into account in the selection process.
- Data protection is a concern that was explicitly and reasonably taken into account in the selection process.
- Data protection is a concern that was explicitly taken into account in the selection process, but that could have been improved.
- Data protection is a concern that was implicitly taken into account in the selection process and led to a fair selection.
- Data protection is a concern that was implicitly taken into account in the selection process but that could have been improved.
- Data protection was not taken into account in the selection process.

Comments

-


Agreement with the processor

Is there a written agreement between the controller and the processor?
- No.
- Yes.

* * *

If yes, what are the constituent parts of the written agreement between the controller and the processor?

Explanation: A written agreement is not always a single document, but can be defined by different documents with all sorts of names such as general terms and conditions, framework agreement, specific agreement, schedule, service level agreement (“SLA”), statement of work, order form, minimum security requirements, controller’s or processor’s security policies,... To be able to assess the agreement, you should assemble (or have presented) and see all these parts.

The constituent parts of the agreement between the controller and processor in scope are as follows:

Title | Date | Document
<title of the document> | <date of the document> | <embed document>

* * *

The controller that uses the services of the processor should have a written agreement with the processor, which should include the necessary provisions. Which data protection relevant provisions are included in the agreement with the processor?

Suggestions

Check with the legal department.

Check the local data protection statutes and guidance by the data protection authorities.

Check for guidance and/or templates by associations within the sector of the controller.

Note:

In case the standard contractual clauses for data transfer from controller to processor are used, most, if not all, necessary provisions are deemed to be present.

A distinction should be made between the provisions compulsory under the applicable law (as the case may be, given the situation), the provisions needed to meet the risk standard sought by the decision on the data protection risk (see end of selection process) and additional useful provisions.


Typical provisions

Provision | Compulsory? | Reference in and/or quote from the agreement
--- | --- | ---
a description of the data processing operations in scope (data, data subject, recipients, locations, processing types, specifically described ...) | Compulsory. / Needed. / Useful. | 
the provision that the processor can and shall only process the data on behalf of and on instructions of the controller(s), as the case may be, with the exception of superseding statutory obligations | Compulsory. / Needed. / Useful. | 
the provision in which the processor accepts to be bound by the EU data protection legislation, its local implementation, or (in third countries) its principles | Compulsory. / Needed. / Useful. | 
the provision that the processor is held to ensure secure and confidential processing of the data and must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing | Compulsory. / Needed. / Useful. | 
the provision that the processor must limit the access to the data to persons with a need-to-know for the exercise of their tasks | Compulsory. / Needed. / Useful. | 
the provision that the processor must create awareness on data protection (in general and the regulations in particular) | Compulsory. / Needed. / Useful. | 
the minimum (level of) security and confidentiality measures to be taken by the processor, as the case may be making a risk-based distinction (e.g. per partial assignment, per type of data, ...) | Compulsory. / Needed. / Useful. | 
provisions with regard to procedures and rules on incident management | Compulsory. / Needed. / Useful. | 
provisions with regard to procedures and rules on reporting and communication in case of incidents, including access requests by third parties | Compulsory. / Needed. / Useful. | 
provisions regulating the possibility, if any, and the conditions of deployment of subprocessors | Compulsory. / Needed. / Useful. | 
a way to get assurance of the proper implementation of the (minimum) technical and organizational measures, e.g. audit rights for the controller(s) or assurance by external auditors | Compulsory. / Needed. / Useful. | 
provisions with regard to periodic and ad hoc reporting by the processor | Compulsory. / Needed. / Useful. | 
provisions with regard to (other) follow-up mechanisms | Compulsory. / Needed. / Useful. | 
provisions with regard to retention of the (personal) data during and at the end of the agreement | Compulsory. / Needed. / Useful. | 
provisions creating an incentive for compliance with data protection or enhancing the enforcement of data protection, e.g. rewards, sanctions (data protection = material breach and uncapped liability), etc. | Compulsory. / Needed. / Useful. | 
clear provisions on the liability of the parties with regard to issues relating to data processing operations (e.g. data leakage) | Compulsory. / Needed. / Useful. | 
a governance framework for events and incidents such as data breaches and requests by data subjects | Compulsory. / Needed. / Useful. | 
a provision to grant the data subject third party beneficiary rights against the processor | Compulsory. / Needed. / Useful. | 

Intermediary conclusion:

All typical provisions are strongly implemented in the existing agreement.

All compulsory and needed provisions are strongly implemented in the existing agreement.

All compulsory provisions are strongly implemented in the existing agreement, the needed provisions however are not.

Some minor improvements are possible to the existing agreement.

Some major improvements are possible to the existing agreement.

Some major improvements are needed to the existing agreement.

Some major improvements are urgently needed to the existing agreement.

There is no existing agreement.

Conclusion

The contractual framework, as investigated, is robust.

The contractual framework, as investigated, is subject to minor improvements, namely: <…>

The contractual framework, as investigated, is subject to major improvements, namely: <…>

Comments

-


Follow-up of the processor

The controller that uses the services of the processor should have a procedure in place to follow-up

In what way is assurance acquired on the proper handling of personal and/or customer data?

Suggestions

Check the agreement for audit rights or other elements of assurance.

Check with the contact / procurement officer / relationship manager for the processor how they follow up on the processor and in particular on the data protection practice at the processor.

Follow-up mechanisms on an individual level (controller – processor)

Mechanism | Foreseen | Basis | Used in fact | Periodicity
--- | --- | --- | --- | ---
Day-to-day cooperation with the service provider | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Scrutiny of deliverables, quality control | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Follow-up of milestones and deadlines | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
W(h)ine and dine | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Periodic (formal) follow-up meetings, one-on-one | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Periodic (formal) follow-up meetings, joint with other customers of the processor | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Escalation procedure | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Service Level (exception) reporting by the processor | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Questionnaires to be answered by the processor | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Assurance delivered by the internal audit of the processor (free format) | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Assurance delivered by an external, independent auditor appointed by the processor (free format) | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Assurance delivered by the internal audit of the processor (template of the controller) | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Assurance delivered by an external, independent auditor appointed by the processor (template of the controller) | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
KPI measurement and reporting thereon by controller | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Audit on the premises by controller’s audit team | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Follow-up of and reaction to incidents at the processor | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Control on the budget for the services, including invoice control | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Follow-up of the financial situation of the service provider based on public information | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Follow-up of the financial situation of the service provider based on non-public information | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.

Follow-up mechanisms on a multilateral level (processor to multiple controllers, including the controller in scope)

Mechanism | Foreseen | Basis | Used in fact | Periodicity
--- | --- | --- | --- | ---
Service Level (exception) reporting | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
KPI measurement and (issue) reporting thereon | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Control on the overall budget | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.

Follow-up mechanisms on a group governance level (in case the processor is a member of the group of the controller)

Mechanism | Foreseen | Basis | Used in fact | Periodicity
--- | --- | --- | --- | ---
Information Security reporting on the processes as such | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Audit assurance on the processes as such | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Statistical analysis of the operations (e.g. throughput time, access to tools, etc.) | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.

Is it clear who has to follow up the processor?

No.

Yes for all follow-up mechanisms.

Yes for some follow-up mechanisms. Not for the following <…>

* * *

Is it clear how the assurance or lack thereof has to be handled? Is it clear what has to be done in case of the absence of assurance or the reception of a notification indicating a security incident?

No.

Yes for all follow-up mechanisms.

Yes for some follow-up mechanisms. Not for the following <…>

Conclusion

Follow-up of the processor is robust.

Follow-up of the processor is subject to minor improvements.

Follow-up of the processor is subject to major improvements.

Comments

-


References

Suggestions: Keep these lists in a spreadsheet and insert/embed the final spreadsheets in this annex.

Note: The prefilled fields are just examples of content for these reference documents. They need to be modified to reflect the internal procedures and the factual situation.

Activity Log

Date | Activity | Status | Who? | Remark
--- | --- | --- | --- | ---
 | Intake interview with xxx | | | 
 | Interview with xxx | | | 
 | Questionnaire xxx sent out to xxx | | | 
 | Response to questionnaire xxx received from xxx | | | 
 | Process diagram xxx received from xxx | | | 
 | Walkthrough process xxx | | | 
 | Document request for xxx | | | 
 | Document xxx received from | | | 
 | Draft report sent to xxx | | | 
 | Feedback interview with xxx | | | 
 | Final report | | | 
 | Final report sent out | | | 


Documentation received

Category | Document | Date request | Date receipt | Source
--- | --- | --- | --- | ---
Selection | RFI | | | 
Selection | Responses of the processor (winning candidate) to the RFI | | | 
Selection | RFP | | | 
Selection | Responses of the processor (winning candidate) to the RFP | | | 
Selection | BOFA of the processor (winning candidate) | | | 
Selection | Memo for the decision taker(s) | | | 
Selection | Certificates relevant for data protection of the processor provided in the selection process | | | 
Selection | SOC 1 audit assurance dated xxx | | | 
Selection | SOC 2 audit assurance dated xxx | | | 
Agreement | Agreement(s) with processor (incl. annexes, schedules and appendices) | | | 
Agreement | Amendment(s) to the agreement with the processor | | | 
Follow-up | SOC 1 audit assurance dated xxx | | | 
Follow-up | SOC 2 audit assurance dated xxx | | | 
Follow-up | Periodic checkup report by outsourcing manager (controller side) dated xxx | | | 
Follow-up | List of issues with the processor, whether or not escalated, dated xxx | | | 
Follow-up | Periodic reporting by processor dated xxx | | | 


Interviews & Questionnaires

Category | What? | Document | Date | Source
--- | --- | --- | --- | ---
Selection | Questions for procurement department | | | 
Selection | Questionnaire completed by procurement department | | | 
Selection | Report interview with procurement department | | | 
Agreement | Questions for the lead negotiator of the agreement | | | 
Agreement | Questionnaire completed by lead negotiator of the agreement | | | 
Agreement | Report interview with lead negotiator of the agreement | | | 
Follow-up | Questions for procurement department | | | 
Follow-up | Questionnaire completed by procurement department | | | 
Follow-up | Report interview with procurement department | | | 
Follow-up | Questions for department accountable for the outsourced data processing operation | | | 
Follow-up | Questionnaire completed by department accountable for the outsourced data processing operation | | | 
Follow-up | Report interview with department accountable for the outsourced data processing operation | | | 
