DPR-1-2.1 What role does the service provider give itself in terms of data security?
For the role of controller
DPR-1-4.1 Is it possible to make the name of the client organization and a link to its own privacy notice visible to users in the service?
DPR-1-5.1 Does the service provider have access to personal data stored by the client organization?
DPR-1-6.1 Does use of the service generate a register of which the service provider is a joint controller with the client organization?
DPR-1-7.1 Is a personal data register of users generated for the service provider of which it is the controller?
DPR-1-8.1 Does the service provider have an up-to-date list of sub-processors of personal data, which shows, for each sub-processor, the name, location, processing purpose and possible grounds for transfer outside the EU/EEA area?
DPR-1-9.1 Link to the list of sub-processors (if any)
DPR-1-10.1 Does the service provider or one of its sub-processors process personal data outside the EU/EEA area?
DPR-1-11.1 If personal data is processed outside the EU/EEA area, on what grounds is personal data transferred?
DPR-1-12.1 Can personal data be transferred to non-secure third countries such as the United States?
DPR-2-1.1 What personal data does the service provider process?
Company name (employer)
Name of the person
Username and password
Log history of data entries and edits in the service, mainly: (1) who entered/edited data, (2) entries/edits made, (3) time stamp – this data is collected to ensure reliability of data in the service
Customary contact and billing details required for billing and invoicing paid services
Customary correspondence with users
DPR-2-2.1 Is the service also intended for processing special personal data (e.g. health data)?
DPR-2-3.1 Can the required and optional fields related to users be defined by the administrator?
DPR-2-4.1 Does the service provider provide users with comprehensive information about the processing of personal data in the service?
DPR-2-5.1 Does the service provider process personal data in accordance with data protection legislation?
DPR-2-6.1 What procedures are in place to ensure that data is not used for other purposes?
DPR-2-7.1 Does the service have a function for pseudonymizing personal data?
DPR-2-10.1 Is there profiling, scoring or evaluation of people in the functions of the service?
DPR-2-11.1 Are users' location data processed?
DPR-2-12.1 Can the service define the retention periods of personal data or the criteria for them?
DPR-2-13.1 Can users' personal data be anonymized instead of deleted?
DPR-4-1.1 Does the service provider guarantee that the rights of the data subjects are realized in accordance with the EU General Data Protection Regulation (GDPR)?
DPR-4-4.1 How and when are personal data deleted?
The customer must inform the service provider when the data of its employees must be deleted.