DPR-1-2.1 What role does the service provider give itself in terms of data security?
DPR-1-4.1 Is it possible to make the name of the client organization and a link to its own privacy notice visible to users in the service?
DPR-1-5.1 Does the service provider have access to personal data stored by the client organization?
DPR-1-6.1 Does use of the service generate a register of which the service provider is a joint controller with the client organization?
DPR-1-7.1 Does use of the service generate a personal data register of users of which the service provider is the controller?
DPR-1-8.1 Does the service provider have an up-to-date list of sub-processors of personal data, which shows for each sub-processor the name, location, processing purpose and possible grounds for transfer outside the EU/EEA area?
DPR-1-9.1 Link to the list of sub-processors (if any)
DPR-1-10.1 Does the service provider or one of its sub-processors process personal data outside the EU/EEA area?
DPR-1-11.1 If personal data is processed outside the EU/EEA area, on what grounds is personal data transferred?
DPR-1-12.1 Can personal data be transferred to non-secure third countries such as the United States?
DPR-2-1.1 What personal data does the service provider process?
Company name (employer)
Name of the person
Email address
Username and password
Log history of data entries and edits in the service, mainly: (1) who entered/edited data, (2) entries/edits made, (3) time stamp – this data is collected to ensure reliability of data in the service
Customary contact and billing details required for billing and invoicing paid services
Customary correspondence with users
DPR-2-2.1 Is the service also intended for processing special personal data (e.g. health data)?
DPR-2-3.1 Can the required and optional fields related to users be defined by the administrator?
DPR-2-4.1 Does the service provider provide users with comprehensive information about the processing of personal data in the service?
DPR-2-5.1 Does the service provider process personal data in accordance with data protection legislation?
DPR-2-6.1 What procedures are in place to ensure that data is not used for other purposes?
DPR-2-7.1 Does the service have a function for pseudonymizing personal data?
DPR-2-10.1 Is there profiling, scoring or evaluation of people in the functions of the service?
DPR-2-11.1 Are users' location data processed?
DPR-2-12.1 Can the service define the retention periods of personal data or its criteria?
DPR-2-13.1 Can users' personal data be anonymized instead of deleted?
DPR-3-1.1 Has the service provider identified, in its privacy policy, all personal data that is clearly related to the use of the service?
DPR-4-1.1 Does the service provider guarantee that the rights of the data subjects are realized in accordance with the EU General Data Protection Regulation (GDPR)?
DPR-4-4.1 How and when are personal data deleted?
The customer must inform the service provider when the data of its employees must be deleted.