Product: GDPR-sovelluskirjasto

GEN-1-3.1 Is there an age limit for users in the service?

GEN-1-5.1 Country of manufacture/home country of the service provider

GEN-1-6.1 ISO certifications

GEN-1-7.1 Is there a mobile app for the service?

GEN-1-8.1 License type

GEN-1-9.1 Is virtualization possible?

GEN-2-1.1 Service-specific Privacy Notice (if any)

GEN-2-2.1 Data security description of the service (if any)

GEN-2-3.1 Contact information of the data protection officer

GEN-2-4.1 Are there advertisements or links to commercial services in the service?

GEN-2-5.1 Does the service use cookies for which users' consent is asked?

UMA-1-1.1 Is the service used with personal usernames?

UMA-1-2.1 Are there at least two user levels in the user management of the service: administrator and end user?

UMA-1-3.1 Can access rights be limited according to the employees' job duties, taking into account the rights of different user groups?

UMA-1-4.1 What options does the service have to integrate user management into the organization's centralized user registry and single sign-on (SSO)?

UMA-1-5.1 Is it possible to log in with usernames of other service providers?

UMA-1-6.1 Can multi-factor authentication (MFA) be used for logging in?

UMA-1-7.1 Is strong user authentication possible?

UMA-2-1.1 Are comprehensive log data about the activities of all logged-in users saved?

UMA-2-2.1 Is every access to personal data saved in a log?

TDP-1-1.1 What kind of integrations (interfaces) are involved in the system and how are they protected from outsiders?

TDP-2-1.1 Does all personal data processing in the service take place in such a way that the network connection is encrypted and the user or the parties to the data transfer are verified?

TDP-2-2.1 Is it possible to use the service so that all personal data is stored only in encrypted form?

TDP-3-1.1 Is the data content of the service backed up at least once a day and is it possible to restore the backup quickly if necessary?

TDP-4-2.1 Can multi-factor authentication (MFA) be required on all users at login?

TDP-5-1.1 Are security updates for software components related to the service installed regularly without any delay?

TDP-5-2.1 Has data security been audited by an external party? If so, by whom?

TDP-5-3.1 Are regular data security and vulnerability tests performed on the service?

DPR-1-2.1 What role does the service provider give itself in terms of data security?

DPR-1-4.1 Is it possible to make the name of the client organization and a link to its own privacy notice visible to users in the service?

DPR-1-5.1 Does the service provider have access to personal data stored by the client organization?

DPR-1-6.1 Does use of the service generate a register of which the service provider is a joint controller with the client organization?

DPR-1-7.1 Is a personal data register of users generated for the service provider of which it is the controller?

DPR-1-8.1 Does the service provider have, for each sub-processor, an up-to-date list of sub-processors of personal data, which shows the name, location, processing purpose and possible grounds for transfer outside the EU/EEA area?

DPR-1-9.1 Link to the list of sub-processors (if any)

DPR-1-10.1 Does the service provider or one of its sub-processors process personal data outside the EU/EEA area?

DPR-1-11.1 If personal data is processed outside the EU/EEA area, on what grounds is personal data transferred?

DPR-1-12.1 Can personal data be transferred to non-secure third countries such as the United States?

DPR-2-1.1 What personal data does the service provider process?

DPR-2-2.1 Is the service also intended for processing special personal data (e.g. health data)?

DPR-2-3.1 Can the required and optional fields related to users be defined by the administrator?

DPR-2-4.1 Does the service provider provide users with comprehensive information about the processing of personal data in the service?

DPR-2-5.1 Does the service provider process personal data in accordance with data protection legislation?

DPR-2-6.1 What procedures are in place to ensure that data is not used for other purposes?

DPR-2-7.1 Does the service have a function for pseudonymizing personal data?

DPR-2-10.1 Is there profiling, scoring or evaluation of people in the functions of the service?

DPR-2-11.1 Are users' location data processed?

DPR-2-12.1 Can the service define the retention periods of personal data or its criteria?

DPR-2-13.1 Can users' personal data be anonymized instead of deleted?

DPR-3-1.1 Has the service provider identified, in its privacy policy, all personal data that is clearly related to the use of the service?

DPR-4-1.1 Does the service provider guarantee that the rights of the data subjects are realized in accordance with the EU General Data Protection Regulation (GDPR)?

DPR-4-4.1 How and when are personal data deleted?

DPA-1-1.1 Is it possible to enter into a data processing agreement agreement (DPA) with the service provider?

DPA-1-2.1 Link to standard template for a DPA agreement (if available)

DPA-1-3.1 Is the personal data to be processed specified in the DPA?

DPA-1-4.1 Are the purposes of personal data processing specified in the DPA?

DPA-1-5.1 In connection with the DPA, is it possible to give instructions that the service provider must taken into account when processing personal data?

DPA-1-6.1 Does the DPA stipulate that the service provider is responsible for the confidentiality obligation of its employees?

DPA-1-7.1 Does the DPA stipulate that the service provider allows monitoring and auditing by the controller?

DPA-1-8.1 Does the service provider have a designated contact person for data protection issues?

DPA-1-9.1 Is deletion of data defined in the DPA?

DPA-2-1.1 If sub-processors are used in the processing of personal data, is compliance with the EU's General Data Protection Regulation (GDPR) and the implementation of sufficient protective measures ensured in the contract?

DPA-2.2.1 Sub-processors under the DPA agreement or a link to the list of sub-processors (if any)

DPA-3-1.1. The service provider undertakes to report all data security breaches without any delay

DPA-4-1.1 Does the processor or any of its sub-processors process personal data outside the EEA?

DPA-4-2.1 If personal data is processed outside the EEA, on what grounds is personal data transferred?

DPA-4-3.1 If the EU Commission's Standard Contractual Clauses (SCC) are used as the grounds for the transfer of personal data, which standard clauses are they?

DPA-4-4.1 Can personal data be disclosed to the authorities of a third country?

DPA-4-5.1 If data is transferred outside the EU/EEA area, does the service provider have documentation that helps in assessing the effects of data transfer (transfer impact assessment, TIA)?

DPA-4-6.1 If data is transferred outside the EU/EEA area, what additional protection measures are used?