DPR-1-1.1 What are the purposes of processing personal data?
The name and e-mail information of the service users are collected to create user IDs.
The user's name and e-mail address are needed to create user IDs.
DPR-1-2.1 What role does the service provider give itself in terms of data security?
DPR-1-3.1 Do end users need to give consent for the processing of personal data related to the service?
DPR-1-4.1 Is it possible to make the name of the client organization and a link to its own privacy notice visible to users in the service?
DPR-1-5.1 Does the service provider have access to personal data stored by the client organization?
DPR-1-6.1 Does use of the service generate a register of which the service provider is a joint controller with the client organization?
DPR-1-8.1 Does the service provider have an up-to-date list of personal data sub-processors, including each sub-processor's name, location, processing purpose, and any transfer basis outside the EU/EEA?
DPR-1-9.1 Link to the list of sub-processors (if any)
DPR-1-10.1 Does the service provider or any of its sub-processors process personal data outside the EU/EEA?
DPR-1-11.1 If personal data is processed outside the EU/EEA area, on what grounds is personal data transferred?
DPR-1-12.2 Can personal data be transferred to third countries that are not considered safe?
DPR-1-13.1 In which countries are the service provider's servers located?
DPR-2-1.1 What personal data does the service provider process?
Company name (employer)
Name of the person
Email address
Username and password
Log history of data entries and edits in the service, mainly: (1) who entered/edited data, (2) entries/edits made, (3) time stamp – this data is collected to ensure reliability of data in the service
Customary contact and billing details required for billing and invoicing paid services
Customary correspondence with users
Possibly information entered by the customer into the DPIA-tool.
DPR-2-2.1 Is the service also intended for processing special personal data (e.g. health data)?
DPR-2-3.1 Can the required and optional fields related to users be defined by the administrator?
DPR-2-4.1 Does the service provider provide users with comprehensive information about the processing of personal data in the service?
DPR-2-6.1 What procedures are in place to ensure that data is not used for other purposes?
DPAs with sub-processors and customers
DPR-2-7.1 Does the service have a function for pseudonymizing personal data?
DPR-2-8.1 Can users be asked for separate consents for the processing of certain personal data (e.g., personal identification number or special personal data)?
DPR-2-9.1 Is data processed on a large scale in the service?
DPR-2-10.1 Can the service's functions involve profiling, scoring, or evaluating individuals?
DPR-2-11.1 Can the service involve the processing of location data?
DPR-2-12.1 Can the service define the retention periods for personal data or the criteria for determining them?
DPR-2-13.1 Can users' personal data be anonymized instead of deleted?
DPR-3-3.1 Is the scope and duration of personal data processing proportional to the intended benefits?
DPR-4-2.1 Can users see all the data stored about them?
DPR-4-3.1 Can users download or transfer the data they have stored to another service, or import data from another system?
DPR-4-4.1 How and when are personal data deleted?
The customer must inform the service provider when the data of its employees must be deleted during the contract. When the contract ends the data will be deleted automatically.
When a user or customer organization is deleted, any log file associated with the user is also deleted (administrators).
DPR-4-5.1 If a data subject exercises their right to restrict the processing of their personal data, what technical means are used to ensure the implementation of the restriction?
The registered person can request the deletion of their user ID and refuse customer communication.
DPR-5-1.1 How is the accuracy of the processed personal data ensured?
If the person himself/herself informs the service provider, or the regularly sent customer letter is returned to the service provider, the reason will be checked and, if necessary, the person will be removed from the user register or the information will be changed.
DPR-6-1.1 Are automated decisions made in the service, and if so, on what basis?
DPR-6-2.1 How are data subjects informed about automated decision-making?
DPR-6-3.1 How are the conclusions related to the data subject that are based on automated decision-making described to them?