ziik.io (Chainintra ApS)
Købmagergade 67,
1150 Copenhagen, Denmark
Company Registration Number: 36553081
(the "Organization")
Last updated on 15.01.2024.
1. Introduction
1.1 This document is a report (the ”Report”) prepared to document the Organization’s ongoing efforts and measures to comply with the applicable data protection and privacy legislation, including in particular the EU General Data Protection Regulation (2016/679 of 27 April 2016) (the ”GDPR”) and the requirement of demonstrating compliance (the principle of “accountability”) as described in article 5(2) of the GDPR.
1.2 The report shall apply to the entire Organization and all of its systems and business processes.
1.3 The Report contains color markings with green, yellow and red markings at the Organization's results of the control objectives. The colors do not necessarily mean that the Organization complies with the GDPR, but they help to identify any areas and issues that the Organization should work with as described.
1.4 This is the first time that the Organization prepares the Report, and the comments under the control objectives must therefore be read in the light of this. This means, among other things, that the Organization sets out defined and documented control processes, even though they may not have been carried out in practice yet. This is due to the fact that such control processes are planned to take place during the period after this Report and continuously hereafter. Each Report shall cover the foregoing period.
2. Control method and structure
2.1 The Report is prepared on the basis of the Organization's answers on questions and control points in ComplyCloud.
2.2 When and if the Danish Data Protection Agency publishes guidance on self-assessment, these guidelines will be incorporated in the questions and control points in the Report.
3. General information about the controls
3.1 The Organization follows a systematic approach for documenting GDPR compliance and uses an annual cycle of work to ensure automatic and continuous controls with reminders. This means, among other things, that the Organization reviews and updates all procedures, policies, records of processing activities and instructions continuously to ensure that they are updated and correct. The management is also included in the assessment and approval of these reports. Controls concerning auditing, updating and management review and approval are therefore not further commented below as reference is made to the underlying documentation for documenting these control points as appropriate.
4. Principles relating to processing of personal data (article 5)
4.1 Control objective
Procedures and controls are complied with to ensure that the collection, processing and storage of personal data is in accordance with the principles relating to processing of personal data.
4.2 Control 1
Control activity: Written procedures are available in which the following principles relating to processing of personal data have been considered: (i) lawfulness, fairness and transparency; (ii) purpose limitation; (iii) data minimisation; (iv) accuracy; (v) storage limitation; (vi) integrity and confidentiality; and (vii) accountability.
Performed control: Inspected that there are updated written procedures for processing of personal data that include the principles relating to processing of personal data.
Result of control:
The Organization has employee instructions, procedures and/or policies that apply to the Organization's employees who work with and process personal data. In these the Organization has informed about the principles relating to processing of personal data as set out in article 5 of the GDPR.
4.3 Control 2
Control activity: The written procedures in control 1 are available for Organization employees.
Performed control: Inspected that the procedures are available for the employees.
Result of control:
The Organization confirms that the procedures are available for the employees.
5. Lawfulness of processing (article 6)
5.1 Control objective
Procedures and controls are complied with to ensure that personal data is only processed lawfully.
5.2 Control 1
Control activity: Assessments of whether unlawful processing of personal data has taken place are performed continuously, and these assessments are documented.
Performed control: Inspected documentation for continuous - and at least annual - assessment of whether unlawful processing of personal data has taken place.
Result of control:
The Organization is not aware of any unlawful processing of personal data.
5.3 Control 2
Control activity: Written procedures are available in which it has been specified that processing of personal data is only allowed when there is a legal basis. There is an ongoing - and at least once a year - assessment of whether the procedures need to be updated and whether the procedures are complied with.
Performed control: Inspected that the Organization has updated written procedures for the processing of personal data specifying that personal data processing is only allowed when there is a legal basis.
Result of control:
The Organization has employee instructions that apply to the Organization's employees who work with and process personal data. In these the Organization has obliged its employees to only process personal data when there is a legal basis for the processing, including a legal basis that is in accordance with any applicable instructions from data processing agreements with data controllers. Furthermore, the Organization continuously - and at least annually - reviews the employee instructions to assess whether updates are necessary and whether the employee instructions have been complied with by the Organization's employees.
5.4 Control 3
Control activity: The written procedures in control 2 are available for Organization employees.
Performed control: Inspected that the procedures are available for the employees.
Result of control: The Organization confirms that the procedures are available for the employees.
6. Consent (article 7 and 8)
6.1 Control objective
Procedures and controls are complied with to ensure that the data subjects provide written consent for the processing of personal data when necessary.
6.2 Control 1
Control activity: There are written procedures for collecting written consent for the processing of personal data. There is an ongoing - and at least once a year - assessment of whether the procedures need to be updated and whether the procedures are complied with.
Performed control: Inspected that there are written procedures for obtaining written consent for processing personal data.
Result of control:
The Organization uses consent from data subjects as a legal basis for processing personal data. On this topic, the Organization has written procedures to ensure that valid consent is obtained in the correct manner in accordance with article 7 of the GDPR.
6.3 Control 2
Control activity: The written procedures in control 1 are available for Organization employees.
Performed control: Inspected that the procedures are available for the employees.
Result of control:
Consent is automatically obtained when customers sign up online.
7.2 Control 1
Control activity: There is an instruction that is approved which regulates the Organization's processing of special categories of personal data.
Performed control: Inspected that it is documented that the processing of special categories of personal data is done on a legal processing basis.
Result of control:
The Organization does not process special categories of personal data as part of its processing of personal data.
8. Processing which does not require identification (article 11)
8.1 Control objective
Procedures and controls are complied with to ensure that storage, collection and processing of information for identifying the data subject is maintained as long as identification is required.
8.2 Control 1
Control activity: There are procedures and controls to ensure that storage, collection and processing of information for identifying the data subject is maintained as long as identification is required. Assessments are continuously made - and at least once every year - about whether the procedures should be updated.
Performed control: Inspected that there are updated written procedures to ensure that it has been considered that storage, collection and processing of information for the identification of the data subject is maintained as long as identification is required.
Result of control: The Organization does not process personal data in such a way that article 11 of the GDPR is relevant.
8.3 Control 2
Control activity: The written procedures in control 1 are available for Organization employees.
Performed control: Inspected that the procedures are available for the employees.
Result of control:
9. Transparent information, communication and modalities for the exercise of the rights of the data subject (article 12)
9.1 Control objective
Procedures and controls are complied with to ensure that information about the processing of personal data can be provided and communicated in a concise, transparent, intelligible and easily accessible form to the data subject.
9.2 Control 2
Control activity: It is continuously ensured - and at least once every year - that replies to requests from data subjects are completed in due time.
Performed control: Inspected documentation showing that actual replies to requests from data subjects have been provided in due time and in accordance with procedures.
Result of control:
Every second month one or more employees of the Organization investigates and confirms whether the Organization has answered all inquiries from data subjects correctly and within the time limits in accordance with chapter III of the GDPR.
10. Information to be provided where personal data are collected (article 13 and 14)
10.1 Control objective
Procedures and controls are complied with to ensure that the data subject has received the Organization's contact information, information about the purpose(s) of the processing of personal data in addition to information about any transfer of personal data to recipients in third countries or international organisations.
10.2 Control 1
Control activity: There are written procedures describing how it is ensured that the data subject receives information about the purpose(s) of the processing of personal data in addition to information about any transfer of personal data to recipients, third countries or international organisations, or how the data processor can assist the data controller in this manner. Assessments are continuously made - and at least once every year - about whether the procedures should be updated.
Performed control: Inspected that there are updated written procedures in which it is described how it is ensured that the data subject receives information about the purpose(s) of the processing of personal data in addition to information about any transfer of personal data to recipients, third countries or international organisations.
Result of control:
The personal data policies of the Organization meet the information requirements of article 13 and 14 of the GDPR, including, among other things, information about the purposes of the processing, information about any recipients of personal data and the types of personal data.
The external personal data policies of the Organization are available to the relevant user, for example by inserting a link to the personal data policies in relevant places or by otherwise informing the users when possible.
The personal data policies of the Organization contain information about the rights of the data subjects under chapter III of the GDPR in accordance with article 13(2) and article 14(2) of the GDPR.
11. The data subject's right of access (article 15)
11.1 Control objective
Procedures and controls are complied with to ensure the data subject's right of access in own personal data.
11.2 Control 1
Control activity: The Organization has a defined format for extracting personal data (copy of the personal data which are registered and processed by the Organization) to the data subject.
Performed control: Inspected that the Organization has a defined format for extracting personal data to the data subject.
Result of control:
The Organization has defined format(s) and method(s) for preparing and delivering copies of personal data in accordance with article 15(3) of the GDPR.
11.3 Control 2
Control activity: Written procedures exist in which the handling of the data subject's requests for access to the processing of personal data is described. Assessments are continuously made - and at least once every year - about whether the procedures should be updated.
Performed control: Inspected that there are updated written procedures in which the handling of the data subject's requests for access to his/her personal data is described.
Result of control:
The Organization has procedures on how to comply with the data subject's right of access in accordance with article 15 of the GDPR.
11.4 Control 3
Control activity: The written procedures in control 2 are available for Organization employees.
Performed control: Inspected that the procedures are available for the employees.
Result of control:
The Organization confirms that the procedures are available for the employees.
12. Right to rectification (article 16 and article 19)
12.1 Control objective
Procedures and controls are complied with to ensure that the data subjects' right to rectification of personal data about him/her, including rectification at the recipients of the personal data, are complied with.
12.2 Control 1
Control activity: Technical measures have been established in the Organization's IT systems which ensure that personal data can be corrected.
Performed control: Inspected that technical measures have been established in the Organization's IT systems in order to correct personal data. Inspected that the rectification of personal data only takes place through the established technical measures.
Result of control:
The IT systems of the Organization support the rectification of personal data in accordance with article 16 of the GDPR.
12.3 Control 2
Control activity: The Organization has written procedures in which the handling of the data subjects' right to rectification of personal data is described. There is an ongoing - and at least once a year - assessment of whether the procedures need to be updated and whether the procedures are complied with.
Performed control: Inspected that there are updated written procedures for handling the data subjects' rights to rectification of personal data.
Result of control:
The Organization has procedures on how to comply with the right of rectification by the data subjects in accordance with article 16 of the GDPR.
12.4 Control 3
Control activity: The written procedures in control 2 are available for Organization employees.
Performed control: Inspected that the procedures are available for the employees.
Result of control:
The Organization confirms that the procedures are available for the employees.
13. Right to erasure (article 17 and article 19)
13.1 Control objective
Procedures and controls are complied with in order to ensure that the data subjects' right to erasure of personal data about him/her are complied with, including erasure of personal data at the recipients of the personal data.
13.2 Control 1
Control activity: Technical measures have been implemented in the Organization's IT systems to ensure that it is possible to erase personal data.
Performed control: Inspected that technical measures have been established in the Organization's IT systems in order to erase personal data. Inspected that personal data are only erased by using the established technical measures.
Result of control:
The IT systems of the Organization support the erasure of personal data in accordance with article 17 of the GDPR.
13.3 Control 2
Control activity: The Organization has written procedures in which the handling of the data subjects' right to erasure of personal data is described. There is an ongoing - and at least once a year - assessment of whether the procedures need to be updated and whether the procedures are complied with.
Performed control: Inspected that the Organization has written and updated procedures for the handling of the data subject's right to erasure of personal data.
Result of control:
The Organization has procedures on how to comply with the data subject's right to erasure in accordance with article 17 of the GDPR.
13.4 Control 3
Control activity: The written procedures in control 2 are available for Organization employees.
Performed control: Inspected that the procedures are available for the employees.
Result of control: The Organization confirms that the procedures are available for the employees.
14. Right to restriction of processing (article 18 and article 19)
14.1 Control objective
Procedures and controls are complied with in order to ensure that the data subject's right to restriction of processing, including restriction at the recipients of the personal data, is complied with.
14.2 Control 1
Control activity: Technical measures have been implemented in the IT systems to ensure that it is possible to restrict the processing of personal data.
Performed control: Inspected that technical measures have been implemented in the Organization's IT systems in order to restrict the processing of personal data. Inspected that a restriction of the processing of personal data only happens by the use of the implemented technical measures.
Result of control: The IT systems of the Organization support the restriction of personal data processing in accordance with article 18 of the GDPR.
14.3 Control 2
Control activity: The Organization has written and updated procedures in which the handling of the data subjects' right to restriction of a processing of their personal data is described. There is an ongoing - and at least once a year - assessment of whether the procedures need to be updated and whether the procedures are complied with.
Performed control: Inspected that there are updated written procedures for the handling of the data subjects' rights to restriction of a processing of personal data.
Result of control: The Organization has procedures on how to comply with the data subject's right to restriction of processing in accordance with article 18 of the GDPR.
14.4 Control 3
Control activity: The written procedures in control 2 are available for Organization employees.
Performed control: Inspected that the procedures are available for the employees.
Result of control: The Organization confirms that the procedures are available for the employees.
15. Right to data portability (article 20)
15.1 Control objective
Procedures and controls are complied with in order to ensure the data subject's right to transfer personal data about him/her to another data controller.
15.2 Control 1
Control activity: Technical measures have been implemented in the Organization's IT systems to ensure the data subjects' right to data portability.
Performed control: Inspected that technical measures have been implemented in the Organization's IT systems to ensure the data subjects' right to data portability.
Result of control: The IT systems of the Organization support the data subject's right to data portability in accordance with article 20 of the GDPR.
15.3 Control 2
Control activity: There are written procedures in which the data subject's right to transfer personal data about him/her is described. There is an ongoing - and at least once a year - assessment of whether the procedures need to be updated and whether the procedures are complied with.
Performed control: Inspected that there are updated written procedures for the data subject's right to transfer personal data about him/her to another data controller.
Result of control: The Organization has procedures on how to comply with the data subject's right to data portability in accordance with article 20 of the GDPR.
15.4 Control 3
Control activity: The written procedures in control 2 are available for Organization employees.
Performed control: Inspected that the procedures are available for the employees.
Result of control: The Organization confirms that the procedures are available for the employees.
16. Data protection by design and by default (article 25)
16.1 Control objective
Procedures and controls are complied with in order to ensure that the requirements for data protection by design and by default are complied with in the Organization's technical measures.
16.2 Control 1
Control activity: The Organization has written procedures in which data protection by design and by default has been described. There is an ongoing - and at least once a year - assessment of whether the procedures need to be updated and whether the procedures are complied with.
Performed control: Inspected that the Organization has updated written procedures for ensuring data protection by design and by default.
Result of control: The Organization has employee instructions which apply to the employees of the Organization that work with and process the personal data entrusted to the Organization. The employee instructions contain provisions on how to implement data protection by design and by default in accordance with article 25 of the GDPR.
16.3 Control 2
Control activity: The written procedures in control 1 are available for Organization employees.
Performed control: Inspected that the procedures are available for the employees.
Result of control: The Organization confirms that the procedures are available for the employees.
17. The data processing agreement and sub-processors (article 28 and article 29)
17.1 Control objective
Procedures and controls are complied with in order to ensure that processing of personal data only happens in accordance with a contract or other legal act (the data processing agreement) and that the processing is only carried out by data processors which have been approved by the data controller.
17.2 Control 1
Control activity: A contract or other legal act (the data processing agreement) has been entered into between the Organization and the data controller in which the Organization's implemented technical and organizational safety measures are described in order to ensure that the processing meets the requirements set out in the GDPR as well as ensuring the protection of the data subjects' rights.
Performed control: Inspected that the data processing agreement describes the technical and organisational measures which the Organization has implemented in order to ensure that the processing meets the requirements set out in the GDPR as well as ensuring the rights of the data subjects.
Result of control: The Organization has entered into data processing agreements with its data processors and data controllers in accordance with article 28(3) of the GDPR.
17.3 Control 2
Control activity: The Organization has received - specifically or generally - approval from the data controller for the use of sub-processors. In case of a general written approval, the Organization must notify the controller of any planned changes regarding the addition or replacement of sub-processors.
Performed control: Inspected that the data controller has approved the Organization's use of sub-processors. Inspected that any planned changes regarding the addition or replacement of sub-processors have been notified to the data controller.
Result of control: The Organization informs the relevant data controllers about any new sub-processors that the Organization plans on engaging in accordance with article 28(2) of the GDPR when this is relevant or required in accordance with the applicable data processing agreements.
17.4 Control 3
Control activity: Written procedures are available which describe that the Organization must only process personal data, including the transfer of personal data to a third country or international organisation, in accordance with documented instructions from the data controller or under EU law or national law. There is an ongoing - and at least once a year - assessment of whether the procedures need to be updated and whether the procedures are complied with.
Performed control: Inspected that written updated procedures are available which describe that the Organization must only process and transfer personal data in accordance with documented instruction from the data controller or under EU law or national law.
Result of control: The Organization only uses data processing agreements that contain provisions specifying that the Organization as a data processor only processes personal data on documented instructions from the data controller in accordance with article 28(3)(a) of the GDPR.
17.5 Control 4
Control activity: Written procedures are available which, for the Organization's use of sub-processors for the performance of specific processing activities on behalf of the data controller, describe the Organization's controls for ensuring that the sub-processors comply with the same data protection obligations as those set out in the data processing agreement between the data controllers and the Organization. There is an ongoing - and at least once a year - assessment of whether the procedures need to be updated and whether the procedures are complied with.
Performed control: Inspected that there are written procedures which describe the Organization's controls for ensuring that the sub-processors comply with the same data protection obligations as those set out in the data processing agreement between the data controllers and the Organization.
Result of control: The Organization performs ongoing controls to ensure that the Organization has entered into data processing agreements with every data processor that it uses when processing personal data on behalf of a data controller and that those data processing agreements set out the same data protection obligations as set out in the contract or other legal act between the Organization and the relevant data controllers in accordance with article 28(4) of the GDPR. The Organization furthermore performs ongoing controls of such data processors, i.e. sub-processors, by performing audits, collecting statements of assurance or collecting information documenting the control principles of ISAE 3000. Reference is made to the Organization's annual cycle of work for more information and illustrations, and reference is made to the underlying control documentation.
17.6 Control 5
Control activity: Written procedures are available that describe how the Organization, in accordance with the data controller's choice, either erases or returns all personal data to the data controller when the services relating to the processing have terminated, unless EU law or national law requires the retention of personal data. There is an ongoing - and at least once a year - assessment of whether the procedures need to be updated and whether the procedures are complied with.
Performed control: Inspected that written procedures are available that describe how the Organization, in accordance with the data controller's choice, either erases or returns all personal data to the data controller when the services relating to the processing have terminated, unless EU law or national law requires the retention of personal data.
Result of control: The Organization's data processing agreements contain descriptions to ensure that, at the choice of the data controller, the Organization deletes or returns all the personal data to the data controller after the end of the provision of services relating to processing, and deletes existing copies unless European Union or European Union member state law requires storage of the personal data, in accordance with article 28(3)(g) of the GDPR.
17.7 Control 6
Control activity: Written procedures are available which describe how the Organization provides all necessary information to the data controller in order to demonstrate the Organization's compliance with the requirements as well as allowing and contributing to audits, inspections etc. made by the data controller or another auditor authorized by the data controller. There is an ongoing - and at least once a year - assessment of whether the procedures need to be updated and whether the procedures are complied with.
Performed control: Inspected that written procedures are available which describe how the Organization provides all necessary information to the data controller in order to demonstrate the Organization's compliance with the requirements as well as allowing and contributing to audits, inspections etc. made by the data controller or another auditor authorized by the data controller.
Result of control: The Organization's data processing agreements contain descriptions of how the Organization as a data processor shall make available to the controller all information necessary to demonstrate compliance with the obligations laid down in article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controller in accordance with article 28(3)(h) of the GDPR.
17.8 Control 7
Control activity: Written procedures are available which describe that the Organization ensures that the persons authorized to process personal data are subject to confidentiality or other appropriate statutory obligation of professional secrecy. There is an ongoing - and at least once a year - assessment of whether the procedures need to be updated and whether the procedures are complied with.
Performed control: Inspected that the persons authorized to process personal data are subject to confidentiality or other appropriate statutory obligation of secrecy.
Result of control: The Organization has employee instructions which apply to the employees of the Organization that work with and process the personal data entrusted to the Organization by one or more data controllers. The employee instructions contain provisions that commit the employees of the Organization to confidentiality in accordance with article 28(3)(b) of the GDPR.
17.9 Control 8
Control activity: The written procedures in control 7 are available for Organization employees.
Performed control: Inspected that the procedures are available for the employees.
Result of control: The Organization confirms that the procedures are available for the employees.
18. Records of processing activities (article 30)
18.1 Control objective
Procedures and controls are complied with in order to ensure that the Organization maintains records of processing activities.
18.2 Control 1
Control activity: The Organization has a record of processing activities.
Performed control: Inspected that the Organization has a record of processing activities.
Result of control: The Organization has prepared records of the Organization's processing activities in accordance with article 30(1) of the GDPR.
19. Security of processing (article 32)
19.1 Control objective
Procedures and controls are complied with in order to ensure that the Organization has implemented technical and organizational measures based on a risk assessment in order to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
19.2 Control 1
Control activity: The Organization has made a risk assessment of the processing of personal data, including the preparation of the Organization's security descriptions.
Performed control: Inspected that the Organization has made a risk assessment of the processing of personal data, including the preparation of the Organization's security descriptions.
Result of control:
The Organization has assessed the specific risks in connection with determining the security measures, and the Organization makes continuous risk assessments by following a defined annual cycle of work. Reference is made to the annual cycle of work for more information and the underlying documentation.
19.3 Control 2
Control activity: The Organization has implemented appropriate technical and organisational security measures which cover the risk in the Organization's risk assessment.
Performed control: Inspected that the Organization has implemented appropriate technical and organisational security measures which cover the risk in the Organization's risk assessment.
Result of control: The Organization confirms that it complies with the security measures described in applicable data processing agreements in accordance with article 32 of the GDPR.
20. Personal data breach (article 33 and article 34)
20.1 Control objective
Procedures and controls are complied with in order to ensure that the Organization is able to make adequate notification of a personal data breach to the supervisory authority as well as to communicate the breach to the persons affected.
20.2 Control 1
Control activity: The Organization ensures that all personal data breaches are registered and documented.
Performed control: Inspected that the Organization has registered and documented all personal data breaches.
Result of control: The Organization continuously and systematically registers any personal data breaches regardless of whether such breaches are to be notified to the data protection agencies. The Organization's registrations include the necessary information in accordance with article 33(5) of the GDPR, including information about the facts relating to each personal data breach, its effects and the remedial actions taken.
20.3 Control 2
Control activity: Written procedures are available - and updated at least once a year - in which handling of a personal data breach is described.
Performed control: Inspected that written procedures are available in which handling of a personal data breach is described.
Result of control: The Organization uses procedures for handling personal data breaches in accordance with articles 33 and 34 of the GDPR. The procedures contain specifics of how to handle personal data breaches, including the notification of personal data breaches to the data protection agencies and communication to the data subjects.
20.4 Control 3
Control activity: The written procedures in control 2 are available for Organization employees.
Performed control: Inspected that the procedures are available for the employees.
Result of control: The Organization confirms that the procedures are available for the employees.
21. The Organization's procedure as a data processor
21.1 Control objective
Written procedures and controls are complied with in order to ensure that the Organization complies with the requirements imposed on the Organization as a data processor.
21.2 Control 1
Control activity: Written procedures are available in which it is described how the Organization can help with providing information about a specific processing of personal data to the data subject. There is an ongoing - and at least once a year - assessment of whether the procedures need to be updated and whether the procedures are complied with.
Performed control: Inspected that written procedures are available in which it is described how the Organization can help with providing information about a specific processing of personal data to the data subject.
Result of control: The Organization's data processing agreements contain provisions about the requirements of article 28(3)(e) of the GDPR, meaning that the Organization, taking into account the nature of the processing, as a data processor must assist the data controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the data controller's obligation to respond to requests for exercising the data subject's rights laid down in chapter III of the GDPR.
21.3 Control 2
Control activity: The Organization has received instruction on the processing of personal data from the data controller.
Performed control: Inspected that the Organization has received instructions on the processing of personal data on behalf of the data controller.
Result of control: The Organization's data processing agreements stipulate that the Organization as a data processor only processes personal data on documented instructions from the data controller in accordance with article 28(3)(a) of the GDPR.
21.4 Control 3
Control activity: Employees at the Organization and the sub-processors used by the Organization are instructed about the data controllers' instructions on the processing of personal data.
Performed control: Inspected that the Organization has written instructions or procedures requiring Organization employees to only process personal data in accordance with the data controllers' instructions.
Result of control: The Organization has employee instructions, which apply to the employees of the Organization that work with and process the personal data entrusted to the Organization by one or more data controllers. The employee instructions contain provisions specifying that the employees may only process personal data in accordance with the instructions from the applicable data controllers in accordance with article 28(3)(a) of the GDPR.
21.5 Control 3
Control activity: The written procedures in control 3 are available for Organization employees.
Performed control: Inspected that the procedures are available for the employees.
Result of control: The Organization confirms that the procedures are available for the employees.
21.6 Control 4
Control activity: The Organization has written procedures and controls, including a description of the technical and organisational measures in order to protect the data subject's rights and to process personal data on behalf of the data controller.
Performed control: Inspected that the data controller has approved the Organization's written procedures and controls, including a description of the technical and organisational measures in order to protect the data subject's rights and to process personal data on behalf of the data controller.
Result of control: The Organization's data processing agreements contain descriptions of the technical and organisational measures that the Organization as a data processor has implemented in accordance with article 28(3)(c) and article 32 of the GDPR.
21.7 Control 5
Control activity: The Organization has a description of the use of sub-processors, including a description of the sub-processors' technical and organisational measures in order to protect the rights of the data subjects and the processing of personal data on behalf of the data controller.
Performed control: Inspected that the data controller has approved the Organization's sub-processors, including the technical and organisational measures they have implemented.
Result of control: The Organization's data processing agreements contain provisions about the authorisation of the Organization's current data processors, i.e. sub-processors. This includes descriptions of how and under what criteria new sub-processors are to be engaged and approved in accordance with article 28(2) and article 28(4) of the GDPR.
21.8 Control 6
Control activity: Written procedures are available which describe that the Organization is obligated to assist the data controller with the preparation of and compliance with data protection impact assessments.
Performed control: Inspected that there are updated written procedures which describe that the Organization is obligated to assist the data controller with the preparation of and compliance with data protection impact assessments.
Result of control: The data processing agreements that the Organization has concluded contain provisions which specify that the data processor, in accordance with article 28(3)(f) of the GDPR, assists the data controller in preparing the necessary data protection impact assessments (DPIAs) in accordance with article 35 of the GDPR.
21.9 Control 7
Control activity: Written procedures are available which describe that the Organization is obligated to assist the data controller with the preparation of and compliance with prior consultations.
Performed control: Inspected that there are updated written procedures which describe that the Organization is obligated to assist the data controller with the preparation of and compliance with prior consultations.
Result of control: The data processing agreements that the Organization has concluded contain provisions which specify that the data processor, in accordance with article 28(3)(f) of the GDPR, assists the data controller in preparing the necessary prior consultations in accordance with article 36 of the GDPR.
21.10 Control 8
Control activity: In the event of a personal data breach the Organization forwards documentation to the data controller covering the facts of the personal data breach, the likely consequences of the breach and the measures taken to prevent and stop the breach.
Performed control: Inspected that the Organization forwards documentation to the data controller covering the facts of the personal data breach, the likely consequences of the breach and the measures taken to prevent and stop the breach.
Result of control: In the event of a personal data breach, the Organization sends documentation to the applicable data controller, including documentation of the facts relating to the personal data breach, its effects, the remedial actions taken and any other information agreed to in the applicable data processing agreement(s).
21.11 Control 9
Control activity: Written procedures are available - and updated at least annually - in which the Organization's transfer of personal data as a data processor is regulated.
Performed control: Inspected that there are procedures for the transfer of personal data.
Result of control: The Organization's data processing agreements take into consideration whether the Organization as a data processor may transfer personal data under the relevant data processing agreements to so-called third countries outside the EU/EEA.
22. Transfer of personal data (articles 44-50)
22.1 Control objective
Procedures and controls are complied with in order to ensure that transfer of personal data to a third country or an international organisation only happens if a legal basis for transfer exists.
22.2 Control 1
Control activity: To the extent that personal data is transferred to third countries, there is a legal basis for transfer.
Performed control: Inspected that there is a legal basis for transfer of personal data to third countries.
Result of control: To the extent that the Organization transfers personal data to so-called third countries outside the EU/EEA, the Organization has provided documentation of a correct and legal basis for transfer in accordance with articles 44-50 of the GDPR.
23. Contact
23.1 If you have any questions or comments regarding the Report, please contact:
Søren Iversen,
soren@ziik.io
24. Signatures
24.1 The content and correctness of the Report are hereby confirmed by the Organization.