Name of Organisation*

Completed by*

Date Questionnaire Completed*

What personal data do you process on Company’s behalf? (This could include data of Company’s clients)*

(UK-only) Are you registered with ICO? If yes, please provide registration number. (US-only) Are you certified under US-EU Privacy Shield? If yes, please provide registration number.*

Do you have a Data Protection Officer? If not, who is the person responsible for data protection of personal data processed by your organisation?*

Do you have a data protection policy in place? When was the last time this was reviewed? How regularly is this reviewed?*

Do you process any personal data (internally or externally) on Company’s behalf outside the EEA (this could include Company’s client data)?*

Are any of your personal data processing activities carried out by third parties (sub-processors)? List them and describe the processes, location of the provider and the data accessed by the processor.*

How is the personal data stored? If using 3rd party services to store data, please list them, detailing where and how data is stored.*

How is archived personal data stored? If using 3rd party services to store data, please list them, detailing where and how data is stored.*

Please describe the security procedures in place to keep all personal data processed on behalf of Company secure.*

How would you deal with possible security breaches where the security of personal data processed on behalf of Company (or Company’s clients) has been compromised?*

What measures are in place to protect personal data during storage and transfer?*

How do you ensure that personal data is not retained longer than instructed?*

Will you store any personal data processed on behalf of Company once the contract with Company has come to an end?*

How are you able to support Company in dealing with subject access requests?*

Are you able to delete all personal data of a specific individual upon request?*

Are you able to delete personal data based on a retention schedule?*

Do employees in your organisation receive training on data protection and other relevant law? Please describe briefly the nature of the training given and when it takes place.*

What personal data sources do you use in the data research process?*

Knowing that personal data you provide is to be used for direct marketing purposes, how do you ensure that only data that can be legally marketed to is provided?*

If you provide personal data with consent for direct marketing, how is the consent collected? What audit trail are you able to provide for consent records?*