Name of Organisation

Completed by

Date Questionnaire Completed

What personal data do you process on Company’s behalf? (This could include data of Company’s clients)

(UK-only) Are you registered with ICO? If yes, please provide registration number. (US-only) Are you certified under US-EU Privacy Shield? If yes, please provide registration number.

Do you have a Data Protection Officer? If not, who is the person responsible for data protection of personal data processed by your organisation?

Do you have a data protection policy in place? When was the last time this was reviewed? How regularly is this reviewed?

Do you process any personal data (internally or externally) on Company’s behalf outside the EEA (this could include Company’s client data)?

Are any of your personal data processing activities carried out by third parties (sub-processors)? List them and describe the processes, location of the provider and the data accessed by the processor.

How is the personal data stored? If using 3rd party services to store data, please list them, detailing where and how data is stored.

How is archived personal data stored? If using 3rd party services to store data, please list them, detailing where and how data is stored.

Please describe the security procedures in place to keep all personal data processed on behalf of Company secure.

How would you deal with possible security breaches where the security of personal data on behalf of Company (or Company’s clients) has been compromised?

What measures are in place to protect personal data during storage and transfer?

How do you ensure that personal data is not retained longer than instructed?

Will you store any personal data processed on behalf of Company once the contract with Company has come to an end?

How are you able to support Company on dealing with subject access requests?

Are you able to delete all personal data of a specific individual upon request?

Are you able to delete personal data based on a retention schedule?

Do employees in your organisation receive training on data protection and other relevant law? Please describe briefly the nature of training given and when it takes place.

What personal data sources do you use in the data research process?

Knowing that personal data you provide is to be used for direct marketing purposes, how do you ensure that only data that can be legally marketed to is provided?

If you provide personal data with consent for direct marketing, how is the consent collected? What audit trail are you able to provide for consent records?