
GDPR Questionnaire

Hello and thank you very much for being part of our Kertos journey! 

By completing this questionnaire, you will help us to make your company as efficient as possible and tailored to your personal needs, while ensuring compliance with data protection laws. 


Does the company consist of several legal entities/companies?

Please upload an organizational chart of the corporate structure.

Accepted file formats: PNG, JPEG, PDF.

Are any of the corporate entities located in a third country?

Third country = any country outside the EU and the European Economic Area (the EEA comprises the EU member states plus Liechtenstein, Norway, and Iceland).

Please list the relevant third countries.


Is data exchanged between the individual companies?

Have contracts been concluded between the companies for the processing of data (e.g., data processing agreements, other contracts)?

Is there a works council?

Please describe (briefly and concisely) the main activity or activities of the company.

What do you do (product/service)? For whom (B2B/B2C)?


Is artificial intelligence (AI) used in your company - either internally by employees or as part of your products/services?

Please select one or more of the possible answers:

Through which digital channels do you offer your services or products?


Please insert the links/information about the websites/platforms/apps you operate here.


Is a newsletter used on the website?


Which provider? (e.g. Mailchimp, HubSpot, Brevo)


Is there a career portal or application option?

Which provider? (e.g., Personio, Workday, custom form)


Is a live chat used on the website?


Which provider? (e.g. Intercom, Drift, Tidio)


Is there a demo or appointment booking page?


Which provider? (e.g. Calendly, Cal.com, HubSpot Forms)


Is there a directory documenting what data processing takes place within the company (a record of processing activities in the sense of Article 30 GDPR)?

This could be a list of the individual business processes of the respective departments, showing which data is processed, how, and why.

Examples of individual processing activities: lead generation, operation of the company website, customer relationship management.

If the company is a service provider (e.g., offering software in the area of compliance): Is there separate documentation of the processing carried out on behalf of customers (i.e., as a processor)?

Please list the individual departments of your company according to the example below.

E.g.:
HR-Department
Finance
Legal
...

Who is the internal contact person for data protection (data protection coordinator)?


Who approves and reviews data protection and security policies and decisions?


Who is responsible for IT security/system administration (e.g., IT administrator, head of IT)?


Are there other relevant roles related to data protection and security (e.g., CISO)?


Are freelancers employed in the company, and if so, in what role?


What types of data are collected, processed, and stored in the product?


Are special categories of personal data within the meaning of Article 9 GDPR processed (apart from the HR department)? These include, for example, health data, biometric or genetic data, data on religious beliefs, trade union membership, political opinions, sexual orientation, and racial or ethnic origin.

Does the company also process data relating to children?

Children within the meaning of the GDPR are persons under 16 years of age (Article 8 GDPR; individual member states may lower this threshold to 13).

Are decisions made in the company based on automated processing?

Example: An algorithm evaluates and decides on a person's creditworthiness, and the results are used to make a decision on whether to grant a loan.

Have in-depth assessments already been carried out for individual processing operations, weighing the interests of the company against the rights of the data subjects (data protection impact assessment, DPIA)?

Explanation: The GDPR requires that data processing operations that pose a high risk to the rights and freedoms of natural persons (e.g., video surveillance) must be subject to a separate assessment.

Is there a (documented) process for handling data subject requests?

Data subject requests include, for example, requests for access, erasure, or rectification of personal data.

Is there a (documented) process for handling the deletion of data and the associated retention requirements (deletion concept)?

Is there a (documented) process for dealing with data breaches (e.g., hacker attacks)?

Have any of the following been an issue in the company in the past?

Have employees received training on data protection in the past?

Is access to systems/folders/IT infrastructure restricted to those employees who actually need it?

Is the use of private IT devices (e.g., smartphones) permitted for work purposes?

Is the use of the company network (internet, email, or IT devices) permitted for private purposes?

Is the IT infrastructure regularly subjected to external audits (e.g., ISO 27001, TÜV)?

Can systems and data collections be restored in the event of loss or destruction?

Is remote work permitted in the company (e.g., working from home or workation)?

What forms of remote work are permitted in the company?

How is external access to systems or the company network carried out?

Can employees independently install software/tools on (the company's) IT devices?

Is there an IT security concept / technical and organizational measures (TOM)?

Does the company use any kind of surveillance measures such as video surveillance, GPS tracking, or microphones?

Please specify the form of monitoring.

How is marketing conducted within the company (email, events, CRM)?

How are leads and customers approached in sales (outreach)?

Are employees (who work with personal data) bound to confidentiality?

This does not refer to the obligation to maintain confidentiality of trade secrets under employment contracts. It refers to the obligation to comply with GDPR requirements.

Is there data protection information (a privacy notice) for employees?

Data protection information is not only required for the website, but also for employment relationships, for example.

Is there data protection information (a privacy notice) for applicants?

Does the company already have data protection guidelines in place (e.g., password policy, dealing with suppliers, handling personal data)?


Please tell us which guidelines already exist:

For example, password policy, IT security policy


In which language(s) are the documents/guidelines required?

Which of the following frameworks could be relevant for your company in the future?

Thank you very much!
