Question 1 – Legal entity’s name and contact details (address, telephone number, e-mail address and name of the legal representative)?
Question 2 – Contact person’s contact details (name, title, telephone number, e-mail address)?
Question 3 – Where is the registered office of the legal entity?
Question 4 – Please provide us with a brief description of the legal entity’s existing structure (branches, different controlled entities, presence in several countries, total number of customers, total number of staff, managers, etc.). Which of the other entities must comply with the Regulation?
Question 5 – What is the scope of the legal entity?
Question 6 – What kind of personal data of the staff are collected and processed, how (i.e. contracts that refer to these exact personal data of the staff), where and how long are they stored for?
Question 7 – What kind of personal data of customers and/or third parties (i.e. resellers, agents, intermediaries, etc.) are collected and processed, how (i.e. contracts that refer to these exact personal data), where and how long are they stored for?
Question 8 – Does the legal entity collect, store or process, in any way, special categories of personal data (meaning: data that reveal racial or ethnic origin, political opinions, mental or physical health, criminal records, religious or other beliefs, etc.)? If it does, how (e.g. physical or electronic document) and where are they stored?
Question 9 – Does the legal entity keep personal data in physical records? If so, has a level of protection been taken into account and implemented (e.g. security guard)?
Question 10 – Are personal data collected and stored only on a local-national level or on an international level too?
Question 11 – Does a transfer of personal data between the legal entity and third parties take place? If it does, what kind of personal data is transferred and on what frequency (systematically or on case-by-case basis)?
Question 12 – Does the legal entity have profiling mechanisms and/or automated promotions (e.g. digital marketing practices, market mapping, group e-mails, etc.)?
Question 13 – Does the legal entity keep personal data that does not relate to the purpose for which they were collected?
Question 14 – Does the legal entity have processes in place for the pseudonymisation and encryption of personal data? If yes, which data does it pseudonymise and encrypt?
Question 15 – Is the legal entity able to distinguish between proprietary personal data of itself and personal data of third parties, for example by a scheme to categorize these personal data?
Question 16 – Does the company collect data of children for any purpose? Is there any differentiation in the processing of such data? Has parental consent been assessed? How is it ensured that children are fully aware of the processing? How is the age of these children verified?
Question 17 – Do the clients of the legal entity have access to their personal data? If so, how?
Question 18 – Does the legal entity have the appropriate procedures and/or systems to record the consent of data subjects before processing their personal data? If so, with which procedures or systems is the consent recorded? Is the consent unambiguous (i.e. do the subjects consent by a positive act, having been given sufficient information to decide whether they will consent)?
Question 19 – Does the legal entity receive outsourced services through which external partners process, or have access to, personal data held by the legal entity? If so, how do these external partners obtain access?
Question 20 – Has the legal entity established privacy policies, a security policy or other binding corporate rules and procedures relating to the security of its IT systems and the personal data held on them? If so, what are they and how do they cover the special categories of personal data?
Question 21 – Does the legal entity have procedures for safe deletion, deliberate destruction and personal data portability?
Question 22 – Does the legal entity have an IT service or department? If so, is it familiar with the procedure of processing personal data, in order to apply the requirements of the new Regulation to the legal entity’s electronic systems?
Question 23 – Has any security breach of the legal entity’s information systems, or of the data kept in them, ever occurred? If so, please provide us with a brief description.
Question 24 – Does the legal entity have private insurance coverage to cover IT security breach or online tampering?
Question 25 – Has the legal entity ever been audited by the Supervisory Authority? If so, has any fine been imposed on it?
Question 26 – Does the legal entity apply adequate procedures for identifying, reporting and dealing with personal data breaches? If so, how? Are any breaches reported to the competent Supervisory Authority? If so, in what ways?
Question 27 – Has the legal entity implemented mechanisms for informing the data subjects in case of a breach of their personal data? If so, what mechanisms?
Question 28 – How does the legal entity become aware of any complaints by the subjects about the handling or processing of their personal data?
Question 29 – Please describe the applications through which personal data is collected/stored in your information systems (e.g. ERP, CRM) or, if the collection/storage is done by an external partner, the applications that the latter uses (e.g. Cloud).
Question 30 – Please describe the basic security solutions (such as encryption, DLP, SIEM, daily back up, firewall, etc.) with regard to personal data protection.
Question 31 – Does the legal entity hold a certification relating to the protection of personal data? If so, which one and at what level (ISO, PCI, etc.)?
This questionnaire, as well as the information contained therein, is the intellectual property of the law firm Sarakinos Law and is protected by the intellectual property laws of Greece. This questionnaire also contains information and questions that are confidential and belong to the exclusive property of the law firm Sarakinos Law and are prohibited from being disclosed to third parties, copied or used in whole or in part by the recipient or any third party for any purpose and without the express written permission of the law firm Sarakinos Law.