Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
71 lines (52 sloc) 5.61 KB

This is a compliance audit template to map the GDPR compliance level of your software extension

Personal Data handled/processed and Consent
Which are the personal data that are expected to be collected by the extension?
Does the extension also collect data to be shared with an owned or third-party server apart from the data collected and stored with the local installation?
Which are the data entry points of the personal data collection (i.e. cookies, forms)?
Is there a functionality to collect and log consents from users that submit their personal data?
Is there a functionality that gives the user the ability to withdraw their consent? If yes, to what?
Is the consent functionality connected to the core API?
Is the extension collecting personal data that is not needed/being used currently?
Consent for additional special categories
Is there a functionality to generate additional consent functionalities (checkboxes?) for the up front consent of the users to the use of personal data in case of i.e. marketing, profiling, children data, sensitive data?
Is the consent functionality connected to the core API?
Consent for Cookies collecting personal data
Does the extension installs cookies to be functional or for any other reason (tracking, performance, advertising)?
If yes, is there a functionality for the up front consent by the user in case the software installs cookies that are collecting any personal data?
If there a functionality to collect consents is provided, is there also a functionality for the user/s to withdraw consent?
Right to Data Portability
Is there a functionality that gives users the ability to request and download their data?
Right of Access by the Data Subject
Does the extension provides a dashboard to the users with settings to edit their personal data?
Is the consent functionality connected to the core API?
Right to be Forgotten
Is there a functionality that offers to users the ability to securly delete all of their data?
Is the consent functionality connected to the core API?
Privacy by Default
Does the software have all the settings set to the most private possible due to its scope?
Security Measures
Is there a secure https transmission (SSL/TLS) for all the resources used by the functionality?
If there is a need to apply encryption, is the data stored encrypted?
If there is a need to apply anonymization or pseudonymization techniques are they applied?
Third parties/Subprocessors
Incase you use third parties to provide a service or a functionality, have you included it to your third parties or subprocessors list?
Have you signed a DPA related document with third parties (in case you use third parties)?
Notification to user
Do you provide a Privacy Policy to users?
Do you include users' rights in your Privacy policy?
Do you include all the third party partners in you Privacy Policy?

Author

V.1 release:

Achilleas Papageorgiou - Joomla! Compliance Team Leader, Member of the Cross-CMS Compliance Coalition

Contributors

Alan Mac Kenna (Umbraco CMS), Heather Burns (WordPress), Luca Marzo (Joomla!), Gabor Javorszky (WordPress)

You can’t perform that action at this time.