.. based on a point scale, considering
- How many people? (< 1,000 = 1 pt, 1,000-10,000 = 2 pt, > 10,000 = 3 pt)
- Special categories of personal information? (Sensitive personal information) (3 pt)
- Other personal data of a nature worthy of protection? (Confidential information) (2 pt)
- Special processing activities? (2 pt)
.. resulting in different concepts that can be chosen
(1-2 points -> Concept 1-6, 3-4 points -> Concept 2-6, 5-6 points -> Concept 3-6, 7-10 points -> Concept 5-6)
- Concept 1 – Do not do anything unless you become aware of something wrong with the data processor.
- Concept 2 – The data processor confirms – preferably in writing – to you that all requirements in the data processor agreement are still complied with.
- Concept 3 – The data processor provides you annually – either directly or via its website – a written status of the matters covered by the data processor agreement and other relevant areas (e.g. organizational or product changes).
- Concept 4 – The data processor has a relevant and updated certification or follows a so-called code of conduct that is relevant to your processing activities.
- Concept 5 – An independent third party has conducted a documented inspection of the data processor in an area that also covers your processing activities.
- Concept 6 – You carry out a documented inspection of the data processor yourself – or together with others.