A compliance maintenance action plan is essential to ensure that your company remains compliant with the GDPR. The plan should be drawn up and followed with the support of a DPO with proven data protection skills, so that its actions are effective and relevant.
The compliance maintenance action plan should include the following steps:
- Analysis of the current compliance status: This step involves assessing the current compliance status of your company by examining existing processes, policies, and procedures for the collection, processing, storage, and protection of employee health data. This step may also include a risk analysis for the confidentiality and security of employee health data.
- Identification of gaps: This step involves identifying areas where your company is not in compliance with GDPR rules. This step can be done by comparing company policies and procedures with GDPR requirements.
- Development of an action plan: This step involves developing an action plan to address the gaps identified in the previous step. This action plan should include specific actions to be taken to ensure your company’s compliance with GDPR rules.
- Implementation of the action plan: This step involves implementing the actions identified in the action plan. It is important to follow the steps rigorously to ensure that the actions are implemented correctly.
- Evaluation of effectiveness: This step involves evaluating the effectiveness of the actions taken to maintain GDPR compliance. This evaluation may include compliance testing, security assessments, and employee satisfaction surveys.
Compliance Maintenance Action Plan: First Quarter 2023
Monitoring employees’ consent for the collection and processing of their health data, as well as the effectiveness of the methods for collecting and storing this data in compliance with GDPR standards.
Monitoring employees’ consent for the collection and processing of their health data involves ensuring that employees have given explicit, freely given, informed and unambiguous consent to the collection, processing and storage of their health data. Two caveats apply. Health data is a special category under Article 9, so processing is prohibited unless one of the Article 9(2) conditions is met; explicit consent (Article 9(2)(a)) is only one of them, and occupational health processing will often rest on Article 9(2)(b) or 9(2)(h) instead. In addition, because of the imbalance of power between employer and employee, supervisory authorities generally consider that an employee’s consent is not freely given unless refusal carries no detriment (Recital 43), so the audit should record which Article 9(2) condition is actually relied on rather than assume consent.
To do this, it is necessary to verify that employees have been clearly and transparently informed about the purposes for which their health data is collected, the recipients of this data, their rights regarding data protection, and the duration of the retention of this data.
It is also important to verify that employees have been clearly and precisely informed of their right to withdraw their consent at any time and that procedures have been put in place to facilitate the exercise of this right.
It is also important to ensure the effectiveness of the methods for collecting and storing this data in compliance with GDPR standards, for example by verifying that health data is collected proportionately to the purpose of the processing, that technical and organizational measures have been put in place to ensure data security, that access to data is limited to those who need it, and that the data is retained for a duration that does not exceed the necessary duration for the purpose of the processing.
Audit Checklist | Compliance with GDPR | Yes | No | N/A |
---|---|---|---|---|
Consent for employee health data collection and processing | Article 7 | |||
Employees are informed of data collection purposes and recipients | Article 13, 14 | |||
Employees are informed of their data protection rights | Article 13, 14, 15, 16, 17, 18, 20, 21, 77, 79 | |||
Employees are informed of data retention duration | Article 13, 14 | |||
Procedures in place for employee consent withdrawal | Article 7 | |||
Proportional collection and processing of health data | Article 5, 9 | |||
Technical and organizational measures for data security | Article 32 | |||
Access to data limited to those with need-to-know | Article 32 | |||
Data retention duration is not excessive | Article 5 |
In this example, the checklist includes specific GDPR articles that relate to each item. The “Yes,” “No,” and “N/A” columns can be used to indicate whether the audited item is compliant, non-compliant, or not applicable.
Ensuring that workers have easy access to their health data and that requests for deletion or modification of this data are processed in accordance with GDPR regulations.
Ensuring that workers have easy access to their health data and that requests for deletion or modification of this data are processed in accordance with GDPR regulations involves ensuring that workers can exercise their rights of access, rectification, erasure, or portability of their health data easily and quickly.
To do this, it is important to verify that workers have access to a simple and effective procedure for exercising their rights and that designated persons within the company are responsible for responding to workers’ requests. It is also important to ensure that workers are informed clearly and transparently about the conditions for exercising their rights, the response times, and the means of contacting the designated persons to respond to their requests.
In addition, it is important to verify that requests for deletion or modification of health data are processed in accordance with GDPR regulations. This involves verifying that the health data in question is accurate, relevant, and up to date, that the request is justified, and that workers’ rights are respected. In case of a request for deletion or modification of health data, it is also important to ensure that all relevant data is deleted or modified and that evidence of this action is properly retained.
Audit Checklist | Compliance with GDPR | Yes | No | N/A |
---|---|---|---|---|
Workers have easy access to their health data | Article 15 | |||
Workers can exercise their rights of access, rectification, erasure, or portability | Articles 15, 16, 17, 20 | |||
Simple and effective procedure for exercising rights in place | Articles 12, 15, 16, 17, 20, 21 | |||
Designated persons responsible for responding to workers’ requests | Articles 12, 15, 16, 17, 20, 21 | |||
Workers are informed clearly and transparently about exercising their rights | Articles 12, 15, 16, 17, 20, 21 | |||
Workers are informed of response times and means of contact | Articles 12, 15, 16, 17, 20, 21 | |||
Requests for deletion or modification of health data are processed in accordance with GDPR regulations | Articles 5, 16, 17, 18 | |||
Health data is accurate, relevant, and up to date | Article 5 | |||
Request for deletion or modification is justified | Article 17 | |||
Workers’ rights are respected | Articles 12, 15, 16, 17, 20, 21, 77, 79 | |||
Relevant data is deleted or modified and evidence is properly retained | Articles 5, 17, 18, 24, 30 |
This checklist includes specific GDPR articles that relate to each item. The “Yes,” “No,” and “N/A” columns can be used to indicate whether the audited item is compliant, non-compliant, or not applicable.
Verifying that the exchange of health data with third parties is carried out in compliance with GDPR rules on security, confidentiality, and consent.
Verifying that the exchange of health data with third parties is carried out in compliance with GDPR rules on security, confidentiality, and consent involves ensuring that all health data shared with third parties is protected and processed in compliance with GDPR rules.
To do this, it is important to verify that the company has implemented appropriate technical and organizational security measures to ensure the security and confidentiality of health data during its transmission and storage with third parties. It is also important to ensure that the third parties have signed data processing contracts that comply with GDPR requirements.
It is also important to verify that workers are informed clearly and transparently about the exchange of health data with third parties, the purposes of these exchanges, and the recipients of this data. Workers must also give their explicit, free, informed, and unambiguous consent for their health data to be shared with third parties.
Finally, it is important to verify that the exchange of health data with third parties is carried out in compliance with GDPR rules on data retention, purpose of processing, and workers’ rights. This involves ensuring that health data is collected proportionally to the purpose of the processing and that the duration of data retention is compliant with GDPR legislation.
Audit Checklist | Compliance with GDPR | Yes | No | N/A |
---|---|---|---|---|
Technical and organizational security measures in place | Article 32 | |||
Third parties have signed GDPR-compliant data processing contracts | Article 28 | |||
Workers are informed clearly and transparently about the exchange of health data with third parties | Articles 12, 13, 14 | |||
Workers give explicit, free, informed, and unambiguous consent for health data to be shared with third parties | Article 7 | |||
Data is collected proportionally to the purpose of processing | Article 5 | |||
Data retention duration is compliant with GDPR legislation | Article 5 | |||
Finality of processing is compliant with GDPR legislation | Article 5 | |||
Workers’ rights are respected | Articles 12, 15, 16, 17, 20, 21, 77, 79 |
This checklist includes specific GDPR articles that relate to each item. The “Yes,” “No,” and “N/A” columns can be used to indicate whether the audited item is compliant, non-compliant, or not applicable.
Evaluating the compliance of data security policies and the implementation of appropriate technical and organizational measures to ensure the security of employee health data.
Evaluating the compliance of data security policies and the implementation of appropriate technical and organizational measures to ensure the security of employee health data involves verifying that the company has implemented security measures to protect employee health data.
To evaluate the compliance of these security policies, it is important to verify that the company has implemented technical measures such as health data encryption, password management, access limitation, and strong authentication. The company must also have implemented organizational measures such as staff training, security policies, and internal controls to protect health data.
It is also important to ensure that the company has conducted a risk analysis to identify potential risks to the security of health data and has implemented measures to mitigate them.
Finally, it is important to verify that the company has implemented security policies for mobile devices such as laptops and smartphones, and that these policies are compliant with GDPR rules. The company must also have established procedures for erasing data on mobile devices in case of loss or theft.
Audit Checklist | Compliance with GDPR | Yes | No | N/A |
---|---|---|---|---|
Technical security measures are in place | Article 32 | |||
Organizational security measures are in place | Article 32 | |||
Risk analysis has been conducted | Article 35 | |||
Risks have been mitigated | Article 32 | |||
Encryption of health data is used | Article 32 | |||
Password management is used | Article 32 | |||
Access limitation is used | Article 32 | |||
Strong authentication is used | Article 32 | |||
Staff training is in place | Article 32 | |||
Security policies are in place | Article 32 | |||
Internal controls are in place | Article 32 | |||
Policies for mobile devices are in place | Article 32 | |||
Procedures for erasing data on mobile devices are in place | Article 32 |
This checklist includes specific GDPR articles that relate to each item. The “Yes,” “No,” and “N/A” columns can be used to indicate whether the audited item is compliant, non-compliant, or not applicable.
Ensuring that employees receive regular training on GDPR rules, risks to the confidentiality and security of their health data, and ways to protect them is a key element of GDPR compliance in occupational health services.
To ensure this compliance, it is important to set up regular training sessions for all employees, including medical personnel and those responsible for managing health data. This training should cover the following key points:
- The fundamental principles of GDPR regulations on personal data protection and health data confidentiality.
- Employee rights related to data protection, including their right to access, rectify, erase, and transfer their health data.
- Risks to the confidentiality and security of health data, such as cyberattacks, security breaches, human errors, etc.
- Technical and organizational measures to protect health data, such as secure passwords, restricted access, monitoring of suspicious activity, etc.
- Internal procedures to report data breaches and to respond quickly and effectively in case of a security incident.
In addition to initial training, it is also important to offer regular training sessions to keep employees’ knowledge up to date and to provide them with access to online resources such as best practices guides, newsletters, webinars, etc.
It is also important to ensure that employees understand the importance of protecting health data and the need to comply with GDPR rules, by explaining the potential consequences for the company and for themselves in case of non-compliance.
Audit Checklist | Compliance with GDPR (Article) | Yes | No | N/A |
---|---|---|---|---|
Data Protection Officer (DPO) | Article 37 | |||
Compliance Action Plan | Article 24 | |||
Consent for Health Data | Article 7 | |||
Data Exchange with Third Parties | Article 28 | |||
Employee Data Access | Article 15 | |||
Employee Training | Article 39 | |||
Security Measures | Article 32 | |||
Data Breach Management | Article 33 | |||
Records of Processing Activities | Article 30 |
Compliance Maintenance Action Plan: Second Quarter 2023
Assessing the compliance of contracts with external service providers for the collection, processing and storage of employee health data to ensure they comply with GDPR rules is a crucial step in protecting employee health data.
To achieve this, it is important to verify that the data processing contracts signed with external providers contain standard contractual clauses that comply with GDPR requirements. These clauses must include, among other things, the purposes of data collection, processing and storage, the duration of data retention, employee data protection rights, data security, and data breach notification obligations.
It is also important to ensure that external service providers comply with GDPR requirements for data security, including technical and organizational measures to protect health data, data encryption, access management, network security, and more.
Finally, it is important to verify that external service providers have a clear and transparent policy on personal data protection, which should be available to affected employees and accessible on their website.
The goal is to ensure that external service providers comply with GDPR standards and provide a level of protection equivalent to that of the company. If external service providers do not comply with GDPR requirements, corrective measures must be implemented or alternative service providers sought.
Audit Checklist | Compliance with GDPR (Article) | Yes | No | N/A |
---|---|---|---|---|
Policy for data protection | Art. 5 | |||
Procedure for responding to data breaches | Art. 33 | |||
Employee training on GDPR and data protection | Art. 39 | |||
Procedures for managing data subject requests | Art. 12-23 | |||
Records of processing activities | Art. 30 | |||
Contracts with third-party data processors | Art. 28 | |||
Technical and organizational measures for data security | Art. 32 | |||
Regular reviews and audits of data protection practices | Art. 24 | |||
Ensuring easy access for employees to their health data | Art. 15 | |||
Evaluating compliance of data exchanges with third parties | Art. 44-50 | |||
Evaluating compliance of contracts with external service providers | Art. 28 | |||
Ensuring that collected health data is relevant, limited to what is necessary, and proportionate to the purpose of processing, and that the data retention period is compliant with GDPR legislation is a key point of GDPR compliance.
It is important to verify that the health data collected is necessary for the purpose of processing and limited to what is relevant and proportionate to that purpose. It is important to limit the data collected to that which is necessary for the purpose of processing in order to minimize privacy and data security risks.
It is also important to ensure that the data retention period is compliant with GDPR legislation. Health data must be retained for a limited period, which must be justified by the purpose of processing and must not exceed the time necessary to achieve that purpose.
To evaluate the company’s compliance with this point, verify the two conditions above (necessity and proportionality of the data collected, and a retention period justified by the purpose) and, in addition, that procedures are in place to delete health data that is no longer necessary, in accordance with GDPR provisions.
Audit Checklist | Compliance with GDPR | Yes | No | N/A |
---|---|---|---|---|
Privacy Policy and Notice | Article 13, 14 | |||
Data Subject Rights | Articles 15-22 | |||
Legal Basis for Data Processing | Article 6 | |||
Consent | Article 7 | |||
Data Breach Notification and Response | Articles 33-34 | |||
Data Protection Officer (DPO) Appointment | Article 37 | |||
Data Protection Impact Assessment (DPIA) | Article 35 | |||
Processor Contracts | Article 28 | |||
International Data Transfers | Chapter V | |||
Records of Processing Activities | Article 30 | |||
Technical and Organizational Data Security | Article 32 | |||
Employee Data Protection Training | Article 39 | |||
External Service Provider Compliance | Article 28 | |||
Relevant and Limited Data Collection | Article 5 |
Controlling the security and confidentiality of health data during their transmission and storage is crucial to ensure GDPR compliance.
It is important to verify that health data is protected during transmission and storage. This involves verifying that data is transmitted over TLS (SSL and TLS 1.0/1.1 are deprecated and should be disabled), and that data is stored securely using appropriate technical and organizational measures, such as encryption at rest, password management, and restricted access to data.
Additionally, it is important to ensure that access to data is limited to those who need to access it to perform their work, and that these individuals have been trained on GDPR rules and the risks associated with protecting health data.
To assess the company’s compliance with this point, check each of the controls above: TLS on every channel that carries health data, encryption at rest, password management, access restricted to those who need it for their work, and evidence that those individuals have been trained on GDPR rules and the risks specific to health data.
Audit Checklist | Compliance with GDPR | Yes | No | N/A |
---|---|---|---|---|
Data mapping and inventory | Article 30 | |||
Consent management | Articles 6, 7, and 8 | |||
Individual rights management | Articles 12-23 | |||
Third-party management | Article 28 | |||
Data security | Article 32 | |||
Data breach management | Articles 33 and 34 | |||
Employee training | Article 39 | |||
Data retention | Article 5 | |||
Data processing impact assessment | Article 35 | |||
International data transfers | Chapter V |
Checking that data breach notification procedures are in place and that staff is trained to identify, report and respond to data breaches in compliance with GDPR requirements is essential to ensure GDPR compliance.
It is important to verify that data breach notification procedures are clearly defined and that staff are trained to understand and apply them. Breaches must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the company becoming aware of them (Article 33), and, where the breach is likely to result in a high risk to the persons concerned, communicated to those persons without undue delay (Article 34); for health data that threshold will usually be met. Employees should be trained to recognise a data breach and report it immediately to the designated person within the company, because the 72-hour period runs from the moment the company becomes aware of the breach, which makes internal reporting delays costly.
In addition, it is important to ensure that data breach response procedures are in place and that staff is trained to respond to them. This involves ensuring that emergency plans are established to deal with data breaches, that designated persons are informed of their role in the event of a data breach, and that corrective measures are taken to prevent future data breaches.
To assess the company’s compliance with this point, it is important to verify that data breach notification procedures are in place and that staff is trained to identify, report, and respond to data breaches in compliance with GDPR requirements. It is also important to verify that data breaches are reported immediately to the supervisory authority in compliance with the timeframes specified in GDPR legislation, and that emergency plans are established to deal with data breaches.
Audit Checklist | Compliance with GDPR Article | Yes | No | N/A |
---|---|---|---|---|
Ensuring employees receive regular training on GDPR rules, risks to privacy and security of health data, and ways to protect it | Article 39 | |||
Evaluating compliance of contracts with external service providers for collecting, processing, and storing employee health data | Article 28 | |||
Ensuring collected health data is relevant, limited to what is necessary, and proportional to the processing purpose, and that the retention period is compliant with GDPR | Article 5 | |||
Controlling the security and confidentiality of health data during transmission and storage, including verifying the use of encryption, password management, and restricted access to data | Article 32 | |||
Verifying that data breach notification procedures are in place and that personnel are trained to identify, report, and respond to data breaches in compliance with GDPR requirements | Article 33 |
Evaluating the processes for transferring health data to third countries is important to ensure GDPR compliance. It is essential to ensure that appropriate transfer mechanisms are in place and that the rights of the affected workers are protected in accordance with GDPR standards.
It is important to verify that transfers of health data to third countries rest on a mechanism the GDPR authorises: an adequacy decision for the destination country (Article 45) or, failing that, appropriate safeguards under Article 46 such as standard contractual clauses, binding corporate rules or an approved code of conduct. Workers must also be clearly and transparently informed about transfers of their health data to third countries, the purposes of these transfers, and the recipients of this data.
Furthermore, it is important to ensure that the rights of affected workers are protected in accordance with GDPR standards: that transfers are necessary for the purpose of the processing, that health data is kept no longer than the purpose requires, and that workers can exercise their rights with respect to the data held abroad. Where a transfer relies on the worker’s explicit consent, this is the Article 49(1)(a) derogation, which must be interpreted restrictively and requires the worker to have been informed of the possible risks of the transfer; it does not replace an adequacy decision or Article 46 safeguards for routine transfers, and the worker must be able to withdraw consent at any time.
To evaluate the company’s compliance with this point, verify for each transfer which mechanism it relies on and that the corresponding documentation exists (adequacy decision, signed clauses, approved rules or code, or a documented derogation), that workers have been informed as described above, and that their rights can be exercised in practice.
Audit Checklist | Compliance with GDPR | Yes | No | N/A |
---|---|---|---|---|
Data Protection Officer appointment | Article 37 | |||
Data protection policies and procedures | Article 24, 25 | |||
Data protection impact assessments (DPIAs) | Article 35 | |||
Record of processing activities | Article 30 | |||
Lawful basis for processing personal data | Article 6, 9 | |||
Consent requirements | Article 7, 8 | |||
Data subject rights | Article 12-23 | |||
Data breaches and incident management | Article 33, 34 | |||
Third-party data processing agreements | Article 28 | |||
Security and confidentiality of personal data | Article 32 | |||
Transfer of personal data outside the EU/EEA | Chapter V | |||
Compliance monitoring and training | Article 39, 47 |
Compliance Maintenance Action Plan: Third Quarter 2023
Controlling the accuracy and completeness of workers’ contact information for notifications and consent requests, as well as identity verification processes to ensure that health data is not disclosed to unauthorized third parties, is important for GDPR compliance.
It is important to ensure that contact data is accurate and complete to enable workers to receive notifications and consent requests. It is also important to verify that identity verification processes are in place to ensure that health data is not disclosed to unauthorized third parties. Identity verification processes should be proportionate to the risks associated with the disclosure of health data and should ensure that only authorized persons have access to health data.
To evaluate a company’s compliance with this point, it is important to verify that workers’ contact information is accurate and complete and that identity verification processes are in place to ensure that health data is not disclosed to unauthorized third parties.
It is also important to verify that notification and consent procedures are in place to ensure that workers are informed in a clear and transparent manner about the purposes of collecting, processing, and storing their health data, and that workers have given their explicit, freely given, informed, and unambiguous consent.
Finally, it is important to verify that technical and organizational measures are in place to ensure the security and confidentiality of health data during transmission and storage, and that access to data is limited to authorized personnel.
Audit Checklist | Compliance with GDPR | Yes | No | N/A |
---|---|---|---|---|
Evaluate compliance of contracts with external service providers for collection, processing and storage of employee health data to ensure compliance with GDPR rules. | Article 28 | |||
Ensure that the collected health data is relevant, limited to what is necessary and proportional to the purpose of processing, and that the data retention period complies with GDPR legislation. | Article 5 | |||
Control the security and confidentiality of health data during transmission and storage, including checking the use of encryption, password management and restricted access to data. | Article 32 | |||
Verify that procedures for data breach notification are in place and that personnel are trained to identify, report and respond to data breaches in compliance with GDPR requirements. | Article 33, 34 | |||
Evaluate the processes for transferring health data to third countries, ensuring that appropriate transfer mechanisms are in place and the rights of affected workers are protected in accordance with GDPR standards. | Article 44 | |||
Control the accuracy and completeness of workers’ contact information for notifications and consent requests, as well as identity verification processes to ensure that health data is not disclosed to unauthorized third parties. | Article 5, 12 |
The compliance check consists of verifying the compliance of the processes for the deletion and rectification of health data, ensuring that all employee health data is deleted or rectified when necessary and that evidence of this action is properly retained.
It is also important to verify that health data is deleted or rectified in its entirety, and that all copies of such data are also deleted or rectified. It is also necessary to check that health data is retained for a limited duration in accordance with GDPR rules and that it is deleted when this duration is reached.
To evaluate the company’s compliance with this point, it is important to verify that the processes for the deletion and rectification of health data are in compliance with GDPR rules, that health data is deleted or rectified in its entirety, that evidence of this action is properly retained, and that employees are informed of any changes made to their health data. It is also important to check
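The deletion, rectification and retention checks described here, and the data-minimisation checkpoint in the second-quarter plan that asks for procedures to delete health data that is no longer necessary, are normally verified against an audit trail. The following Python script is an added example written for this page, not code from the original page or from any DPO service. It models a health-data store with registered secondary copies, enforces a purpose-based retention schedule, erases or rectifies a record across every copy, and keeps a hash-chained evidence log that proves each action without retaining the health data itself. The retention schedule, the evidence key, the audit date and the sample records are constructed assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule (assumption): maximum retention per purpose, in days.
RETENTION_DAYS = {"occupational-medicine": 5 * 365, "sick-leave": 2 * 365}
# Constructed key for the evidence log (assumption); in production it lives in a key store.
EVIDENCE_KEY = b"example-key-rotate-me"
# Constructed audit date (assumption) used by the demo data below.
DEMO_TODAY = date(2023, 7, 1)


def keyed_digest(value: str) -> str:
    """HMAC-SHA256 of a string; an unkeyed hash of low-entropy health data could be brute-forced."""
    return hmac.new(EVIDENCE_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def entry_hash(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding; links each log entry to the previous one."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class HealthRecord:
    record_id: str
    employee_id: str
    purpose: str
    created: date
    content: str  # the health data itself; never written to the evidence log


class HealthDataStore:
    """Primary store plus an index of every secondary copy (backup, export, cache)."""

    def __init__(self) -> None:
        self.primary: dict[str, HealthRecord] = {}
        self.copies: dict[str, set[str]] = {}  # record_id -> locations holding a copy
        self.evidence: list[dict] = []          # hash-chained audit entries

    def add(self, rec: HealthRecord, copies: tuple[str, ...] = ()) -> None:
        self.primary[rec.record_id] = rec
        self.copies[rec.record_id] = set(copies)

    def _log(self, action: str, rec: HealthRecord, when: date, **extra: str) -> None:
        prev = self.evidence[-1]["entry_hash"] if self.evidence else "0" * 64
        body = {"action": action, "record_ref": keyed_digest(rec.record_id),
                "subject_ref": keyed_digest(rec.employee_id), "purpose": rec.purpose,
                "date": when.isoformat(), "prev_hash": prev, **extra}
        self.evidence.append({**body, "entry_hash": entry_hash(body)})

    def erase(self, record_id: str, when: date, reason: str) -> bool:
        """Delete the record and every registered copy, then log proof of the action."""
        rec = self.primary.pop(record_id, None)
        if rec is None:
            return False
        removed = sorted(self.copies.pop(record_id, set()))
        self._log("erase", rec, when, reason=reason, copies_removed=",".join(removed),
                  content_ref=keyed_digest(rec.content))
        return True

    def rectify(self, record_id: str, new_content: str, when: date) -> bool:
        """Correct the record; the log keeps before/after digests, not the data."""
        rec = self.primary.get(record_id)
        if rec is None:
            return False
        before = keyed_digest(rec.content)
        rec.content = new_content
        self._log("rectify", rec, when, before_ref=before, after_ref=keyed_digest(new_content),
                  copies_to_refresh=",".join(sorted(self.copies.get(record_id, set()))))
        return True

    def enforce_retention(self, today: date) -> list[str]:
        """Erase every record older than its purpose's retention period (storage limitation)."""
        expired = []
        for rid, rec in self.primary.items():
            days = RETENTION_DAYS.get(rec.purpose)
            if days is None:  # a purpose with no retention rule is itself an audit finding
                raise ValueError(f"no retention period defined for purpose {rec.purpose!r}")
            if today - rec.created > timedelta(days=days):
                expired.append(rid)
        for rid in expired:
            self.erase(rid, today, reason="retention-expired")
        return expired

    def verify_evidence(self) -> bool:
        """Recompute the chain; any edited, reordered or dropped entry breaks it."""
        prev = "0" * 64
        for entry in self.evidence:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or entry_hash(body) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo_store() -> HealthDataStore:
    """Constructed sample data (assumption): one expired record, one still within retention."""
    store = HealthDataStore()
    store.add(HealthRecord("r1", "emp-42", "sick-leave", DEMO_TODAY - timedelta(days=800), "fit note"),
              copies=("backup-2021", "hr-export.csv"))
    store.add(HealthRecord("r2", "emp-42", "occupational-medicine", DEMO_TODAY - timedelta(days=30), "vision test"),
              copies=("backup-2023",))
    return store


if __name__ == "__main__":
    store = demo_store()
    print("erased:", store.enforce_retention(DEMO_TODAY), "chain valid:", store.verify_evidence())
```

Two design choices are worth noting. The evidence log stores keyed digests of identifiers and content rather than the values themselves, so an entry can be matched to a worker’s request but cannot be used to reconstruct health data (an unkeyed SHA-256 of a short diagnosis could be brute-forced). The copies index is the part most audits miss: a record erased from the primary store but still present in a backup or an HR export has not been erased "in its entirety", and the log records which locations were cleared so the auditor can check them.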
Audit Checklist | Compliance with GDPR | Yes | No | N/A |
---|---|---|---|---|
Verify the accuracy and completeness of employee health data | Art. 5, 6, 9 and 32 | |||
Ensure that the collection of health data is relevant, limited, and proportionate | Art. 5 and 9 | |||
Control the security and confidentiality of health data during transmission and storage | Art. 5, 32 and 34 | |||
Verify that procedures for data breach notifications are in place | Art. 33 and 34 | |||
Evaluate the processes for transferring health data to third countries | Art. 44-49 | |||
Verify compliance of processes for deletion and rectification of health data | Art. 5, 16, 17, and 32 | |||
Ensure that the rights of data subjects are respected | Art. 12-22 | |||
Verify that employees are trained in data protection | Art. 39 and 47 | |||
Verify that data protection impact assessments are conducted | Art. 35 and 36 | |||
Ensure that the retention period for health data is compliant with the GDPR | Art. 5 and 32 |
The compliance check consists of evaluating the compliance of the security protocols for remote or mobile worker data, such as device encryption, Wi-Fi connection security, and management of data stored on personal devices.
To do so, it is necessary to verify that mobile devices used by workers are protected by appropriate technical and organizational security measures, such as data encryption, the use of strong passwords, and the installation of up-to-date security software.
It is also important to ensure that Wi-Fi connections used by workers are secure: verify that public Wi-Fi networks are not used for the transmission of sensitive data unless the traffic is tunnelled over a company VPN or an application-level TLS connection, so that the network itself does not have to be trusted, and that private Wi-Fi connections are secured with strong passwords and a current encryption protocol such as WPA2 or WPA3 rather than WEP or an open network.
Furthermore, it is important to verify that workers are informed of the risks associated with using their personal devices to store sensitive data, and that procedures have been put in place to manage data stored on these devices.
To evaluate the company’s compliance with this point, it is important to check that the security protocols for remote or mobile worker data are compliant with GDPR rules, that mobile devices are protected by appropriate technical and organizational security measures, that Wi-Fi connections used by workers are secure, and that procedures have been put in place to manage data stored on personal devices.
Audit Checklist | Compliance with GDPR Article | Yes | No | N/A |
---|---|---|---|---|
Verification of the company’s GDPR compliance program | Article 24 | |||
Review of the company’s data protection policy | Article 24 | |||
Verification of the company’s record of processing activities | Article 30 | |||
Evaluation of the company’s lawful basis for processing personal data | Article 6 | |||
Verification of the company’s consent management process | Article 7 | |||
Verification of the company’s data breach notification process | Article 33 | |||
Review of the company’s data protection impact assessment process | Article 35 | |||
Verification of the company’s process for handling data subject access requests | Article 15 | |||
Verification of the company’s process for handling data portability requests | Article 20 | |||
Review of the company’s data retention and deletion policy | Article 5 | |||
Evaluation of the company’s vendor management process | Article 28 | |||
Verification of the security and confidentiality of health data during transmission and storage | Article 32 | |||
Verification of the company’s procedures for reporting data breaches | Article 33 | |||
Evaluation of the company’s data transfer processes to third countries | Article 44 | |||
Verification of the accuracy and completeness of employee contact information | Article 5 | |||
Verification of the company’s data deletion and rectification processes | Article 17 | |||
Evaluation of the compliance of security protocols for remote or mobile worker data | Article 32 | |||
The checkpoint is to verify compliance with the access and physical security control procedures for the premises and equipment where health data is stored, and to ensure that security policies are in place to protect employees’ health data.
To do this, it is necessary to verify that the premises and equipment where health data is stored are protected by appropriate physical security measures, such as alarm systems, surveillance cameras, electronic locks, and access controls.
It is also important to ensure that security policies are in place to protect employees’ health data, for example, by verifying that health data is stored in secure environments and that access to data is limited to authorized personnel.
It is also necessary to verify that workers are informed of the security policies and are trained on the physical security of premises and equipment where health data is stored.
To evaluate the company’s compliance with this checkpoint, it is important to check that the access and physical security control procedures for the premises and equipment where health data is stored are compliant with the GDPR, that security policies are in place to protect employees’ health data, and that workers are informed and trained on the physical security of premises and equipment.
Audit Checklist | Compliance with GDPR | Yes | No | N/A |
---|---|---|---|---|
Verify compliance of employee data deletion process | Article 17 | |||
Verify compliance of data breach notification process | Article 33, 34 | |||
Evaluate compliance of data transfer protocols | Article 44-49 | |||
Assess accuracy and completeness of employee contact information | Article 5, 6 | |||
Assess security protocols for remote/mobile worker data | Article 32 | |||
Check compliance of data access and physical security procedures | Article 32 | |||
The checkpoint is to evaluate the compliance of online cookie management and consent processes, ensuring that workers are informed of the cookies used on the website, have a clear choice to accept or refuse cookies, and that their data is stored and processed in accordance with GDPR standards.
To do this, it is necessary to verify that the company’s website informs workers in a clear and transparent manner about the cookies used, their purpose, and their retention period. Workers must also have a clear choice to accept or refuse cookies.
It is also important to ensure that the data stored and processed by cookies complies with GDPR rules. This involves verifying that the collected data is relevant and limited to what is necessary, that workers have given their explicit, free, informed, and unambiguous consent for the processing of their data, that the data is stored and processed in accordance with the declared purposes, and that the retention period of the data complies with GDPR legislation.
To evaluate the company’s compliance with this point, it is important to verify that online cookie management and consent processes are compliant with GDPR rules, that workers are informed in a clear and transparent manner about the cookies used on the website, that they have a clear choice to accept or refuse cookies, and that their data is stored and processed in accordance with GDPR standards.
Audit Checklist | Compliance with GDPR Article | Yes | No | N/A |
---|---|---|---|---|
Evaluate compliance of data transfer processes to third countries | Article 44, 45 | |||
Check accuracy and completeness of employee contact information | Article 5, 17 | |||
Verify compliance of data erasure and rectification procedures | Article 16, 17 | |||
Assess compliance of data security protocols for remote or mobile workers | Article 32 | |||
Evaluate compliance of physical security access and control procedures | Article 32 | |||
Review compliance of online cookie and consent management processes | Article 7, 9, 22 | |||
Assess compliance of data breach notification procedures | Article 33, 34 | |||
Verify compliance of data protection impact assessment (DPIA) processes | Article 35, 36 | |||
Evaluate compliance of data processing agreements with third-party processors | Article 28 | |||
Check compliance of data retention and deletion procedures | Article 5, 17, 30 | |||
Compliance Maintenance Action Plan: Fourth Quarter 2023
The checkpoint is to verify that employment contracts, confidentiality agreements, and employee data security policies comply with GDPR rules, particularly with regard to the collection, processing, and communication of health data.
To do so, it is necessary to verify that employment contracts and confidentiality agreements contain clauses that comply with GDPR rules on the collection, processing, and communication of health data. It is also important to ensure that the company’s data security policies comply with GDPR rules, particularly with regard to restricted access to health data, network security, and protection against data breaches.
It is also important to ensure that employees are informed in a clear and transparent manner about the company’s policies on health data protection and that GDPR training is provided to employees.
To evaluate the company’s compliance with this checkpoint, it is important to verify that employment contracts, confidentiality agreements, and employee data security policies comply with GDPR rules regarding the collection, processing, and communication of health data. It is also important to ensure that employees are informed in a clear and transparent manner about the company’s policies on health data protection and that GDPR training is provided to employees.
Audit Checklist | Compliance with GDPR Article | Yes | No | N/A |
---|---|---|---|---|
Evaluate compliance of remote or mobile workers’ data security protocols, such as device encryption, Wi-Fi security, and data management on personal devices. | Article 32 | |||
Verify compliance of processes for deletion and correction of health data, ensuring that all employee health data is deleted or corrected when necessary and that evidence of this action is properly retained. | Article 5, 17 | |||
Check compliance of access and control procedures for physical security for premises and equipment where health data is stored, and ensure that security policies are in place to protect employee health data. | Article 32 | |||
Evaluate compliance of online cookie management and consent processes, ensuring that workers are informed of cookies used on the website, have a clear choice to accept or refuse cookies, and that their data is stored and processed in accordance with GDPR standards. | Article 7, 13 | |||
Verify that employment contracts, confidentiality agreements, and employee data security policies are in compliance with GDPR rules, particularly with regard to the collection, processing, and communication of health data. | Article 9, 28 | |||
Evaluate the compliance of health data transfer procedures in case of business transfer or asset acquisition, ensuring that employees are informed of these transfers and that their data protection rights are respected.
When a company transfers health data in case of merger, acquisition, asset sale, or any other business transaction, it is important to ensure that employees are transparently and clearly informed about the data transfers and that their data protection rights are respected. To evaluate compliance with health data transfer procedures in case of business transfer or asset acquisition, it is necessary to:
- Verify that employees have been transparently and clearly informed of the health data transfers, the recipients of this data, and the purposes for which this data is transferred.
- Ensure that health data transfers are carried out in accordance with GDPR rules for the transfer of personal data outside the European Union.
- Verify that employees have the possibility to exercise their data protection rights, such as the right of access, rectification, erasure or portability of their data.
- Verify that employees have been informed of their rights and the means to exercise them in case of business transfer or asset acquisition.
- Verify that health data transfers are in compliance with the initial purpose for which this data was collected.
- Ensure that health data is protected during the transfer and that the recipients have signed data processing agreements in accordance with GDPR requirements.
- Verify that employees have the possibility to withdraw their consent to the transfer of their health data at any time.
Audit Checklist | Compliance with GDPR Article | Yes | No | N/A |
---|---|---|---|---|
Verify compliance of procedures for access and control of physical security for locations and equipment where health data is stored and ensure security policies are in place to protect employee health data | Art. 32 | |||
Evaluate compliance of security protocols for remote or mobile workers’ data, such as device encryption, Wi-Fi security, and data management on personal devices | Art. 32 | |||
Verify compliance of processes for deleting and rectifying health data, ensuring all employee health data is deleted or rectified when necessary, and evidence of this action is properly retained | Art. 17 | |||
Evaluate compliance of processes for cookie management and online consent, ensuring employees are informed about cookies used on the website, have a clear choice to accept or refuse cookies, and their data is stored and processed in accordance with GDPR standards | Art. 6, 7, 32 | |||
Verify compliance of employment contracts, confidentiality agreements, and employee data security policies with GDPR regulations, especially regarding the collection, processing, and communication of health data | Art. 6, 9, 32 | |||
Evaluate compliance of procedures for transferring health data in the event of a business transfer or asset sale, ensuring employees are informed of these transfers and their data protection rights are respected | Art. 6, 13, 14, 15, 32 | |||
Verify that health data is stored and processed in accordance with the company’s document retention policies, and that employee health data is not used for purposes other than those for which it was collected
The company should be audited to ensure that employee health data is stored and processed in accordance with its document retention policies, and that this data is not used for purposes other than those for which it was collected. The audit criteria include reviewing the company’s document retention policies, verifying that health data is stored in secure locations accessible only to authorized personnel, and verifying that health data is not used for purposes other than those for which it was collected.
Audit Checklist | Compliance with GDPR | Yes | No | N/A |
---|---|---|---|---|
Are document retention policies in place and compliant with GDPR? | Article 30 | |||
Are employee health data stored in secure locations accessible only to authorized personnel? | Article 32 | |||
Are data processing activities for employee health data in accordance with the purposes for which they were collected? | Article 5 | |||
To ensure compliance with GDPR regulations, it is important to evaluate procedures for notifying employees of requests for access, rectification, or deletion of their health data. It is crucial to ensure that employees are informed of their data protection rights, including their right to access, rectify, or delete their health data.
To evaluate compliance with GDPR rules, it is necessary to verify that the company has a clear and transparent notification process to inform employees of these requests. It is also important to ensure that employees have easy access to their health data and are informed of the procedures to follow to exercise their data protection rights.
Furthermore, it is important to verify that requests for access, rectification, or deletion of data are processed in compliance with GDPR regulations. This includes verifying that the data in question is accurate, relevant, and up-to-date, that the request is valid, and that employees’ rights are respected. In case of a request for deletion or modification of health data, it is also important to ensure that all relevant data is deleted or modified, and that evidence of this action is properly retained.
Audit Point | Compliance with GDPR | Yes | No | N/A |
---|---|---|---|---|
Verify compliance of physical security access and control procedures for premises and equipment where health data is stored, and ensure security policies are in place to protect employee health data. | Article 32 | |||
Evaluate compliance of cookie management and online consent processes, ensuring employees are informed of cookies used on the website, have a clear choice to accept or refuse cookies, and that their data is stored and processed in compliance with GDPR standards. | Article 7, Article 13, Article 30 | |||
Check compliance of employee contracts, confidentiality agreements, and data security policies with GDPR rules, particularly with regard to the collection, processing, and communication of health data. | Article 6, Article 9, Article 28, Article 32 | |||
Verify compliance of health data transfer procedures in case of business transfer or asset sale, ensuring employees are informed of these transfers and their data protection rights are respected. | Article 6, Article 13, Article 14, Article 30, Article 44 | |||
Ensure compliance of data retention and use policies for employee health data, ensuring that data is not used for purposes other than those for which it was collected, and that it is stored and processed in compliance with the company’s document retention policies. | Article 5, Article 9, Article 32 | |||
Evaluate compliance of procedures for notifying employees of requests for access to their health data and requests for rectification or deletion of such data, ensuring that employees are informed of these requests and their rights are respected. | Article 12, Article 13, Article 15, Article 16, Article 17, Article 30 | |||
To ensure the protection of employees’ health data, it is important to verify that employees are aware of the risks to the confidentiality and security of their health data. Employees should also be informed of the measures in place to protect their health data and how they can report any breaches or concerns related to the protection of health data.
To evaluate compliance with this aspect of the GDPR, audit criteria may include:
- Verify that the company has developed clear and precise policies on health data security, and that these policies are communicated to all employees.
- Ensure that employees have received adequate training on the risks to the confidentiality and security of their health data, as well as the measures in place to protect this data.
- Verify that employees have access to resources such as information documents and contacts to report any breach or concern related to the protection of health data.
- Ensure that employees are regularly informed of health data security policies and procedures, and that updates to these policies are communicated adequately.
- Verify that employees understand the risks associated with the use of communication technologies such as emails, messaging applications, and social networks, and that they are informed of best practices to protect their health data.
Audit Checklist | Compliance with GDPR (Article) | Yes | No | N/A |
---|---|---|---|---|
Review policies for the retention and disposal of health data | Article 5 | |||
Verify that employee health data is not used for purposes other than those for which it was collected | Article 5 | |||
Verify that the company has a clear and transparent notification process to inform employees of requests for access to health data | Article 15 | |||
Verify that the company has a clear and transparent process to inform employees of requests for rectification or erasure of health data | Article 16, 17 | |||
Verify that employees are informed of the risks to the confidentiality and security of their health data, the protective measures in place, and how to report any breaches or concerns related to the protection of health data | Article 5, 32 | |||
Verify that employee contracts, confidentiality agreements, and data security policies are compliant with GDPR rules regarding the collection, processing, and communication of health data | Article 9, 24, 28 | |||
Verify that the company has a clear and transparent process for obtaining and documenting employee consent for the processing of their health data | Article 7 | |||
Verify that health data transfers in the event of a merger, acquisition, or asset sale comply with GDPR rules | Article 5, 44 | |||
Verify that cookie and online consent management processes comply with GDPR rules regarding worker awareness, clear choice, and data storage and processing standards | Article 5, 6, 7, 13, 14 | |||
Verify that the company has a clear and transparent notification process to inform employees of data breaches | Article 33, 34 | |||