Plan of action over 12 months for maintaining your GDPR compliance.



A compliance maintenance action plan is essential to keep your company compliant with the GDPR over time, not just at the moment of an initial audit. The plan should be drawn up and followed with a data protection officer (DPO) who has proven data protection skills, so that the actions it contains are effective and relevant to the way health data is actually processed.

The compliance maintenance action plan should include the following steps:

  • Analysis of the current compliance status: This step assesses the current compliance status of your company by examining the existing processes, policies and procedures for the collection, processing, storage and protection of employee health data. Because health data is a special category of personal data (Article 9), this step should also include a risk analysis for its confidentiality and security, carried out as a data protection impact assessment (Article 35) where the processing is likely to result in a high risk.
  • Identification of gaps: This step involves identifying areas where your company is not in compliance with GDPR rules. This step can be done by comparing company policies and procedures with GDPR requirements.
  • Development of an action plan: This step involves developing an action plan to address the gaps identified in the previous step. This action plan should include specific actions to be taken to ensure your company’s compliance with GDPR rules.
  • Implementation of the action plan: This step involves implementing the actions identified in the action plan. It is important to follow the steps rigorously to ensure that the actions are implemented correctly.
  • Evaluation of effectiveness: This step involves evaluating the effectiveness of the actions taken to maintain GDPR compliance. This evaluation may include compliance testing, security assessments, and employee satisfaction surveys.

Compliance Maintenance Action Plan: First Quarter 2023

Monitoring employees’ consent for the collection and processing of their health data, as well as the effectiveness of the methods for collecting and storing this data in compliance with GDPR standards.

Monitoring employees’ consent for the collection and processing of their health data involves ensuring that employees have given explicit, freely given, informed and unambiguous consent to the collection, processing and storage of their health data (Articles 7 and 9(2)(a)). Note that, because of the imbalance of power between employer and employee, the EDPB’s Guidelines 05/2020 on consent treat consent in the employment context as rarely freely given; where health data is processed to meet employment-law obligations or for occupational medicine, Article 9(2)(b) or 9(2)(h) is usually the basis actually relied upon, and the audit should confirm which basis applies before checking the consent mechanics.

To do this, it is necessary to verify that employees have been clearly and transparently informed about the purposes for which their health data is collected, the recipients of this data, their rights regarding data protection, and the duration of the retention of this data.

It is also important to verify that employees have been clearly and precisely informed of their right to withdraw their consent at any time and that procedures have been put in place to facilitate the exercise of this right.


It is also important to ensure the effectiveness of the methods for collecting and storing this data in compliance with GDPR standards, for example by verifying that health data is collected proportionately to the purpose of the processing, that technical and organizational measures have been put in place to ensure data security, that access to data is limited to those who need it, and that the data is retained for a duration that does not exceed the necessary duration for the purpose of the processing.

Audit Checklist
Item | GDPR reference | Yes | No | N/A
Consent for employee health data collection and processing | Article 7 | [ ] | [ ] | [ ]
Employees are informed of data collection purposes and recipients | Articles 13, 14 | [ ] | [ ] | [ ]
Employees are informed of their data protection rights | Articles 13, 14, 15, 16, 17, 18, 20, 21, 77, 79 | [ ] | [ ] | [ ]
Employees are informed of data retention duration | Articles 13, 14 | [ ] | [ ] | [ ]
Procedures in place for employee consent withdrawal | Article 7 | [ ] | [ ] | [ ]
Proportional collection and processing of health data | Articles 5, 9 | [ ] | [ ] | [ ]
Technical and organizational measures for data security | Article 32 | [ ] | [ ] | [ ]
Access to data limited to those with need-to-know | Article 32 | [ ] | [ ] | [ ]
Data retention duration is not excessive | Article 5 | [ ] | [ ] | [ ]

In this example, the checklist includes specific GDPR articles that relate to each item. The “Yes,” “No,” and “N/A” columns can be used to indicate whether the audited item is compliant, non-compliant, or not applicable.

Ensuring that workers have easy access to their health data and that requests for deletion or modification of this data are processed in accordance with GDPR regulations.

Ensuring that workers have easy access to their health data and that requests for deletion or modification of this data are processed in accordance with GDPR regulations involves ensuring that workers can exercise their rights of access, rectification, erasure, or portability of their health data easily and quickly.

To do this, it is important to verify that workers have access to a simple and effective procedure for exercising their rights and that designated persons within the company are responsible for responding to workers’ requests. It is also important to ensure that workers are informed clearly and transparently about the conditions for exercising their rights, the response times, and the means of contacting the designated persons to respond to their requests.

In addition, it is important to verify that requests for deletion or modification of health data are processed in accordance with the GDPR. This involves checking that the health data in question is accurate, relevant and up to date, that the request is justified (and, where a legal retention obligation prevents erasure, that the refusal and its reasons are explained to the worker, Articles 12(4) and 17(3)), and that workers’ rights are respected. When health data is deleted or modified, it is also important to ensure that every copy of the relevant data is deleted or modified and that evidence of the action is properly retained.

Audit Checklist
Item | GDPR reference | Yes | No | N/A
Workers have easy access to their health data | Article 15 | [ ] | [ ] | [ ]
Workers can exercise their rights of access, rectification, erasure, or portability | Articles 15, 16, 17, 20 | [ ] | [ ] | [ ]
Simple and effective procedure for exercising rights in place | Articles 12, 15, 16, 17, 20, 21 | [ ] | [ ] | [ ]
Designated persons responsible for responding to workers’ requests | Articles 12, 15, 16, 17, 20, 21 | [ ] | [ ] | [ ]
Workers are informed clearly and transparently about exercising their rights | Articles 12, 15, 16, 17, 20, 21 | [ ] | [ ] | [ ]
Workers are informed of response times and means of contact | Articles 12, 15, 16, 17, 20, 21 | [ ] | [ ] | [ ]
Requests for deletion or modification of health data are processed in accordance with GDPR regulations | Articles 5, 16, 17, 18 | [ ] | [ ] | [ ]
Health data is accurate, relevant, and up to date | Article 5 | [ ] | [ ] | [ ]
Request for deletion or modification is justified | Article 17 | [ ] | [ ] | [ ]
Workers’ rights are respected | Articles 12, 15, 16, 17, 20, 21, 77, 79 | [ ] | [ ] | [ ]
Relevant data is deleted or modified and evidence is properly retained | Articles 5, 17, 18, 24, 30 | [ ] | [ ] | [ ]


Verifying that the exchange of health data with third parties is carried out in compliance with GDPR rules on security, confidentiality, and consent.

Verifying that the exchange of health data with third parties is carried out in compliance with GDPR rules on security, confidentiality, and consent involves ensuring that all health data shared with third parties is protected and processed in compliance with GDPR rules.

To do this, it is important to verify that the company has implemented appropriate technical and organizational security measures to ensure the security and confidentiality of health data during its transmission and storage with third parties. It is also important to ensure that the third parties have signed data processing contracts that comply with GDPR requirements.

It is also important to verify that workers are informed clearly and transparently about the exchange of health data with third parties, the purposes of these exchanges, and the recipients of this data (Articles 13 and 14). Where the sharing relies on consent, that consent must be explicit, freely given, informed and unambiguous, and specific to the sharing rather than folded into a general consent to processing.

Finally, it is important to verify that the exchange of health data with third parties is carried out in compliance with GDPR rules on data retention, purpose of processing, and workers’ rights. This involves ensuring that health data is collected proportionally to the purpose of the processing and that the duration of data retention is compliant with GDPR legislation.

Audit Checklist
Item | GDPR reference | Yes | No | N/A
Technical and organizational security measures in place | Article 32 | [ ] | [ ] | [ ]
Third parties have signed GDPR-compliant data processing contracts | Article 28 | [ ] | [ ] | [ ]
Workers are informed clearly and transparently about the exchange of health data with third parties | Articles 12, 13, 14 | [ ] | [ ] | [ ]
Workers give explicit, free, informed, and unambiguous consent for health data to be shared with third parties | Article 7 | [ ] | [ ] | [ ]
Data is collected proportionally to the purpose of processing | Article 5 | [ ] | [ ] | [ ]
Data retention duration is compliant with GDPR legislation | Article 5 | [ ] | [ ] | [ ]
Purpose of processing is compliant with GDPR legislation | Article 5 | [ ] | [ ] | [ ]
Workers’ rights are respected | Articles 12, 15, 16, 17, 20, 21, 77, 79 | [ ] | [ ] | [ ]


Evaluating the compliance of data security policies and the implementation of appropriate technical and organizational measures to ensure the security of employee health data.

Evaluating the compliance of data security policies and the implementation of appropriate technical and organizational measures to ensure the security of employee health data involves verifying that the company has implemented security measures to protect employee health data.

To evaluate the compliance of these security policies, it is important to verify that the company has implemented technical measures such as health data encryption, password management, access limitation, and strong authentication. The company must also have implemented organizational measures such as staff training, security policies, and internal controls to protect health data.

It is also important to ensure that the company has conducted a risk analysis to identify potential risks to the security of health data and has implemented measures to mitigate them.

Finally, it is important to verify that the company has implemented security policies for mobile devices such as laptops and smartphones, and that these policies are compliant with GDPR rules. The company must also have established procedures for erasing data on mobile devices in case of loss or theft.

Audit Checklist
Item | GDPR reference | Yes | No | N/A
Technical security measures are in place | Article 32 | [ ] | [ ] | [ ]
Organizational security measures are in place | Article 32 | [ ] | [ ] | [ ]
Risk analysis has been conducted | Article 35 | [ ] | [ ] | [ ]
Risks have been mitigated | Article 32 | [ ] | [ ] | [ ]
Encryption of health data is used | Article 32 | [ ] | [ ] | [ ]
Password management is used | Article 32 | [ ] | [ ] | [ ]
Access limitation is used | Article 32 | [ ] | [ ] | [ ]
Strong authentication is used | Article 32 | [ ] | [ ] | [ ]
Staff training is in place | Article 32 | [ ] | [ ] | [ ]
Security policies are in place | Article 32 | [ ] | [ ] | [ ]
Internal controls are in place | Article 32 | [ ] | [ ] | [ ]
Policies for mobile devices are in place | Article 32 | [ ] | [ ] | [ ]
Procedures for erasing data on mobile devices are in place | Article 32 | [ ] | [ ] | [ ]


Ensuring that employees receive regular training on GDPR rules, risks to the confidentiality and security of their health data, and ways to protect them is a key element of GDPR compliance in occupational health services.

To ensure this compliance, it is important to set up regular training sessions for all employees, including medical personnel and those responsible for managing health data. This training should cover the following key points:

  • The fundamental principles of the GDPR on personal data protection and the confidentiality of health data.
  • Employee rights related to data protection, including the right to access, rectify, erase and port their health data.
  • Risks to the confidentiality and security of health data, such as cyberattacks, security breaches and human error.
  • Technical and organizational measures to protect health data, such as secure passwords, restricted access and monitoring of suspicious activity.
  • Internal procedures to report data breaches and to respond quickly and effectively to a security incident.

In addition to initial training, it is also important to offer regular training sessions to keep employees’ knowledge up to date and to provide them with access to online resources such as best practices guides, newsletters, webinars, etc.

It is also important to ensure that employees understand the importance of protecting health data and the need to comply with GDPR rules, by explaining the potential consequences for the company and for themselves in case of non-compliance.

Audit Checklist
Item | GDPR reference | Yes | No | N/A
Data Protection Officer (DPO) | Article 37 | [ ] | [ ] | [ ]
Compliance Action Plan | Article 24 | [ ] | [ ] | [ ]
Consent for Health Data | Article 7 | [ ] | [ ] | [ ]
Data Exchange with Third Parties | Article 28 | [ ] | [ ] | [ ]
Employee Data Access | Article 15 | [ ] | [ ] | [ ]
Employee Training | Article 39 | [ ] | [ ] | [ ]
Security Measures | Article 32 | [ ] | [ ] | [ ]
Data Breach Management | Article 33 | [ ] | [ ] | [ ]
Records of Processing Activities | Article 30 | [ ] | [ ] | [ ]

Compliance Maintenance Action Plan: Second Quarter 2023

Assessing the compliance of contracts with external service providers for the collection, processing and storage of employee health data to ensure they comply with GDPR rules is a crucial step in protecting employee health data.

To achieve this, it is important to verify that the data processing contracts signed with external providers contain the terms that Article 28(3) makes mandatory. These must set out the subject matter, duration, nature and purpose of the processing and the categories of data and data subjects, and oblige the provider to process the data only on the company’s documented instructions, to keep it confidential, to apply the security measures of Article 32, to engage sub-processors only with the company’s authorization, to assist with data subject requests and with breach notification (a processor must report breaches to the controller without undue delay, Article 33(2)), to delete or return the data at the end of the service, and to allow audits.

It is also important to ensure that external service providers comply with GDPR requirements for data security, including technical and organizational measures to protect health data, data encryption, access management, network security, and more.

Finally, it is important to verify that external service providers have a clear and transparent policy on personal data protection, which should be available to affected employees and accessible on their website.

The goal is to ensure that external service providers comply with GDPR standards and provide a level of protection equivalent to that of the company. If external service providers do not comply with GDPR requirements, corrective measures must be implemented or alternative service providers sought.

Audit Checklist
Item | GDPR reference | Yes | No | N/A
Policy for data protection | Art. 5 | [ ] | [ ] | [ ]
Procedure for responding to data breaches | Art. 33 | [ ] | [ ] | [ ]
Employee training on GDPR and data protection | Art. 39 | [ ] | [ ] | [ ]
Procedures for managing data subject requests | Art. 12-23 | [ ] | [ ] | [ ]
Records of processing activities | Art. 30 | [ ] | [ ] | [ ]
Contracts with third-party data processors | Art. 28 | [ ] | [ ] | [ ]
Technical and organizational measures for data security | Art. 32 | [ ] | [ ] | [ ]
Regular reviews and audits of data protection practices | Art. 24 | [ ] | [ ] | [ ]
Ensuring easy access for employees to their health data | Art. 15 | [ ] | [ ] | [ ]
Evaluating compliance of data exchanges with third parties | Art. 44-50 | [ ] | [ ] | [ ]
Evaluating compliance of contracts with external service providers | Art. 28 | [ ] | [ ] | [ ]

Ensuring that collected health data is relevant, limited to what is necessary, and proportionate to the purpose of processing, and that the data retention period is compliant with GDPR legislation is a key point of GDPR compliance.

It is important to verify that the health data collected is necessary for the purpose of processing and limited to what is relevant and proportionate to that purpose. It is important to limit the data collected to that which is necessary for the purpose of processing in order to minimize privacy and data security risks.

It is also important to ensure that the data retention period is compliant with GDPR legislation. Health data must be retained for a limited period, which must be justified by the purpose of processing and must not exceed the time necessary to achieve that purpose.

To evaluate the company’s compliance with this point, it is important to verify that the health data collected is necessary for the purpose of processing and limited to what is relevant and proportionate to that purpose. It is also important to verify that the data retention period is compliant with GDPR legislation. Additionally, it is important to verify that procedures have been put in place to delete health data that is no longer necessary in accordance with GDPR provisions.

Audit Checklist
Item | GDPR reference | Yes | No | N/A
Privacy Policy and Notice | Articles 13, 14 | [ ] | [ ] | [ ]
Data Subject Rights | Articles 15-22 | [ ] | [ ] | [ ]
Legal Basis for Data Processing | Article 6 | [ ] | [ ] | [ ]
Consent | Article 7 | [ ] | [ ] | [ ]
Data Breach Notification and Response | Articles 33-34 | [ ] | [ ] | [ ]
Data Protection Officer (DPO) Appointment | Article 37 | [ ] | [ ] | [ ]
Data Protection Impact Assessment (DPIA) | Article 35 | [ ] | [ ] | [ ]
Processor Contracts | Article 28 | [ ] | [ ] | [ ]
International Data Transfers | Chapter V | [ ] | [ ] | [ ]
Records of Processing Activities | Article 30 | [ ] | [ ] | [ ]
Technical and Organizational Data Security | Article 32 | [ ] | [ ] | [ ]
Employee Data Protection Training | Article 39 | [ ] | [ ] | [ ]
External Service Provider Compliance | Article 28 | [ ] | [ ] | [ ]
Relevant and Limited Data Collection | Article 5 | [ ] | [ ] | [ ]

Controlling the security and confidentiality of health data during their transmission and storage is crucial to ensure GDPR compliance.

It is important to verify that health data is protected both in transit and at rest. In transit, this means that data is only ever transmitted over TLS version 1.2 or later, with the server certificate verified; the older SSL protocols and TLS 1.0/1.1 are obsolete and should be rejected by both client and server configuration. At rest, it means appropriate technical and organizational measures such as encryption of the storage, password management and restricted access to the data.

Additionally, it is important to ensure that access to data is limited to those who need it to perform their work, and that these individuals have been trained on GDPR rules and the risks associated with protecting health data.

To assess the company’s compliance with this point, verify each of these controls in turn: that transmission uses TLS 1.2 or later with certificate verification enabled, that stored data is encrypted and protected by password management and restricted access, that access is limited to those who need it for their work, and that those individuals have received the training described above.
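As an added example (not from the original page), the transport-side part of this check can be made concrete with Python’s standard ssl module: a hardened client configuration for sending health data next to the weak configuration an audit should reject, and an audit function that reports findings for either. The function names and the finding texts are assumptions of this example, not a standard.

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client-side context for sending health data: TLS 1.2 or later only, server
    certificate required and checked against the requested hostname."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The kind of configuration that fails the audit: certificate verification
    switched off, so any machine on the path can present its own certificate and
    read the traffic, plus legacy TLS 1.0 accepted where the local OpenSSL build
    still permits it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except (ValueError, ssl.SSLError):
        pass  # library refuses TLS 1.0 outright; still weak because of the verification settings
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Audit findings for a context; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum protocol version {ctx.minimum_version.name} is below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not required, so the peer is unauthenticated")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("weak", weak_client_context())):
        print(name, audit_context(ctx) or "passes")
```

The same three properties (minimum version, certificate required, hostname checked) are what to look for in any other client, whether it is a Java HTTP client, a curl invocation or an integration platform: disabling certificate verification to make an interface "work" is the most common way health data ends up readable by whoever sits on the network path.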


Audit Checklist
Item | GDPR reference | Yes | No | N/A
Data mapping and inventory | Article 30 | [ ] | [ ] | [ ]
Consent management | Articles 6, 7, and 8 | [ ] | [ ] | [ ]
Individual rights management | Articles 12-23 | [ ] | [ ] | [ ]
Third-party management | Article 28 | [ ] | [ ] | [ ]
Data security | Article 32 | [ ] | [ ] | [ ]
Data breach management | Articles 33 and 34 | [ ] | [ ] | [ ]
Employee training | Article 39 | [ ] | [ ] | [ ]
Data retention | Article 5 | [ ] | [ ] | [ ]
Data protection impact assessment | Article 35 | [ ] | [ ] | [ ]
International data transfers | Chapter V | [ ] | [ ] | [ ]

Checking that data breach notification procedures are in place and that staff is trained to identify, report and respond to data breaches in compliance with GDPR requirements is essential to ensure GDPR compliance.

It is important to verify that data breach notification procedures are clearly defined and that staff are trained to understand and implement them. A personal data breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the company becoming aware of it (Article 33), and to the affected workers without undue delay when the breach is likely to result in a high risk to their rights and freedoms (Article 34), which a breach of health data frequently does. Employees should be trained to recognise data breaches and to report them immediately to the designated person within the company, since the 72-hour period runs from the moment the company is aware of the breach, not from the moment the DPO is told.

In addition, it is important to ensure that data breach response procedures are in place and that staff is trained to respond to them. This involves ensuring that emergency plans are established to deal with data breaches, that designated persons are informed of their role in the event of a data breach, and that corrective measures are taken to prevent future data breaches.

To assess the company’s compliance with this point, it is important to verify that data breach notification procedures are in place and that staff is trained to identify, report, and respond to data breaches in compliance with GDPR requirements. It is also important to verify that data breaches are reported immediately to the supervisory authority in compliance with the timeframes specified in GDPR legislation, and that emergency plans are established to deal with data breaches.

Audit Checklist
Item | GDPR reference | Yes | No | N/A
Ensuring employees receive regular training on GDPR rules, risks to privacy and security of health data, and ways to protect it | Article 39 | [ ] | [ ] | [ ]
Evaluating compliance of contracts with external service providers for collecting, processing, and storing employee health data | Article 28 | [ ] | [ ] | [ ]
Ensuring collected health data is relevant, limited to what is necessary, and proportional to the processing purpose, and that the retention period is compliant with GDPR | Article 5 | [ ] | [ ] | [ ]
Controlling the security and confidentiality of health data during transmission and storage, including verifying the use of encryption, password management, and restricted access to data | Article 32 | [ ] | [ ] | [ ]
Verifying that data breach notification procedures are in place and that personnel are trained to identify, report, and respond to data breaches in compliance with GDPR requirements | Article 33 | [ ] | [ ] | [ ]

Evaluating the processes for transferring health data to third countries is important to ensure GDPR compliance. It is essential to ensure that appropriate transfer mechanisms are in place and that the rights of the affected workers are protected in accordance with GDPR standards.

It is important to verify that every transfer of health data to a country outside the EU/EEA rests on one of the grounds allowed by Chapter V of the GDPR: an adequacy decision for the destination country (Article 45); appropriate safeguards such as standard contractual clauses, binding corporate rules, an approved code of conduct or an approved certification mechanism (Article 46); or, exceptionally, one of the derogations of Article 49. It is also important to ensure that workers are clearly and transparently informed about transfers of their health data to third countries, the purposes of these transfers, the recipients of the data, and the safeguards relied upon (Articles 13(1)(f) and 14(1)(f)).

Furthermore, it is important to ensure that the rights of affected workers are protected in accordance with GDPR standards. This involves ensuring that transfers of health data are necessary for the purpose of the processing and that the data is kept for no longer than that purpose requires. Where a transfer relies on the worker’s explicit consent (Article 49(1)(a)), the consent must be explicit, freely given, informed and unambiguous, given after the worker has been told of the possible risks of the transfer in the absence of an adequacy decision and appropriate safeguards, and withdrawable at any time; this derogation is intended for occasional transfers and does not replace the safeguards of Articles 45 and 46 for a regular flow of health data.

To evaluate the company’s compliance with this point, verify for each transfer which Chapter V ground it relies on and that the corresponding mechanism is actually in place (for example, that the standard contractual clauses are signed and the transfer impact assessment they call for has been done), that workers are clearly and transparently informed about the transfers, their purposes and the recipients of the data, and that, where explicit consent is the ground relied upon, it was obtained in the form described above.

Audit Checklist
Item | GDPR reference | Yes | No | N/A
Data Protection Officer appointment | Article 37 | [ ] | [ ] | [ ]
Data protection policies and procedures | Articles 24, 25 | [ ] | [ ] | [ ]
Data protection impact assessments (DPIAs) | Article 35 | [ ] | [ ] | [ ]
Record of processing activities | Article 30 | [ ] | [ ] | [ ]
Lawful basis for processing personal data | Articles 6, 9 | [ ] | [ ] | [ ]
Consent requirements | Articles 7, 8 | [ ] | [ ] | [ ]
Data subject rights | Articles 12-23 | [ ] | [ ] | [ ]
Data breaches and incident management | Articles 33, 34 | [ ] | [ ] | [ ]
Third-party data processing agreements | Article 28 | [ ] | [ ] | [ ]
Security and confidentiality of personal data | Article 32 | [ ] | [ ] | [ ]
Transfer of personal data outside the EU/EEA | Chapter V | [ ] | [ ] | [ ]
Compliance monitoring and training | Articles 39, 47 | [ ] | [ ] | [ ]

Compliance Maintenance Action Plan: Third Quarter 2023

Controlling the accuracy and completeness of workers’ contact information for notifications and consent requests, as well as identity verification processes to ensure that health data is not disclosed to unauthorized third parties, is important for GDPR compliance.

It is important to ensure that contact data is accurate and complete to enable workers to receive notifications and consent requests. It is also important to verify that identity verification processes are in place to ensure that health data is not disclosed to unauthorized third parties. Identity verification processes should be proportionate to the risks associated with the disclosure of health data and should ensure that only authorized persons have access to health data.

To evaluate a company’s compliance with this point, it is important to verify that workers’ contact information is accurate and complete and that identity verification processes are in place to ensure that health data is not disclosed to unauthorized third parties.

It is also important to verify that notification and consent procedures are in place to ensure that workers are informed in a clear and transparent manner about the purposes of collecting, processing, and storing their health data, and that workers have given their explicit, freely given, informed, and unambiguous consent.

Finally, it is important to verify that technical and organizational measures are in place to ensure the security and confidentiality of health data during transmission and storage, and that access to data is limited to authorized personnel.

Audit Checklist
Item | GDPR reference | Yes | No | N/A
Evaluate compliance of contracts with external service providers for collection, processing and storage of employee health data to ensure compliance with GDPR rules | Article 28 | [ ] | [ ] | [ ]
Ensure that the collected health data is relevant, limited to what is necessary and proportional to the purpose of processing, and that the data retention period complies with GDPR legislation | Article 5 | [ ] | [ ] | [ ]
Control the security and confidentiality of health data during transmission and storage, including checking the use of encryption, password management and restricted access to data | Article 32 | [ ] | [ ] | [ ]
Verify that procedures for data breach notification are in place and that personnel are trained to identify, report and respond to data breaches in compliance with GDPR requirements | Articles 33, 34 | [ ] | [ ] | [ ]
Evaluate the processes for transferring health data to third countries, ensuring that appropriate transfer mechanisms are in place and the rights of affected workers are protected in accordance with GDPR standards | Article 44 | [ ] | [ ] | [ ]
Control the accuracy and completeness of workers’ contact information for notifications and consent requests, as well as identity verification processes to ensure that health data is not disclosed to unauthorized third parties | Articles 5, 12 | [ ] | [ ] | [ ]

The compliance check consists of verifying the compliance of the processes for the deletion and rectification of health data, ensuring that all employee health data is deleted or rectified when necessary and that evidence of this action is properly retained.

It is also important to verify that health data is deleted or rectified in its entirety, and that all copies of such data are also deleted or rectified. It is also necessary to check that health data is retained for a limited duration in accordance with GDPR rules and that it is deleted when this duration is reached.

To evaluate the company’s compliance with this point, it is important to verify that the processes for the deletion and rectification of health data comply with GDPR rules (Articles 16 and 17), that health data is deleted or rectified in its entirety, including every copy held in backups and in systems operated by processors and other recipients (Article 19 requires recipients to be informed of each rectification or erasure), that evidence of the action is properly retained without the evidence itself reproducing the health data, and that employees are informed of any changes made to their health data. It is also important to check
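As an added example (not code from the original page), the two procedures this quarter and the second quarter both ask for, deleting health data once its retention period has passed and rectifying it on request, can be implemented so that every copy is handled and an evidence entry is written that names the action but never the health values themselves. The record layout, the retention schedule, the per-system erase and update hooks and the evidence key are all assumptions of this example; in a real deployment they come from the retention policy, the system inventory and a secrets store.

```python
import hmac
import json
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical retention schedule per purpose, in days; the real durations come
# from the company's retention policy and applicable law.
RETENTION_DAYS = {"fitness_for_work": 5 * 365, "sick_leave_admin": 3 * 365}
# Hypothetical secret for pseudonymising record ids in the evidence log.
EVIDENCE_KEY = b"example-evidence-key"


@dataclass
class HealthRecord:
    record_id: str
    employee_id: str
    purpose: str
    collected_on: date
    data: dict
    # Every system holding a copy; erasure or rectification is complete only
    # when each one has been handled.
    copies: set = field(default_factory=set)


def retention_deadline(record: HealthRecord) -> date:
    """Last day the record may be kept for its declared purpose (Art. 5(1)(e))."""
    if record.purpose not in RETENTION_DAYS:
        # Unknown purpose: fail closed instead of keeping the data indefinitely.
        raise ValueError(f"no retention period for purpose {record.purpose!r}")
    return record.collected_on + timedelta(days=RETENTION_DAYS[record.purpose])


def reference(record_id: str) -> str:
    """Keyed pseudonym for the log, so the log is not another copy of identifying
    data and ids cannot be recovered by guessing."""
    return hmac.new(EVIDENCE_KEY, record_id.encode(), "sha256").hexdigest()[:16]


def erase_everywhere(record: HealthRecord, erase_copy) -> list:
    """Erase every copy through the per-system hook erase_copy(system, record_id)."""
    systems = sorted(record.copies)
    for system in systems:
        erase_copy(system, record.record_id)
    record.copies.clear()
    record.data.clear()
    return systems


def enforce_retention(records, today: date, erase_copy):
    """Erase records past their deadline; returns (kept_records, evidence_entries)."""
    kept, evidence = [], []
    for rec in records:
        deadline = retention_deadline(rec)
        if today <= deadline:
            kept.append(rec)
            continue
        evidence.append({
            "action": "erased",
            "ref": reference(rec.record_id),
            "purpose": rec.purpose,
            "collected_on": rec.collected_on.isoformat(),
            "retention_deadline": deadline.isoformat(),
            "erased_on": today.isoformat(),
            "systems": erase_everywhere(rec, erase_copy),
        })
    return kept, evidence


def rectify(record: HealthRecord, changes: dict, today: date, update_copy) -> dict:
    """Apply a rectification (Art. 16) to the master record and every copy; the
    evidence names the fields changed, never the health values."""
    systems = sorted(record.copies)
    for system in systems:
        update_copy(system, record.record_id, changes)
    record.data.update(changes)
    return {"action": "rectified", "ref": reference(record.record_id),
            "fields": sorted(changes), "systems": systems,
            "rectified_on": today.isoformat()}


def demo():
    """Constructed sample records (not real data); runs offline and returns the
    kept records, the evidence log as JSON lines, and the erase calls made."""
    today, erased_calls = date(2023, 1, 15), []
    records = [
        HealthRecord("r-1", "e-42", "fitness_for_work", date(2017, 3, 1),
                     {"fit_for_duty": "yes"}, {"hr_db", "ohs_portal", "backup"}),
        HealthRecord("r-2", "e-43", "sick_leave_admin", date(2022, 6, 1),
                     {"days_absent": 4}, {"hr_db"}),
    ]
    kept, evidence = enforce_retention(
        records, today, erase_copy=lambda system, rid: erased_calls.append((system, rid)))
    # Worker e-43 reports that the absence was five days, not four.
    evidence.append(rectify(kept[0], {"days_absent": 5}, today,
                            update_copy=lambda system, rid, changes: None))
    return kept, [json.dumps(e, sort_keys=True) for e in evidence], erased_calls
```

Two design points matter for the audit. The evidence log is what you show the auditor, so it must prove that the action happened on every system (the sorted list of systems) without becoming a fresh copy of the health data or of the raw identifier, which is why only the field names and a keyed pseudonym are written. And an unknown purpose raises instead of defaulting to "keep", because a record with no retention rule is exactly the kind that otherwise lives forever.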

Audit Checklist
Item | GDPR reference | Yes | No | N/A
Verify the accuracy and completeness of employee health data | Art. 5, 6, 9 and 32 | [ ] | [ ] | [ ]
Ensure that the collection of health data is relevant, limited, and proportionate | Art. 5 and 9 | [ ] | [ ] | [ ]
Control the security and confidentiality of health data during transmission and storage | Art. 5, 32 and 34 | [ ] | [ ] | [ ]
Verify that procedures for data breach notifications are in place | Art. 33 and 34 | [ ] | [ ] | [ ]
Evaluate the processes for transferring health data to third countries | Art. 44-49 | [ ] | [ ] | [ ]
Verify compliance of processes for deletion and rectification of health data | Art. 5, 16, 17, and 32 | [ ] | [ ] | [ ]
Ensure that the rights of data subjects are respected | Art. 12-22 | [ ] | [ ] | [ ]
Verify that employees are trained in data protection | Art. 39 and 47 | [ ] | [ ] | [ ]
Verify that data protection impact assessments are conducted | Art. 35 and 36 | [ ] | [ ] | [ ]
Ensure that the retention period for health data is compliant with the GDPR | Art. 5 and 32 | [ ] | [ ] | [ ]

The compliance check consists of evaluating the compliance of the security protocols for remote or mobile worker data, such as device encryption, Wi-Fi connection security, and management of data stored on personal devices.

To do so, it is necessary to verify that mobile devices used by workers are protected by appropriate technical and organizational security measures, such as data encryption, the use of strong passwords, and the installation of up-to-date security software.

It is also important to ensure that the Wi-Fi connections used by workers are secure: public Wi-Fi networks should not be used to transmit sensitive data, private networks should use WPA2 or WPA3 with a strong passphrase, and, more robustly, health data should only ever travel over TLS or the company VPN so that its protection does not depend on the network the worker happens to be on.

Furthermore, it is important to verify that workers are informed of the risks associated with using their personal devices to store sensitive data, and that procedures have been put in place to manage data stored on these devices.

To evaluate the company’s compliance with this point, it is important to check that the security protocols for remote or mobile worker data are compliant with GDPR rules, that mobile devices are protected by appropriate technical and organizational security measures, that Wi-Fi connections used by workers are secure, and that procedures have been put in place to manage data stored on personal devices.

Audit Checklist
Item | GDPR reference | Yes | No | N/A
Verification of the company’s GDPR compliance program | Article 24 | [ ] | [ ] | [ ]
Review of the company’s data protection policy | Article 24 | [ ] | [ ] | [ ]
Verification of the company’s record of processing activities | Article 30 | [ ] | [ ] | [ ]
Evaluation of the company’s lawful basis for processing personal data | Article 6 | [ ] | [ ] | [ ]
Verification of the company’s consent management process | Article 7 | [ ] | [ ] | [ ]
Verification of the company’s data breach notification process | Article 33 | [ ] | [ ] | [ ]
Review of the company’s data protection impact assessment process | Article 35 | [ ] | [ ] | [ ]
Verification of the company’s process for handling data subject access requests | Article 15 | [ ] | [ ] | [ ]
Verification of the company’s process for handling data portability requests | Article 20 | [ ] | [ ] | [ ]
Review of the company’s data retention and deletion policy | Article 5 | [ ] | [ ] | [ ]
Evaluation of the company’s vendor management process | Article 28 | [ ] | [ ] | [ ]
Verification of the security and confidentiality of health data during transmission and storage | Article 32 | [ ] | [ ] | [ ]
Verification of the company’s procedures for reporting data breaches | Article 33 | [ ] | [ ] | [ ]
Evaluation of the company’s data transfer processes to third countries | Article 44 | [ ] | [ ] | [ ]
Verification of the accuracy and completeness of employee contact information | Article 5 | [ ] | [ ] | [ ]
Verification of the company’s data deletion and rectification processes | Article 17 | [ ] | [ ] | [ ]
Evaluation of the compliance of security protocols for remote or mobile worker data | Article 32 | [ ] | [ ] | [ ]

The checkpoint is to verify compliance with the access and physical security control procedures for the premises and equipment where health data is stored, and to ensure that security policies are in place to protect employees’ health data.

To do this, it is necessary to verify that the premises and equipment where health data is stored are protected by appropriate physical security measures, such as alarm systems, surveillance cameras, electronic locks, and access controls.

It is also important to ensure that security policies are in place to protect employees’ health data, for example, by verifying that health data is stored in secure environments and that access to data is limited to authorized personnel.

It is also necessary to verify that workers are informed of the security policies and are trained on the physical security of premises and equipment where health data is stored.

To evaluate the company’s compliance with this checkpoint, it is important to check that the access and physical security control procedures for the premises and equipment where health data is stored are compliant with the GDPR, that security policies are in place to protect employees’ health data, and that workers are informed and trained on the physical security of premises and equipment.

Audit Checklist | Compliance with GDPR Article | Yes | No | N/A
Verify compliance of employee data deletion process | Article 17 | | |
Verify compliance of data breach notification process | Article 33, 34 | | |
Evaluate compliance of data transfer protocols | Article 44-49 | | |
Assess accuracy and completeness of employee contact information | Article 5, 6 | | |
Assess security protocols for remote/mobile worker data | Article 32 | | |
Check compliance of data access and physical security procedures | Article 32 | | |

The checkpoint is to evaluate the compliance of online cookie management and consent processes, ensuring that workers are informed of the cookies used on the website, have a clear choice to accept or refuse cookies, and that their data is stored and processed in accordance with GDPR standards.

To do this, it is necessary to verify that the company’s website informs workers in a clear and transparent manner about the cookies used, their purpose, and their retention period. Workers must also have a clear choice to accept or refuse cookies.

It is also important to ensure that the data stored and processed by cookies complies with GDPR rules. This involves verifying that the collected data is relevant and limited to what is necessary, that workers have given their explicit, free, informed, and unambiguous consent for the processing of their data, that the data is stored and processed in accordance with the declared purposes, and that the retention period of the data complies with GDPR legislation.

To evaluate the company’s compliance with this point, it is important to verify that online cookie management and consent processes are compliant with GDPR rules, that workers are informed in a clear and transparent manner about the cookies used on the website, that they have a clear choice to accept or refuse cookies, and that their data is stored and processed in accordance with GDPR standards.

Audit Checklist | Compliance with GDPR Article | Yes | No | N/A
Evaluate compliance of data transfer processes to third countries | Article 44, 45 | | |
Check accuracy and completeness of employee contact information | Article 5, 17 | | |
Verify compliance of data erasure and rectification procedures | Article 16, 17 | | |
Assess compliance of data security protocols for remote or mobile workers | Article 32 | | |
Evaluate compliance of physical security access and control procedures | Article 32 | | |
Review compliance of online cookie and consent management processes | Article 7, 9, 22 | | |
Assess compliance of data breach notification procedures | Article 33, 34 | | |
Verify compliance of data protection impact assessment (DPIA) processes | Article 35, 36 | | |
Evaluate compliance of data processing agreements with third-party processors | Article 28 | | |
Check compliance of data retention and deletion procedures | Article 5, 17, 30 | | |

Compliance Maintenance Action Plan: Fourth Quarter 2023

The checkpoint is to verify that employment contracts, confidentiality agreements, and employee data security policies comply with GDPR rules, particularly with regard to the collection, processing, and communication of health data.

To do so, it is necessary to verify that employment contracts and confidentiality agreements contain clauses that comply with GDPR rules on the collection, processing, and communication of health data. It is also important to ensure that the company’s data security policies comply with GDPR rules, particularly with regard to restricted access to health data, network security, and protection against data breaches.

It is also important to ensure that employees are informed in a clear and transparent manner about the company’s policies on health data protection and that GDPR training is provided to employees.

To evaluate the company’s compliance with this checkpoint, it is important to verify that employment contracts, confidentiality agreements, and employee data security policies comply with GDPR rules regarding the collection, processing, and communication of health data. It is also important to ensure that employees are informed in a clear and transparent manner about the company’s policies on health data protection and that GDPR training is provided to employees.

Audit Checklist | Compliance with GDPR Article | Yes | No | N/A
Evaluate compliance of remote or mobile workers’ data security protocols, such as device encryption, Wi-Fi security, and data management on personal devices. | Article 32 | | |
Verify compliance of processes for deletion and correction of health data, ensuring that all employee health data is deleted or corrected when necessary and that evidence of this action is properly retained. | Article 5, 17 | | |
Check compliance of access and control procedures for physical security for premises and equipment where health data is stored, and ensure that security policies are in place to protect employee health data. | Article 32 | | |
Evaluate compliance of online cookie management and consent processes, ensuring that workers are informed of cookies used on the website, have a clear choice to accept or refuse cookies, and that their data is stored and processed in accordance with GDPR standards. | Article 7, 13 | | |
Verify that employment contracts, confidentiality agreements, and employee data security policies are in compliance with GDPR rules, particularly with regard to the collection, processing, and communication of health data. | Article 9, 28 | | |

Evaluate the compliance of health data transfer procedures in case of business transfer or asset acquisition, ensuring that employees are informed of these transfers and that their data protection rights are respected.

When a company transfers health data in case of merger, acquisition, asset sale, or any other business transaction, it is important to ensure that employees are transparently and clearly informed about the data transfers and that their data protection rights are respected. To evaluate compliance with health data transfer procedures in case of business transfer or asset acquisition, it is necessary to:

  • Verify that employees have been transparently and clearly informed of the health data transfers, the recipients of this data, and the purposes for which this data is transferred.
  • Ensure that health data transfers are carried out in accordance with GDPR rules for the transfer of personal data outside the European Union.
  • Verify that employees have the possibility to exercise their data protection rights, such as the right of access, rectification, erasure or portability of their data.
  • Verify that employees have been informed of their rights and the means to exercise them in case of business transfer or asset acquisition.
  • Verify that health data transfers are in compliance with the initial purpose for which this data was collected.
  • Ensure that health data is protected during the transfer and that the recipients have signed data processing agreements in accordance with GDPR requirements.
  • Verify that employees have the possibility to withdraw their consent to the transfer of their health data at any time.

Audit Checklist | Compliance with GDPR Article | Yes | No | N/A
Verify compliance of procedures for access and control of physical security for locations and equipment where health data is stored and ensure security policies are in place to protect employee health data | Article 32 | | |
Evaluate compliance of security protocols for remote or mobile workers’ data, such as device encryption, Wi-Fi security, and data management on personal devices | Article 32 | | |
Verify compliance of processes for deleting and rectifying health data, ensuring all employee health data is deleted or rectified when necessary, and evidence of this action is properly retained | Article 17 | | |
Evaluate compliance of processes for cookie management and online consent, ensuring employees are informed about cookies used on the website, have a clear choice to accept or refuse cookies, and their data is stored and processed in accordance with GDPR standards | Article 6, 7, 32 | | |
Verify compliance of employment contracts, confidentiality agreements, and employee data security policies with GDPR regulations, especially regarding the collection, processing, and communication of health data | Article 6, 9, 32 | | |
Evaluate compliance of procedures for transferring health data in the event of a business transfer or asset sale, ensuring employees are informed of these transfers and their data protection rights are respected | Article 6, 13, 14, 15, 32 | | |

Verify that health data is stored and processed in accordance with the company’s document retention policies, and that employee health data is not used for purposes other than those for which it was collected

This checkpoint should be audited to ensure that employee health data is stored and processed in accordance with the company’s document retention policies, and that this data is not used for purposes other than those for which it was collected. The audit criteria include reviewing the company’s document retention policies, verifying that health data is stored in secure locations accessible only to authorized personnel, and verifying that health data is not used for purposes other than those for which it was collected.

Audit Checklist | Compliance with GDPR Article | Yes | No | N/A
Are document retention policies in place and compliant with GDPR? | Article 30 | | |
Are employee health data stored in secure locations accessible only to authorized personnel? | Article 32 | | |
Are data processing activities for employee health data in accordance with the purposes for which they were collected? | Article 5 | | |

To ensure compliance with GDPR regulations, it is important to evaluate procedures for notifying employees of requests for access, rectification, or deletion of their health data. It is crucial to ensure that employees are informed of their data protection rights, including their right to access, rectify, or delete their health data.

To evaluate compliance with GDPR rules, it is necessary to verify that the company has a clear and transparent notification process to inform employees of these requests. It is also important to ensure that employees have easy access to their health data and are informed of the procedures to follow to exercise their data protection rights.

Furthermore, it is important to verify that requests for access, rectification, or deletion of data are processed in compliance with GDPR regulations. This includes verifying that the data in question is accurate, relevant, and up-to-date, that the request is valid, and that employees’ rights are respected. In case of a request for deletion or modification of health data, it is also important to ensure that all relevant data is deleted or modified, and that evidence of this action is properly retained.

Audit Point | Compliance with GDPR Article | Yes | No | N/A
Verify compliance of physical security access and control procedures for premises and equipment where health data is stored, and ensure security policies are in place to protect employee health data. | Article 32 | | |
Evaluate compliance of cookie management and online consent processes, ensuring employees are informed of cookies used on the website, have a clear choice to accept or refuse cookies, and that their data is stored and processed in compliance with GDPR standards. | Article 7, 13, 30 | | |
Check compliance of employee contracts, confidentiality agreements, and data security policies with GDPR rules, particularly with regard to the collection, processing, and communication of health data. | Article 6, 9, 28, 32 | | |
Verify compliance of health data transfer procedures in case of business transfer or asset sale, ensuring employees are informed of these transfers and their data protection rights are respected. | Article 6, 13, 14, 30, 44 | | |
Ensure compliance of data retention and use policies for employee health data, ensuring that data is not used for purposes other than those for which it was collected, and that it is stored and processed in compliance with the company’s document retention policies. | Article 5, 9, 32 | | |
Evaluate compliance of procedures for notifying employees of requests for access to their health data and requests for rectification or deletion of such data, ensuring that employees are informed of these requests and their rights are respected. | Article 12, 13, 15, 16, 17, 30 | | |

To ensure the protection of employees’ health data, it is important to verify that employees are aware of the risks to the confidentiality and security of their health data. Employees should also be informed of the measures in place to protect their health data and how they can report any breaches or concerns related to the protection of health data.

To evaluate compliance with this aspect of the GDPR, audit criteria may include:

  • Verify that the company has developed clear and precise policies on health data security, and that these policies are communicated to all employees.
  • Ensure that employees have received adequate training on the risks to the confidentiality and security of their health data, as well as the measures in place to protect this data.
  • Verify that employees have access to resources such as information documents and contacts to report any breach or concern related to the protection of health data.
  • Ensure that employees are regularly informed of health data security policies and procedures, and that updates to these policies are communicated adequately.
  • Verify that employees understand the risks associated with the use of communication technologies such as emails, messaging applications, and social networks, and that they are informed of best practices to protect their health data.

Audit Checklist | Compliance with GDPR Article | Yes | No | N/A
Review policies for the retention and disposal of health data | Article 5 | | |
Verify that employee health data is not used for purposes other than those for which it was collected | Article 5 | | |
Verify that the company has a clear and transparent notification process to inform employees of requests for access to health data | Article 15 | | |
Verify that the company has a clear and transparent process to inform employees of requests for rectification or erasure of health data | Article 16, 17 | | |
Verify that employees are informed of the risks to the confidentiality and security of their health data, the protective measures in place, and how to report any breaches or concerns related to the protection of health data | Article 5, 32 | | |
Verify that employee contracts, confidentiality agreements, and data security policies are compliant with GDPR rules regarding the collection, processing, and communication of health data | Article 9, 24, 28 | | |
Verify that the company has a clear and transparent process for obtaining and documenting employee consent for the processing of their health data | Article 7 | | |
Verify that health data transfers in the event of a merger, acquisition, or asset sale comply with GDPR rules | Article 5, 44 | | |
Verify that cookie and online consent management processes comply with GDPR rules regarding worker awareness, clear choice, and data storage and processing standards | Article 5, 6, 7, 13, 14 | | |
Verify that the company has a clear and transparent notification process to inform employees of data breaches | Article 33, 34 | | |

DPO Partagé