Samsung Vendor Audit – English

    Contact Information
    Full Vendor Company Name:
    Street:
    ZIP Code:
    City:
    Country:
    Point of Contact Name:
    Point of Contact Email-Address:
    Point of Contact Phone Number:
    Website:
    DPO Name (Data Protection Officer):
    DPO E-Mail:
    DPO Phone:
    Please Choose:
    New Vendor / Existing Vendor
    Services
    Brief description of the services provided by the Vendor
    Will controller's personal data be accessed by the Vendor?
    Yes / No
    Are controller's personal data entered, transformed, stored or processed by the Vendor or its system?
    Yes / No
    Are controller's personal data stored in the Vendor's systems (laptop, memory drive, servers, cloud account, etc.)?
    Yes / No
    What, if any, controller systems will the Vendor or Vendor systems require access/integration to?
    Intranet / Infrastructure / Database(s) / Wireless Network / Hardware / Software / Website / Other
    Use of Personal Data
    In this step, we kindly ask you to answer questions about which personal data you will be using.
    In this context, “Using” includes accessing, copying, viewing, collecting, downloading, uploading or otherwise processing or transforming of personal data.

    If you click "Yes" on a data category, please confirm why you will collect, access or use the data outlined above in providing the services.

    If you click "No", you can leave the text field in that row empty.
    Data Categories | Usage Purpose - confirm why you need this data for providing the services
    Name, Former Name, Alias
    Company ID
    Badge Number, Passport Number
    Tax ID
    Social Security Number
    Citizenship
    Credit Report/Credit Score
    Criminal Record
    Signatures, Fingerprints
    Photos
    Age/Date of Birth/Place of Birth
    Marital Status
    Benefits/Other HR Info
    Data on Children under 13 Years of Age
    Data on Children under 16 Years of Age
    Gender
    Private Email Address
    Work Email Address
    Private Address
    Work Address
    Work Phone
    Home Phone
    Mobile Phone
    IP Address/Log Files
    Source Code/Security Codes/Other Security Information
    Other Product Information
    Controller's Customer Data
    If other Data, please describe in the field to the right.
    The controller expects that any use of the data is limited to the provision of the services.
    If you intend to use the data for any other purpose, please provide full details.
    Do you process data from special categories of personal data?
    Racial and Ethnic Origin / Political Opinions / Religious or Philosophical Beliefs / Trade Union Membership / Genetic Data or Biometric Data uniquely identifying a person / Data Concerning Health / Data Concerning a natural person's sex life or sexual orientation / None of the above
    Based on your previous entries, you do not have to answer questions about the use of personal data. Please click on "Next Step"
    Location of Data Processing
    Based on your previous entries, you do not have to answer questions about the location of data processing. Please click on "Next Step"
    Where are personal data processed by the Vendor (geographically)?
    EU / US / China / Russia / Switzerland / North Korea / Japan / Other
    Where are servers located on which Vendor or its subcontractors (if any) process the personal data?
    Where are offices located from which Vendor staff (including those employed by subsidiaries, affiliates or other group companies) and any subcontractor staff may remotely access Controller’s personal data?
    Which measures does the Vendor take in order to ensure the adequate level of data protection?
    Does the Vendor process personal data only as allowed by documented instructions from controller?
    Does the Vendor inform controller if any of its instructions contradicts the GDPR and, if so, how is this done?
    Subcontractors
    Based on your previous entries, you do not have to answer questions about subcontractors. Please click on "Next Step"
    Does the Vendor use Subcontractors for the personal data processing activities?
    Yes / No
    In which countries do the subcontractors process the personal data?
    Only in the EU / Third Countries
    Please upload a list of the subcontractors used by the Vendor, the service that the subcontractor provides, whether there exists a data processing agreement with the subcontractor and which international data transfer safeguards are used. You can upload multiple files, but not more than five files.
    Here you can download our template for a list.
    Which measures does the Vendor take in order to ensure the adequate level of data protection?
    Are the same data protection obligations as set out with the controller imposed on the subcontractors by way of a contract?
    Does the Vendor use any new subcontractor without prior specific or general written authorization of controller?
    By which measures does the Vendor ensure that the appropriate measures concerning data protection by its subcontractors are effective?
    Security
    Based on your previous entries, you do not have to answer questions about security. Please click on "Next Step"
    Please download the "Technical and Organizational Security Measures" by clicking on the icon below. Please confirm that you comply with the "Technical and Organizational Security Measures"
    Download
    I confirm / I do not confirm
    What privacy or security programs or certifications does the Vendor have in place? Please upload documentation about other technical, physical and administrative measures
    You can upload multiple files, but not more than five files.
    Does Vendor ensure their system meets Controller's attached TOM standards?
    Do the employees in the Vendor's organisation receive training on the GDPR and other relevant data protection laws?
    Yes, regularly and mandatory (at least once per year) / Yes, but not regularly (e.g. only in the onboarding process) / No
    In the past five years, have you ever suffered a confirmed data loss, data breach or other data security related incident?
    Data Breach / Data Loss / Data Security Related Incident / No
    Please provide full details about the data breach (e.g. whether and how the breach was resolved)
    Please provide full details about the data loss
    Please provide full details about the data security related incident
    Internal Policies and Processes
    Based on your previous entries, you do not have to answer questions about internal policies and processes. Please click on "Next Step"
    Do you have a retention policy in place? Please upload the retention policy, if available
    You can upload multiple files, but not more than five files.
    Yes, there is an up-to-date retention policy in place / Yes, but it is not up-to-date / No
    Do you have in place and maintain business continuity and disaster recovery policies and processes? Please upload the recovery policies, if available
    You can upload multiple files, but not more than five files.
    Yes / No
    Have you carried out any Privacy/Data Protection Impact Assessments related to the processing you will undertake as part of the Service?
    Yes / No
    If so, please provide a copy of the report.
    You can upload multiple files, but not more than five files.
    If not, why not?
    What policies and procedures do you have in place to deal with data incidents? Please upload the policies and procedures, if available
    You can upload multiple files, but not more than five files.
    Can you confirm that you can find, delete, anonymise, update or correct any of the controller's personal data if requested to do so by the controller? Describe the systems and procedures you have in place to manage any such instruction.
    Yes / No
    Can you confirm that all of your employees are subject to any employment vetting processes and, in particular, whether they sign non-disclosure agreements ("NDAs") or other engagement terms that require them to keep confidential any client information to which they have access? Please describe the process you have in place.
    Yes / No
    Complaints and Storage, Return or Deletion of Personal Data
    Based on your previous entries, you do not have to answer questions about complaints and storage, return or deletion of personal data. Please click on "Next Step"
    Have you ever received any complaint, objection or similar notice or correspondence from any data protection or other regulatory authority, or has any such authority commenced investigation or control with regard to your processing of personal data in the course of providing your service?
    Yes / No
    Please provide full details about the complaint, objection or similar notice or correspondence you have received
    Upon request, at agreed intervals and at the latest at the end of the supply relationship, the controller will require you to return or delete any personal data or other confidential information that you have used in the course of providing the services. Can you confirm that you will be able to do this, unless retention is required by applicable mandatory laws and regulations? Please describe how you will be able to comply or why you cannot confirm that you will be able to comply.
    Yes / No
    If you believe you will need to retain personal data or other confidential information for any reason, please explain why and provide details of your record retention policy. Please upload your record retention policy if available
    You can upload multiple files, but not more than five files.
    Confirmation
    I confirm that the answers I have provided in this questionnaire are true, accurate and complete to the best of my knowledge.

    I confirm
    I confirm that I am authorized by the Vendor to provide the requested information.

    I confirm