Samsung Vendor Audit – English


    Contact Information

    Full Vendor Company Name:

    Street:

    ZIP Code:

    City:

    Country:

    Point of Contact Name:

    Point of Contact Email-Address:

    Point of Contact Phone Number:

    Website:

    DPO Name (Data Protection Officer):

    DPO E-Mail:

    DPO Phone:

    Please Choose:

    New Vendor / Existing Vendor

    Services

    Brief description of the services provided by the Vendor

    Will the controller's personal data be accessed by the Vendor?

    Yes / No

    Are the controller's personal data entered, transformed, stored or otherwise processed by the Vendor or its systems?

    Yes / No

    Are the controller's personal data stored on the Vendor's systems (laptops, removable media, servers, cloud accounts, etc.)?

    Yes / No

    Which controller systems, if any, will the Vendor or the Vendor's systems require access to or integration with?

    Intranet / Infrastructure / Database(s) / Wireless Network / Hardware / Software / Website / Other

    Use of Personal Data

    In this step, we kindly ask you to answer questions about which personal data you will be using.
    In this context, “Using” includes accessing, copying, viewing, collecting, downloading, uploading or otherwise processing or transforming of personal data.

    If you select "Yes" for a data category, please confirm why you need to collect, access or use that data in order to provide the services.

    If you select "No", you can leave the text field in that row empty.

    Data Category | Usage (Yes / No) | Purpose – confirm why you need this data for providing the services

    Name, Former Name, Alias

    Company ID

    Badge Number, Passport Number

    Tax ID

    Social Security Number

    Citizenship

    Credit Report/Credit Score

    Criminal Record

    Signatures, Fingerprints

    Photos

    Age/Date of Birth/Place of Birth

    Marital Status

    Benefits/Other HR Info

    Data on Children under 13 Years of Age

    Data on Children under 16 Years of Age

    Gender

    Private Email Address

    Work Email Address

    Private Address

    Work Address

    Work Phone

    Home Phone

    Mobile Phone

    IP Address/Log Files

    Source Code/Security Codes/Other Security Information

    Other Product Information

    Controller's Customer Data

    Other data – if you use any other personal data, please describe it in the field to the right.

    The controller expects that any use of the data is limited to the provision of the services.
    If you intend to use the data for any other purpose, please provide full details.

    Do you process data from special categories of personal data?

    Racial or Ethnic Origin / Political Opinions / Religious or Philosophical Beliefs / Trade Union Membership / Genetic Data or Biometric Data uniquely identifying a person / Data Concerning Health / Data Concerning a natural person's sex life or sexual orientation / None of the above


    Location of Data Processing


    Where are personal data processed by the Vendor (geographically)?

    EU / US / China / Russia / Switzerland / North Korea / Japan / Other

    Where are servers located on which Vendor or its subcontractors (if any) process the personal data?

    Where are offices located from which Vendor staff (including those employed by subsidiaries, affiliates or other group companies) and any subcontractor staff may remotely access Controller’s personal data?

    Which measures does the Vendor take to ensure an adequate level of data protection?

    Does the Vendor process personal data only in accordance with documented instructions from the controller?

    Does the Vendor inform the controller if, in its opinion, an instruction infringes the GDPR, and if so, how is this done?

    Subcontractors


    Does the Vendor use Subcontractors for the personal data processing activities?

    Yes / No

    In which countries do the subcontractors process the personal data?

    Only in the EU / Third Countries

    Please upload a list of the subcontractors used by the Vendor, stating for each the service the subcontractor provides, whether a data processing agreement exists with the subcontractor, and which international data transfer safeguards are used.

    You can upload multiple files, but not more than five files.

    Here you can download our template for a list.

    Which measures does the Vendor take to ensure that the subcontractors maintain an adequate level of data protection?

    Are the same data protection obligations as agreed with the controller imposed on the subcontractors by way of a contract?

    Does the Vendor engage any new subcontractor without the prior specific or general written authorization of the controller?

    How does the Vendor verify that its subcontractors' data protection measures are effective?

    Security


    Please download the "Technical and Organizational Security Measures" (TOM) by clicking on the icon below.

    Please confirm that you comply with the "Technical and Organizational Security Measures".

    I confirm / I do not confirm

    What privacy or security programs or certifications does the Vendor have in place?

    Please upload documentation about other technical, physical and administrative measures.
    You can upload multiple files, but not more than five files.

    Does the Vendor ensure that its systems meet the Controller's attached TOM standards?

    Do the employees in the Vendor’s organisation receive training on the GDPR and other relevant data protection laws?

    Yes, regularly and mandatory (at least once per year) / Yes, but not regularly (e.g. only during onboarding) / No

    In the past five years, has the Vendor suffered a confirmed data loss, data breach or other data security related incident?

    Data Breach / Data Loss / Data Security Related Incident / No

    Please provide full details about the data breach (e.g. whether and how the breach was resolved).

    Please provide full details about the data loss

    Please provide full details about the data security related incident

    Internal Policies and Processes


    Do you have a retention policy in place?

    Please upload the retention policy, if available
    You can upload multiple files, but not more than five files.

    Yes, there is an up-to-date retention policy in place / Yes, but it is not up to date / No

    Do you have in place and maintain business continuity and disaster recovery policies and processes?

    Please upload the recovery policies, if available
    You can upload multiple files, but not more than five files.

    Yes / No

    Have you carried out any Privacy/Data Protection Impact Assessments related to the processing you will undertake as part of the Service?

    Yes / No

    If so, please provide a copy of the report.
    You can upload multiple files, but not more than five files.

    If not, why not?

    What policies and procedures do you have in place to deal with data incidents?

    Please upload the policies and procedures, if available
    You can upload multiple files, but not more than five files.

    Can you confirm that you can find, delete, anonymise, update or correct any of the controller’s personal data if requested to do so by the controller?

    Describe the systems and procedures you have in place to manage any such instruction.

    Yes / No

    Can you confirm that all of your employees are subject to employment vetting processes and, in particular, that they sign non-disclosure agreements ("NDAs") or other engagement terms that require them to keep confidential any client information to which they have access?

    Please describe the process you have in place.

    Yes / No

    Complaints and Storage, Return or Deletion of Personal Data


    Have you ever received any complaint, objection or similar notice or correspondence from a data protection or other regulatory authority, or has any such authority commenced an investigation or audit with regard to your processing of personal data in the course of providing your services?

    Yes / No

    Please provide full details about the complaint, objection or similar notice or correspondence you have received.

    Upon request, at agreed intervals and at the latest at the end of the supply relationship, the controller will require you to return or delete any personal data or other confidential information that you have used in the course of providing the services. Can you confirm that you will be able to do this, unless retention is required by applicable mandatory laws and regulations?

    Please describe how you will be able to comply or why you cannot confirm that you will be able to comply.

    Yes / No

    If you believe you will need to retain personal data or other confidential information for any reason, please explain why and provide details of your record retention policy.

    Please upload your record retention policy, if available.
    You can upload multiple files, but not more than five files.

    Confirmation

    I confirm that the answers I have provided in this questionnaire are true, accurate and complete to the best of my knowledge.

    I confirm

    I confirm that I am authorized by the Vendor to provide the requested information.

    I confirm