Samsung Vendor Audit – English

Contact Information

Full Vendor Company Name:

Street:

ZIP Code:

City:

Country:

Point of Contact Name:

Point of Contact Email-Address:

Point of Contact Phone Number:

Website:

DPO Name (Data Protection Officer):

DPO E-Mail:

DPO Phone:

Please Choose:
New VendorExisting Vendor

Services

Brief description of the services provided by the Vendor

Will controllers personal data be accessed by the Vendor?
YesNo
Are controller's personal data entered, transformed, stored or processed by the Vendor or its system?
YesNo
Are controller's personal data stored in the Vendors system (laptop, memory drive, servers, cloud account, etc.)?
YesNo
What, if any, controller systems will the Vendor or Vendor systems require access/integration to?
IntranetInfrastructureDatabase(s)Wireless NetworkHardwareSoftwareWebsiteOther

Use of Personal Data

In this step, we kindly ask you to answer questions about which personal data you will be using.
In this context, “Using” includes accessing, copying, viewing, collecting, downloading, uploading or otherwise processing or transforming of personal data.

If you click "Yes" on a data category, please confirm why you will collect, access or use the data outlined above in providing the services.

If you click "No", you can leave the text-bracket in that row empty.

Data Categories	Usage	Purpose - confirm why you need this data for providing the services
Name, Former Name, Alias	YesNo
Company ID	YesNo
Badge Number, Passport Number	YesNo
Tax ID	YesNo
Social Security Number	YesNo
Citizenship	YesNo
Credit Report/Credit Score	YesNo
Criminal Record	YesNo
Signatures, Fingerprints	YesNo
Photos	YesNo
Age/Date of Birth/Place of Birth	YesNo
Marital Status	YesNo
Benefits/Other HR Info	YesNo
Data on Children under 13 Years of Age	YesNo
Data on Children under 16 Years of Age	YesNo
Gender	YesNo
Private Email Address	YesNo
Work Email Address	YesNo
Private Address	YesNo
Work Address	YesNo
Work Phone	YesNo
Home Phone	YesNo
Mobile Phone	YesNo
IP Address/Log Files	YesNo
Source Code/Security Codes/Other Security Information	YesNo
Other Product Information	YesNo
Controllers Customer Data	YesNo
If other Data, please describe in the field to the right.	YesNo

The controller expects that any use of the data is limited to the provision of the services. If you intend to use the data for any other purpose, please provide full details.

Do you process data from special categories of personal data?
Racial and Ethnic OriginPolitical OpinionsReligious or Philosophical BeliefsTrade Union MembershipGenetic Data or Biometric Data uniquely identifying a personData Concerning HealthData Concerning a natural persons sex life or sexual orientationNone of the above

Based on your previous entries, you do not have to answer questions about the use of personal data. Please click on "Next Step"

Location of Data Processing

Based on your previous entries, you do not have to answer questions about the location of data processing. Please click on "Next Step"

Where are personal data processed by the Vendor (geographically)?
EUUSChinaRussiaSwitzerlandNorth-KoreaJapanOther
Where are servers located on which Vendor or its subcontractors (if any) process the personal data?
Where are offices located from which Vendor staff (including those employed by subsidiaries, affiliates or other group companies) and any subcontractor staff may remotely access Controller’s personal data?
Which measures does the Vendor take in order to ensure the adequate level of data protection?
Does the Vendor process personal data only as allowed by documented instructions from controller?	YesNo
Does the Vendor inform controller if any of its instruction contradicts GDPR and if so, how it will be done?
YesNo

Subcontractors

Based on your previous entries, you do not have to answer questions about subcontractors. Please click on "Next Step"

Does the Vendor use Subcontractors for the personal data processing activities?
YesNo

In which countries do the subcontractors process the personal data?
Only in the EUThird Countries
Please upload a list of the subcontractors used by the Vendor, the service that the subcontractor provides, whether there exists a data processing agreement with the subcontractor and which international data transfer safeguards are used.	You can upload multiple files, but not more than five files.
Here you can download our template for a list.	[mfile file-subcontractors]

Which measures does the Vendor take in order to ensure the adequate level of data protection?
Are the same data protection obligations as set out with the controller imposed on the subcontractors by way of a contract?	YesNo
Does the Vendor use any new subcontractor without prior specific or general written authorization of controller?	YesNo
By which measures does the Vendor ensure that the appropriate measures concerning data protection by its subcontractors are effective?

Security

Based on your previous entries, you do not have to answer questions about security. Please click on "Next Step"

Please download the "Technical and Organizational Security Measures" by clicking on the icon below.	Please confirm that you comply with the "Technical and Organizational Security Measures"
	I confirmI do not confirm

What privacy or security programs or certifications does the Vendor have in place?	Please upload documentation about other technical physical and administrative measures You can upload multiple files, but not more than five files.
	[mfile file-TOMs]

Does Vendor ensure their system meets Controller's attached TOM standards?
YesNo
Do the employees in the Vendor's organisation receive training on the GDPR and other relevant data protection laws?
Yes, regularly and mandatory (at least once per year)Yes, but not regularly (e.g. only in the onboarding process)No
In the past five years, have you ever suffered a confirmed data loss, data breach or other data security related incident?
Data BreachData LossData Security Related IncidentNo

Please provide full details about the data breach (e.g. whether and how the breach was resolved)

Please provide full details about the data loss

Please provide full details about the data security related incident

Internal Policies and Processes

Based on your previous entries, you do not have to answer questions about internal policies and processes. Please click on "Next Step"

Do you have a retention policy in place?	Please upload the retention policy, if available You can upload multiple files, but not more than five files.
Yes, there is an up-to-data retention policy in placeYes, but it is not up-to-dateNo	[mfile file-retentionpolicy]
Do you have in place and maintain business continuity and disaster recovery policies and processes?	Please upload the recovery policies, if available You can upload multiple files, but not more than five files.
YesNo	[mfile file-recoverypolicies]
Have you carried out any Privacy/Data Protection Impact Assessments related to the processing you will undertake as part of the Service?
YesNo
If so, please provide a copy of the report. You can upload multiple files, but not more than five files.	If not, why not?
[mfile file-ImpactAssessmentsServices]
What policies and procedures do you have in place to deal with data incidents?	Please upload the policies and procedures, if available You can upload multiple files, but not more than five files.
	[mfile file-dataincidentpolicies]
Can you confirm that you can find, delete, anonymise, update or correct any of the controller's personal data if requested to do so by the controller?	Describe the systems and procedures you have in place to manage any such instruction.
YesNo
Can you confirm that all of your employees are subject to any employment vetting processes and, in particular, whether they sign non-disclosure agreements ("NDAs") or other engagement terms that require them to keep confidential any client information to which they have access?	Please describe the process you have in place.
YesNo

Complaints and Storage, Return or Deletion of Personal Data

Based on your previous entries, you do not have to answer questions about complaints and storage, return or deletion of personal data. Please click on "Next Step"

Have you ever received any complaint, objection or similar notice or correspondence from any data protection or other regulatory authority, or has any such authority commenced investigation or control with regard to your processing of personal data in the course of providing your service?
YesNo

Please provide full details about the complaint, objection or similar notice or correspondence you have received

Upon request, at agreed intervals and latest at the end of the supply relationship, the controller will require you to return or delete any personal data or other confidential information that you have used in the course of providing the services. Can you confirm that you will be able to do this, unless the retention is required by applicable mandatory laws and regulations?	Please describe how you will be able to comply or why you cannot confirm that you will be able to comply.
YesNo
If you believe you will need to retain personal data or other confidential information for any reason, please explain why and provide details of your record retention policy.	Please upload your record retention policy if available You can upload multiple files, but not more than five files.
	[mfile file-retainpersonaldata]

Confirmation

I confirm that the answers I have provided in this questionnaire are true, accurate and complete to the best of my knowledge.

I confirm

I confirm that I am authorized by the Vendor to provide the requested information.

I confirm