This is a compliance audit template to map the GDPR compliance level of your software extension
| Personal Data handled/processed and Consent |
|---|
| Which are the personal data that are expected to be collected by the extension? |
| Does the extension also collect data to be shared with an owned or third-party server apart from the data collected and stored with the local installation? |
| Which are the data entry points of the personal data collection (i.e. cookies, forms)? |
| Is there a functionality to collect and log consents from users that submit their personal data? |
| Is there a functionality that gives the user the ability to withdraw their consent? If yes, to what? |
| Is the consent functionality connected to the core API? |
| Is the extension collecting personal data that is not needed/being used currently? |
| Consent for additional special categories |
|---|
| Is there a functionality to generate additional consent functionalities (checkboxes?) for the up front consent of the users to the use of personal data in case of i.e. marketing, profiling, children data, sensitive data? |
| Is the consent functionality connected to the core API? |
| Consent for Cookies collecting personal data |
|---|
| Does the extension installs cookies to be functional or for any other reason (tracking, performance, advertising)? |
| If yes, is there a functionality for the up front consent by the user in case the software installs cookies that are collecting any personal data? |
| If there a functionality to collect consents is provided, is there also a functionality for the user/s to withdraw consent? |
| Right to Data Portability |
|---|
| Is there a functionality that gives users the ability to request and download their data? |
| Right of Access by the Data Subject |
|---|
| Does the extension provides a dashboard to the users with settings to edit their personal data? |
| Is the consent functionality connected to the core API? |
| Right to be Forgotten |
|---|
| Is there a functionality that offers to users the ability to securly delete all of their data? |
| Is the consent functionality connected to the core API? |
| Privacy by Default |
|---|
| Does the software have all the settings set to the most private possible due to its scope? |
| Security Measures |
|---|
| Is there a secure https transmission (SSL/TLS) for all the resources used by the functionality? |
| If there is a need to apply encryption, is the data stored encrypted? |
| If there is a need to apply anonymization or pseudonymization techniques are they applied? |
| Third parties/Subprocessors |
|---|
| Incase you use third parties to provide a service or a functionality, have you included it to your third parties or subprocessors list? |
| Have you signed a DPA related document with third parties (in case you use third parties)? |
| Notification to user |
|---|
| Do you provide a Privacy Policy to users? |
| Do you include users' rights in your Privacy policy? |
| Do you include all the third party partners in you Privacy Policy? |
V.1 release:
Achilleas Papageorgiou - Joomla! Compliance Team Leader, Member of the Cross-CMS Compliance Coalition
Alan Mac Kenna (Umbraco CMS), Heather Burns (WordPress), Luca Marzo (Joomla!), Gabor Javorszky (WordPress)