306 - GDPR Assessment Report

The document summarizes an audit of a company's compliance with the General Data Protection Regulation. It examines the company's business activities, HR activities, and internal/external access controls. The audit found some areas were adequate but others like consent procedures and informing individuals about data collection needed improvement.

COMPANYNAME FRANCE

GDPR ASSESSMENT REPORT


Confidential
Dear Mr. …..

At your request, our law firm has carried out an audit of COMPANYNAME France with a view to evaluating its level of conformity with the General Data Protection Regulation ("GDPR").

Considering the profile and activities of COMPANYNAME France, namely:

- a French subsidiary of an international group;
- legally and financially independent from its mother company;
- having mainly a B2B2B activity of integrator of products developed by other companies.

Considering also the fact that COMPANYNAME France:

- is very dependent on COMPANYNAME HQ for its business activities and HR activities;
- relies on third parties for various tasks such as security control, pay slips management and recruitment;
- has no real marketing activity.

The audit was focused mainly on the GDPR compliance of COMPANYNAME France in the context of its business activities (Part I), its HR activities (Part II) and the internal access and external visitors control (Part III).

Mr. …… Ms. ….. and you were our main interlocutors for the performance of the audit. In addition, copies and extracts of business agreements entered into by COMPANYNAME France were provided by Mr. …..; they are attached hereto as exhibits.

The present report recapitulates in a table format the observations made during the audit. The assessment method is based on 3 levels of evaluation:

- Adequate: means that the GDPR obligation is fulfilled;
- Insufficient: means that the GDPR obligation is partly fulfilled or that the risk incurred by COMPANYNAME France is limited;
- Non adequate: means that the GDPR obligation is not fulfilled and the risk incurred by COMPANYNAME France is significant.

I remain at your disposal should you have any question about this report.

Yours sincerely,

PART I – BUSINESS ACTIVITIES

Each entry below gives the Object, Subject matter, GDPR reference, Assessment and Recommendation/measure of one row of the audit table.

Object: Business contacts of: existing customers; contractors
Subject matter: Personal data: Name, Phone number, Email, Position
GDPR: Art. 4, 1: "For the purposes of this Regulation: (1) ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); […]"
Assessment: Adequate. Appropriate to the purpose of the processing.
Recommendation/measure:
- Always ensure that the personal data processed is adequate, relevant and limited to what is necessary to the purpose of the processing.
- As often as possible, avoid buying mailing lists.

Object: Consent
Subject matter: Consent exemption
GDPR: Art. 6, 2: "Processing shall be lawful only if and to the extent that at least one of the following applies: […] (2) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; […]"
Assessment: Insufficient. Copies and extracts of agreements provided show that all the agreements entered into by COMPANYNAME must be updated with GDPR provisions.
Recommendation/measure:
- If in the capacity of COMPANYNAME France, all the commercial agreements with existing customers must be updated to include GDPR provisions.
- A privacy policy must be written and made available to existing customers and contractors by email.

Object: Processing

Subject matter: Personal data collection
GDPR: Art. 4, 2: "(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; […]"
Assessment: Adequate. Personal data obtained:
- by exchanging business cards;
- from people participating in local events where they leave business cards;
- by sales people networks (incl. LinkedIn).
Recommendation/measure:
- Always ensure that the personal data processed is adequate, relevant and limited to what is necessary to the purpose of the processing.
- As often as possible, avoid buying mailing lists.

Subject matter:
- Direct collection (Art. 13): information to be provided where personal data are collected from the data subject.
- Indirect collection (Art. 14): information to be provided where personal data have not been obtained from the data subject.
GDPR: Art. 13; Art. 14
Assessment: Non adequate.
- Information required by GDPR art. 13 is not provided.
- Information required by GDPR art. 14 is not provided.
Recommendation/measure: A privacy policy containing the information required by art. 13 and 14 of GDPR must be written and made available to existing customers and contractors by email. This can be an individual email to each business contact or an emailing campaign.

Subject matter: Internal processing
GDPR: Art. 4, 2) (see above)
Assessment: Insufficient.
- No internal data processing policy.
- Internally, personal data are processed erratically: some data are organised in a CRM database, some in Excel files, some on the personal mobile phones of the employees, some in Outlook databases.
Recommendation/measure:
- Must be set up: an internal data processing policy; a good practices policy.
- All the data must be centralised and kept in the CRM tool and then processed internally (organised, structured, extracted, updated, etc.) from the CRM tool.
- The CRM tool must be updated according to the publisher’s recommendations.
- If possible and not depending on HQ, a more efficient and EU CRM tool should be purchased.

Subject matter: Share and transfer of data
GDPR: Art. 4, 2) (see above)
Assessment: Insufficient.
- Data is shared between CompanyName France and CompanyName HQ (CompanyName HQ is not considered a 3rd party, but part of the group).
- Excel files with contacts are shared with CompanyName HQ once a year for the Mobile World event in Barcelona.
Recommendation/measure: A privacy policy informing the business contacts on how their data are shared between the companies of the group must be written and made available to them by email. Can be the same document as the one mentioned above.

Subject matter: Storage
GDPR: Art. 4, 2) (see above)
Assessment: Insufficient. Data are stored in France but in various places inside the company: CRM database (extremely limited info), local file server, backup server and user laptops, email server, phone contacts lists.
Recommendation/measure: Must be set up:
- a personal data storage policy (can be added to the data processing policy document);
- a good practices policy (can be the same document as the one mentioned above).

Subject matter: Profiling
GDPR: Art. 4, 4): "(4) ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements"
Assessment: No profiling performed.

Subject matter: Erasure / Destruction
GDPR: Art. 4, 2) (see above)
Assessment: Non adequate.
- No specific policy on personal data retention duration.
- No specific procedure for the erasure or destruction of personal data.
Recommendation/measure: A specific policy on personal data retention duration must be set up, together with specific erasure and destruction procedures (can be added to the data processing policy document).

Object: Data subject rights
Subject matter: Rectification (Art. 16); Erasure / To be forgotten (Art. 17); Restriction of processing (Art. 18); Data portability (Art. 20); To object (Art. 21)
GDPR: Art. 16, 17, 18, 20 and 21
Assessment: Non adequate. No information is provided by COMPANYNAME France to the data subjects as regards their rights.
Recommendation/measure: A privacy policy informing the business contacts on their rights must be written. (Can be the same document as the one mentioned above.)

Object: Security: confidentiality; integrity; reliability

Subject matter: Appropriate security
GDPR: Art. 5, 1: "Personal data shall be: […] processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)"; Art. 32: Security of processing
Assessment: Insufficient. No appropriate measure is in place to ensure the security of the personal data processed. However, because of the type of personal data, a breach of security will not have an impact on the privacy of the business contacts.
Recommendation/measure: The setting up of the recommended measures should enable CompanyName France to fulfill this obligation.

Subject matter: Encryption
GDPR: Art. 32: Security of processing
Assessment: Adequate. No encryption is needed for the type of personal data processed. In addition, encrypting this data would compromise the quality of the relationships with the customers and contractors.

Object: Crisis management: privacy breach; security incident

Subject matter: Notification to CNIL
GDPR: Article 33: Notification of a personal data breach to the CNIL (Supervisory Authority) within 72 hours after having become aware of it.
Assessment: Non adequate. Because CompanyName France has no internal policies on personal data protection, the company will be unable to know if a breach has occurred and to fulfill its obligation of notification within 72 hours.
Recommendation/measure: The setting up of the recommended measures should enable CompanyName France to fulfill this obligation.

Subject matter: Communication to the data subject
GDPR: Article 34: Communication of a personal data breach to the data subject without undue delay.
Assessment: Non adequate. Because CompanyName France has no internal policies on personal data protection, the company will be unable to know if a breach has occurred and to fulfill its obligation under article 34 of GDPR.
Recommendation/measure: The setting up of the recommended measures should enable CompanyName France to fulfill this obligation.
PART II – HR ACTIVITIES

Object: Personal data of: existing employees; job applicants
Subject matter:
- Employees: Name, Personal address, Date and place of birth, Social security number, Position, Salary, Taxes, Sick leaves data, Personal IP address.
- Job applicants: Name, Personal address, Age, Email, Phone number, Previous positions.
GDPR: Art. 4, 1: "For the purposes of this Regulation: (1) ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); […]"
Assessment:
- Employees: Adequate. Appropriate to the purpose of the processing: HR management; social security; complementary health insurance.
- Job applicants: Adequate. Appropriate to the purpose of the processing: recruitment management.
Recommendation/measure: Always ensure that the personal data processed are adequate, relevant and limited to what is necessary to the purposes of the processing.

Object: Consent
Subject matter: Consent exemption
GDPR: Art. 6, 2: "Processing shall be lawful only if and to the extent that at least one of the following applies: […] (2) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; […] (3) processing is necessary for compliance with a legal obligation to which the controller is subject;"
Assessment: Adequate. Appropriate to the purpose of the processing.

Object: Processing

Subject matter: Personal data collection
GDPR: Art. 4, 2: "(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; […]"
Assessment: Adequate. Personal data obtained:
- on the CVs;
- during the job interviews;
- on the employment contracts;
- on the sick leaves documents.
Recommendation/measure: Always ensure that the personal data processed are adequate, relevant and limited to what is necessary to the purpose of the processing.

Subject matter:
- Direct collection (Art. 13): information to be provided where personal data are collected from the data subject.
- Indirect collection (Art. 14): information to be provided where personal data have not been collected from the data subject.
GDPR: Art. 13; Art. 14
Assessment: Non adequate.
- Information required by GDPR art. 13 is not provided.
- Information required by GDPR art. 14 is not provided.
Recommendation/measure:
- A specific agreement must be signed between CompanyName France and CompanyName HQ.
- An internal data processing policy must be set up and implemented for HR data.
- A notice of information should be sent to every prospective candidate invited to a job interview.

Subject matter: Internal processing
GDPR: Art. 4, 2) (see above)
Assessment: Non adequate.
- HR data is processed erratically in HQ and in France on the HR tool, file server, backup server, email server, physical cabinets and the HR representative’s laptop.
- HR data is stored on the email server in the HR representative’s inbox, so the IT department managing the email server may have access to the data.
- There is no specific written agreement between CompanyName France and CompanyName HQ for the processing of French HR data.
- There is no internal data processing policy specific to HR data.
Recommendation/measure:
- A specific agreement must be signed between CompanyName France and CompanyName HQ concerning HR data processed in HQ.
- An internal data processing policy must be set up and implemented for HR data (can be the same document as the one mentioned above).

Subject matter: Share and transfer of data
GDPR: Art. 4, 2) (see above)
Assessment: Non adequate. No specific data sharing and transfer procedures, although:
- HR data is shared with CompanyName HQ;
- salary, taxes and sick leaves data are shared with UniverPay on a monthly basis;
- HR data are also shared with financial auditors and insurance companies;
- job applicants’ data are shared with external consultants.
Recommendation/measure:
- A specific agreement must be signed between CompanyName France and CompanyName HQ concerning HR data processed in HQ.
- An internal data processing policy must be set up and implemented for HR data.
- An audit must be carried out with UniverPay and a GDPR sub-contractor agreement should be signed between CompanyName France and UniverPay.
- An audit must be carried out with the external consultants and GDPR sub-contractor agreements should be signed with each of them.
- Confirmation of conformity to GDPR must be obtained from the concerned financial auditors and insurance companies.

Subject matter: Storage
GDPR: Art. 4, 2) (see above)
Assessment: Non adequate. HR data is stored in HQ and in France in various places inside both companies: the HR tool, file server, backup server, email server, physical cabinets, HR representative’s laptop.
Recommendation/measure:
- A specific agreement must be signed between CompanyName France and CompanyName HQ concerning HR data storage in HQ (can be the same document as the one mentioned above).
- A storage policy must be set up (can be added to the data processing policy document specific to HR data).

Subject matter: Profiling
GDPR: Art. 4, 4): "(4) ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements"
Assessment: No profiling performed.

Subject matter: Erasure / Destruction
GDPR: Art. 4, 2) (see above)
Assessment: Non adequate.
- No specific policy on personal data retention duration.
- No specific procedure for the erasure or destruction of HR data.
Recommendation/measure: A specific policy on HR data retention duration must be set up, together with specific erasure and destruction procedures.

Object: Rights
Subject matter: Rectification (Art. 16); Erasure / To be forgotten (Art. 17); Restriction of processing (Art. 18); Data portability (Art. 20); To object (Art. 21)
GDPR: Art. 16, 17, 18, 20 and 21
Assessment: Non adequate. No information is provided by COMPANYNAME France to the employees and prospective candidates on their rights.
Recommendation/measure:
- An internal data processing policy must be set up and implemented for HR data.
- The employment contract of each employee should be updated by an amendment.

Object: Security: confidentiality; integrity; reliability

Subject matter: Guarantee of security
GDPR: Art. 5, 1: "Personal data shall be: […] processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)"; Art. 32: Security of processing
Assessment: Non adequate.
- No real precaution is taken to guarantee the security of the HR data processed.
- No information provided on the level of security assured by CompanyName HQ on the French HR data.
- The IT department managing the email server of the HR representative may have access to HR data.
Recommendation/measure: The setting up of the recommendations mentioned previously should enable CompanyName France to fulfill this obligation.

Subject matter: Encryption
GDPR: Art. 32: Security of processing
Assessment: Non adequate.
- No information provided on the level of encryption assured by CompanyName HQ on the French HR data.
- No encryption is performed on the data stored on the HR representative’s laptop or on the data server.
Recommendation/measure: The setting up of the recommendations mentioned previously should enable CompanyName France to fulfill this obligation.

Object: Crisis management: privacy breach; security incident

Subject matter: Notification to CNIL
GDPR: Article 33: Notification of a personal data breach to the CNIL (Supervisory Authority) within 72 hours after having become aware of it.
Assessment: Non adequate. Because CompanyName France has no internal policies on HR data protection, the company will be unable to know if a breach has occurred and to fulfill its obligation of notification within 72 hours.
Recommendation/measure: The setting up of the recommendations mentioned previously should enable CompanyName France to be prepared and to fulfill this obligation.

Subject matter: Communication to the data subject
GDPR: Article 34: Communication of a personal data breach to the data subject without undue delay.
Assessment: Non adequate. Because CompanyName France has no internal policies on HR data protection, the company will be unable to know if a breach has occurred and to fulfill its obligation under article 34 of GDPR.
Recommendation/measure: The setting up of the recommendations mentioned previously should enable CompanyName France to be prepared and to fulfill this obligation.
PART III – PREMISES ACCESS AND EXTERNAL VISITORS CONTROL

Object: Personal data of: employees; external visitors
Subject matter:
- Employees: Name; Premises access log (date, time and duration of access).
- External visitors: Name; ID card; Images.
GDPR:
- Art. 4, 1: "For the purposes of this Regulation: (1) ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); […]"
- Art. 5, 1: "Personal data shall be: (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)"
Assessment:
- Employees: Adequate. Appropriate to the purpose of the processing.
- External visitors: Insufficient. Unable to determine if the images processed by the video surveillance system are relevant and limited to what is necessary to the purposes of the processing.
Recommendation/measure:
- Always ensure that the personal data processed are adequate, relevant and limited to what is necessary to the purpose of the processing.
- An audit should be carried out with the company in charge of the video surveillance and a GDPR sub-contractor agreement should be signed with this company.

Object: Consent
Subject matter: Consent requirements
GDPR: Art. 6, 1: "Processing shall be lawful only if and to the extent that at least one of the following applies: (1) the data subject has given consent to the processing of his or her personal data for one or more specific purposes"; Art. 7: Conditions of consent
Assessment: Insufficient.
- Employees’ access: the provision specified in the employment contracts is no longer valid.
- External visitors: no notice is given of the video surveillance control.
Recommendation/measure:
- The employment contract of each employee should be updated by an amendment.
- An audit should be carried out with the company in charge of the video surveillance and a GDPR sub-contractor agreement should be signed with this company.
- A notice must be made visible to the external visitors before the checkpoint.

Object: Processing

Subject matter: Personal data collection
GDPR: Art. 4, 2): "(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; […]"
Assessment: Adequate. Personal data obtained:
- from the CVs;
- during the job interviews;
- from the employment contracts;
- from the sick leaves documents.
Recommendation/measure: Always ensure that the personal data processed are adequate, relevant and limited to what is necessary to the purpose of the processing.

Subject matter:
- Direct collection (Art. 13): information to be provided where personal data are collected from the data subject.
- Indirect collection (Art. 14): information to be provided where personal data have not been collected from the data subject.
GDPR: Art. 13; Art. 14
Assessment:
- Direct collection: Non adequate. Information required by GDPR art. 13 is not provided.
- Indirect collection: no indirect collection.
Recommendation/measure:
- A consent document must be signed by each employee of CompanyName France.
- An audit should be carried out with the company in charge of the video surveillance and a GDPR sub-contractor agreement should be signed with this company.
- A notice must be made visible to the external visitors before the checkpoint.

Subject matter: Internal processing
GDPR: Art. 4, 2) (see above)
Assessment: Non adequate. No information provided on how the personal data of employees’ access and external visitors is processed.
Recommendation/measure: An internal data processing policy must be set up and implemented.

Subject matter: Share and transfer of data
GDPR: Art. 4, 2) (see above)
Assessment: Adequate. Videos are shared by the security company with the police only.
Recommendation/measure: Ensure on a regular basis that the procedure has not changed.

Subject matter: Storage
GDPR: Art. 4, 2) (see above)
Assessment: Non adequate. No information provided on how the personal data of employees’ access and external visitors is stored.
Recommendation/measure:
- An internal data processing policy must be set up and implemented.
- An audit should be carried out with the company in charge of the video surveillance and a GDPR sub-contractor agreement should be signed with this company.

Subject matter: Profiling
GDPR: Art. 4, 4): "(4) ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements"
Assessment: No profiling performed.

Subject matter: Erasure / Destruction
GDPR: Art. 4, 2) (see above)
Assessment: Non adequate. No information provided on how long the personal data of employees’ access and external visitors is kept and how it is destroyed.
Recommendation/measure:
- An internal data processing policy must be set up and implemented.
- An audit should be carried out with the company in charge of the video surveillance and a GDPR sub-contractor agreement should be signed with this company.

Object: Rights
Subject matter: Rectification (Art. 16); Erasure / To be forgotten (Art. 17); Restriction of processing (Art. 18); Data portability (Art. 20); To object (Art. 21)
GDPR: Art. 16, 17, 18, 20 and 21
Assessment: Non adequate. No information is provided by COMPANYNAME France to the employees and external visitors on their rights.
Recommendation/measure:
- An internal data processing policy must be set up and implemented.
- An audit should be carried out with the company in charge of the video surveillance and a GDPR sub-contractor agreement should be signed with this company.

Object: Security: confidentiality; integrity; reliability

Subject matter: Guarantee of security
GDPR: Art. 5, 1: "Personal data shall be: […] processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)"; Art. 32: Security of processing
Assessment: Non adequate. No information provided on the level of security assured by CompanyName France and the surveillance company on this data.
Recommendation/measure:
- An internal data processing policy must be set up and implemented.
- An audit should be carried out with the company in charge of the video surveillance and a GDPR sub-contractor agreement should be signed with this company.

Subject matter: Encryption
GDPR: Art. 32: Security of processing
Assessment: Non adequate. No information provided on the level of encryption assured by CompanyName France and the surveillance company on this data.
Recommendation/measure:
- An internal data processing policy must be set up and implemented.
- An audit should be carried out with the company in charge of the video surveillance and a GDPR sub-contractor agreement should be signed with this company.

Object: Crisis management: privacy breach; security incident

Subject matter: Notification to CNIL
GDPR: Article 33: Notification of a personal data breach to the CNIL (Supervisory Authority) within 72 hours after having become aware of it.
Assessment: Non adequate. Because CompanyName France has no internal policies on HR data protection, the company will be unable to know if a breach has occurred and to fulfill its obligation of notification within 72 hours.
Recommendation/measure: The setting up of the recommendations mentioned previously should enable CompanyName France to be prepared and to fulfill this obligation.

Subject matter: Communication to the data subject
GDPR: Article 34: Communication of a personal data breach to the data subject without undue delay.
Assessment: Non adequate. Because CompanyName France has no internal policies on HR data protection, the company will be unable to know if a breach has occurred and to fulfill its obligation under article 34 of GDPR.
Recommendation/measure: The setting up of the recommendations mentioned previously should enable CompanyName France to be prepared and to fulfill this obligation.
