DPA Service - FAQ

This is a list of the most frequently asked questions with answers

What is the difference between buying a fixed number of audits and a subscription?

  • The "10 trip ticket" is a scheme whereby you buy a number of audits, and then you can use the number audits you have bought on your data processors. This arrangement is not fixed, which is why you can adjust the number of audits you buy from time to time, as needed.
  • If you are on a subscription, you buy them up-front, where you buy a fixed number of checks every year. In other words, a subscription is a periodic scheme where you "fill up" with the same number of audits every year.

What does the DPA Service questionnaire contain?

The audit is based on 45 questions, which have been created in collaboration with Bech-Bruun, on which an overall compliance level is calculated. These questions are divided into four themes;

  • Compliance activities and layout
  • Processing security and Privacy-by-Design/Default
  • Confidentiality and sub-processors
  • Assistance to the data controller

In other words, your data processors will answer the check on the basis of the above questions, after which you will receive their answers in the form of an audit report, which is detailed above.

How does the correspondence with your data processors take place?

In correspondence with your data processors will mainly take place through us, on your behalf. However, throughout the process, you will be continuously kept up-to-date on the correspondence with your data processors, as well as regularly involved. As mentioned earlier, the correspondence will be documented in DPA Service, which also appears in your status reports.

Can one submit without answering the entire DPA service questionnaire?

Can one submit without answering the entire DPA service questionnaire?

It is not possible for your data processors to submit the questionnaire without answering all the questions, which ensures that we always have a sufficient response when a questionnaire is submitted. The questionnaire is designed in a way that irrelevant questions for the specific data processor will be skipped. At the same time, there are detailed questions for other data processors if necessary. The assessment of which questions to ask is based on previously answered questions.

Can .legal provide legal advice regarding sufficient data processor documentation, etc.?

Since .legal is not a legal firm but merely a provider of tools for GDPR management, .legal unfortunately does not have the authority to provide legal advice. If you require legal advice regarding the DPA Service, we recommend referring to our partner Bech Bruun, the law firm that has been involved in designing the questionnaire to comply with the requirements for control based on the Danish Data Protection Authority's guidance. We are also in constant contact with Bech Bruun to ensure that we are always up to date with the latest regulatory requirements.