📋
Art. 2.1
Data Governance & Compliance
DPO appointment, annual audits, DPCO engagement, staff training, and DPIA processes under NDPR Art. 2.1.
Q1 · Domain 1
A Data Protection Officer (DPO) has been appointed as required by NDPR.
Q2 · Domain 1
Annual data protection audits are conducted as required by NDPR.
Q3 · Domain 1
A Data Protection Compliance Organisation (DPCO) has been engaged if required.
Q4 · Domain 1
NDPR compliance training has been completed for all staff handling personal data.
Q5 · Domain 1
A Data Protection Impact Assessment (DPIA) process exists for high-risk processing activities.
⚖️
Art. 2.2
Lawful Basis & Consent
Lawful basis documentation, consent management, sensitive data consent, and privacy notices per NDPR Art. 2.2.
Q1 · Domain 2
A lawful basis is documented for every processing activity.
Q2 · Domain 2
Consent is obtained via clear affirmative action and is freely withdrawable per Art. 2.2.
Q3 · Domain 2
A consent management system captures and records all consent.
Q4 · Domain 2
Sensitive personal data (health, biometrics) has explicit consent.
Q5 · Domain 2
Privacy notices are written in plain language and accessible to data subjects.
👤
Art. 2.4
Data Subject Rights
Access, rectification, erasure, portability, and objection rights per NDPR Art. 2.4.
Q1 · Domain 3
Access requests are responded to within 30 days per Art. 2.4.
Q2 · Domain 3
Processes exist to rectify inaccurate personal data promptly.
Q3 · Domain 3
Erasure requests are handled within prescribed timeframes.
Q4 · Domain 3
Data portability is supported for consent-based personal data.
Q5 · Domain 3
Objection to processing requests are formally assessed and responded to.
🔒
Art. 2.6
Security & Safeguards
Technical and organisational measures, processor agreements, incident response, and breach notification per NDPR Art. 2.6.
Q1 · Domain 4
Technical measures (encryption, access controls) protect personal data per Art. 2.6.
Q2 · Domain 4
Organisational security measures are documented and enforced.
Q3 · Domain 4
All processors are bound by data processing agreements with security requirements.
Q4 · Domain 4
An incident response plan covers personal data breach detection and containment.
Q5 · Domain 4
Breach notification procedures comply with NDPR reporting timelines.
🌐
Art. 2.11
Cross-Border Transfers
Identification, lawful transfer mechanisms, third-country guarantees, SCCs, and transfer record-keeping per NDPR Art. 2.11.
Q1 · Domain 5
All cross-border data transfers have been identified and documented.
Q2 · Domain 5
A lawful transfer mechanism is in place for each cross-border data flow.
Q3 · Domain 5
Third-country recipients provide adequate data protection guarantees.
Q4 · Domain 5
Standard contractual clauses or equivalent safeguards are used for transfers.
Q5 · Domain 5
Cross-border transfer records are maintained and available for regulator inspection.