GDPR Audit Checklist

Last updated: August 1, 2025

This checklist helps Ponta Oy evaluate and document its compliance with the General Data Protection Regulation (GDPR) as it applies to the ads.ponta.co platform. It should be reviewed quarterly and updated as needed.


1. Data Collection & Processing

  • [x] Have we clearly documented what personal data we collect?
  • [x] Do we collect only the data necessary for our stated purposes?
  • [x] Have we identified and documented the legal basis for each processing activity?
  • [x] Have we performed a data mapping and completed a RoPA (Records of Processing Activities, as required by Article 30)?
  • [x] Do users know why we collect their data and how it will be used?

2. Transparency and User Rights

  • [x] Is our Privacy Policy publicly accessible and clearly written?
  • [x] Do we have a Cookie Policy and a consent banner that blocks non-essential cookies until the user has given consent?
  • [x] Can users easily contact us to request access, correction, deletion, or portability of their data?
  • [x] Do we respond to data subject requests within one month?

3. Data Security

  • [x] Have we implemented appropriate technical and organizational measures (TOMs)?
  • [x] Is personal data encrypted in transit (HTTPS/TLS on all connections) and at rest (including backups)?
  • [x] Do we enforce role-based access control and 2FA for all admin tools, so that access to personal data is limited to staff who need it?
  • [x] Do we have real-time monitoring and logging enabled for all key systems?
  • [x] Are all staff trained in secure data handling and phishing awareness?

4. Vendor and Third-Party Management

  • [x] Do we have signed Data Processing Agreements (DPAs) with all third-party processors?
  • [x] Are data transfers outside the EU covered by SCCs or adequacy decisions?
  • [x] Are our service providers (e.g., Google, AWS, Stripe) bound as processors under a DPA and able to demonstrate their own compliance (e.g., audit reports or certifications)?

5. Breach Response and Incident Handling

  • [x] Do we have a written data breach response plan?
  • [x] Are incidents logged, investigated, and resolved systematically?
  • [x] Can we notify the Data Protection Authority within 72 hours of becoming aware of a breach, where notification is required (Article 33), and inform affected individuals without undue delay where the breach is likely to result in a high risk to them (Article 34)?
  • [x] Do employees know how to report suspected data breaches?

6. Data Retention and Deletion

  • [x] Do we have defined retention periods for each data category?
  • [x] Are expired records securely deleted or anonymized?
  • [x] Do we have procedures for permanent deletion upon user request?

7. Governance and Documentation

  • [x] Is there a designated Privacy Lead or DPO (if required)?
  • [x] Is the Internal Data Protection Policy in place and distributed to all staff?
  • [x] Do we perform regular GDPR compliance reviews or audits?
  • [x] Are GDPR compliance efforts logged and documented for accountability?

Review Cycle

  • [x] This checklist is reviewed quarterly by the Privacy and Security Team
  • [x] Any non-compliant items are flagged for remediation with deadlines

Contact

For questions about this audit or data protection practices, contact:

Privacy Lead
Ponta Oy
Email: privacy@ponta.co