Bundled with Azerbaijan + EU Website Privacy Compliance Audit · assets/audit_report_template.md
# Audit Report Template
The audit report produced by this skill must use the structure below, in this exact order. The order is non-negotiable because it lets a business reader stop after section 1 and a lawyer drill into the citation-heavy sections from section 4 onward.
# Privacy Compliance Audit — [Site identifier]

- Date: [YYYY-MM-DD]
- Auditor: [name]
- Materials reviewed: [URLs, files, screenshots — list with timestamps]
- Languages of materials: [list]
- Audience determination: [AZ only / EU-targeted / both / global]
- Frameworks assessed: Law No. 998-IIIQ (AZ); GDPR + ePrivacy (EU) [delete what does not apply]
## 1. Executive summary
A four-part block for the business reader. Keep this section under one screen on a laptop.
### Top critical issues (Red)
- [One line, plain language]
- [One line, plain language]
- [One line, plain language]
### Top material issues (Amber)
- [One line]
- [One line]
- [One line]
### Overall compliance posture
- Law No. 998-IIIQ (AZ): Compliant / Largely compliant / Material gaps / Significant gaps
- GDPR (EU): Not applicable / Compliant / Largely compliant / Material gaps / Significant gaps
- ePrivacy / cookies (EU): Not applicable / Compliant / Material gaps / Significant gaps
### One-paragraph plain-language summary
[Three to five sentences explaining the bottom line in language a business owner without legal training can understand. No article numbers in this paragraph.]
## 2. Scope
| Item | Value |
|---|---|
| Site URL | … |
| Controller (apparent) | Legal entity name; country of registration; address |
| Business model | … |
| Categories of personal data inferred | … |
| Audience determination | AZ / EU / both / global |
| GDPR applicability | Applies / Does not apply / Unclear — Art. 3 basis: … |
| AZ Law applicability | Applies |
| ePrivacy / cookie regime applicability | Applies / Does not apply |
| Cross-border processing observed | Yes / No / Likely — describe |
## 3. Document inventory
| Document | Status | Location |
|---|---|---|
| Privacy policy / notice | Present / Missing / Inaccessible / Outdated | URL |
| Cookie policy | … | … |
| Cookie consent banner | … | … |
| Terms of service / use | … | … |
| Data subject rights request channel | … | … |
| Controller identification (legal entity, address) | … | … |
| DPO contact | … | … |
| AZ State Register / operator-registration reference | … | … |
| EU representative (Art. 27 GDPR) | … | … |
| Imprint / impressum | … | … |
## 4. Findings — Azerbaijani Law No. 998-IIIQ
| # | Requirement | Anchor | Evidence (verbatim, original language; English in parens if needed) | Status | Note |
|---|---|---|---|---|---|
| 4.1 | Legal basis stated for each processing purpose | Law No. 998-IIIQ, provisions on legal grounds for processing | … | Green / Amber / Red / Unverified / Grey | … |
| 4.2 | Categories of personal data identified, including special categories | … | … | … | … |
| 4.3 | Controller identification (legal entity, address, contact) | … | … | … | … |
| 4.4 | Purposes of processing, separately stated | … | … | … | … |
| 4.5 | Recipients / categories of recipients disclosed | … | … | … | … |
| 4.6 | Retention period or criteria stated | … | … | … | … |
| 4.7 | Data subject rights named with channel to exercise | … | … | … | … |
| 4.8 | Consent obtained on a valid basis where consent is the ground | … | … | … | … |
| 4.9 | Security measures referenced | … | … | … | … |
| 4.10 | Processor relations addressed | … | … | … | … |
| 4.11 | Cross-border transfers identified with basis | … | … | … | … |
| 4.12 | Breach response process referenced | … | … | … | … |
| 4.13 | Children's data (where applicable) — parental consent | … | … | … | … |
Add or remove rows as the facts demand. Do not pad with rows that the site's processing does not implicate.
## 5. Findings — GDPR
Include this section only if Step 1 concluded GDPR applies.
| # | Requirement | Article | Evidence | Status | Note |
|---|---|---|---|---|---|
| 5.1 | Controller identity and contact | Art. 13(1)(a) | … | … | … |
| 5.2 | EU representative for non-EU controller | Art. 27 | … | … | … |
| 5.3 | DPO contact (if appointed / required) | Art. 37; Art. 13(1)(b) | … | … | … |
| 5.4 | Purposes and lawful basis | Art. 13(1)(c); Art. 6 | … | … | … |
| 5.5 | Legitimate interests, where invoked | Art. 13(1)(d); Art. 6(1)(f) | … | … | … |
| 5.6 | Special-category data basis | Art. 9(2) | … | … | … |
| 5.7 | Recipients or categories | Art. 13(1)(e) | … | … | … |
| 5.8 | International transfer disclosures and safeguards | Art. 13(1)(f); Arts. 44–49 | … | … | … |
| 5.9 | Retention period or criteria | Art. 13(2)(a) | … | … | … |
| 5.10 | Data subject rights named | Art. 13(2)(b); Arts. 15–22 | … | … | … |
| 5.11 | Right to withdraw consent | Art. 13(2)(c); Art. 7(3) | … | … | … |
| 5.12 | Right to lodge a complaint | Art. 13(2)(d) | … | … | … |
| 5.13 | Statutory/contractual obligation to provide | Art. 13(2)(e) | … | … | … |
| 5.14 | Automated decision-making information | Art. 13(2)(f); Art. 22 | … | … | … |
| 5.15 | Sources, where data is not collected from the subject | Art. 14 | … | … | … |
| 5.16 | Consent quality (free, specific, informed, unambiguous) | Art. 4(11); Art. 7; EDPB 05/2020 | … | … | … |
| 5.17 | Security and breach references | Arts. 32–34 | … | … | … |
| 5.18 | Records of processing — controller obligation | Art. 30 | Unverified — see section 10 | Unverified | — |
| 5.19 | DPIA where applicable | Art. 35 | Unverified — see section 10 | Unverified | — |
## 6. Findings — ePrivacy / cookies
Include this section only if Step 1 concluded the ePrivacy regime applies, or if the AZ controller processes personal data via cookies.
| # | Requirement | Anchor | Evidence | Status | Note |
|---|---|---|---|---|---|
| 6.1 | No non-essential trackers fire before consent | ePrivacy Directive Art. 5(3); EDPB 05/2020 | … | … | … |
| 6.2 | Granular consent by purpose / category | EDPB 05/2020 | … | … | … |
| 6.3 | Active, unambiguous consent action | Planet49 C-673/17 | … | … | … |
| 6.4 | "Reject" parallel to "Accept" on first layer | CNIL, Garante, etc. enforcement | … | … | … |
| 6.5 | Banner is informed (purposes, parties, retention) | Art. 13 GDPR + EDPB 05/2020 | … | … | … |
| 6.6 | Free consent (no impermissible cookie wall) | EDPB 05/2020 §38–41 | … | … | … |
| 6.7 | Withdrawal as easy as granting | Art. 7(3) GDPR | … | … | … |
| 6.8 | Persistent re-access to preferences | EDPB 05/2020 | … | … | … |
| 6.9 | Cookie policy lists individual cookies (name, party, purpose, retention) | Member-state practice | … | … | … |
| 6.10 | IAB TCF deployment integrity (if used) | IAB Europe TCF Policies; Belgian APD 21/2022 | … | … | … |
| 6.11 | [AZ] Cookies processing personal data — basis under Law 998 | Law No. 998-IIIQ | … | … | … |
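Row 6.1 is the one finding in this table that can be checked mechanically rather than by reading a policy: every cookie observed on first load, before any interaction with the banner, must be strictly necessary. The following is an added example and not part of the skill's assets; it assumes a constructed pre-consent capture in which each cookie already carries a purpose label (as a cookie scanner export or a manually annotated HAR would) and an essential-purpose allowlist chosen here as an assumption, and it renders the result as a section 6 table row in the template's own format.

```python
import json

# Constructed sample: cookies observed on first page load, before any
# interaction with the consent banner. In a real audit this comes from the
# HAR file or cookie scanner output that section 10 asks the auditor to record.
PRE_CONSENT_CAPTURE = json.dumps([
    {"name": "session_id", "domain": "example.az", "party": "first", "purpose": "session"},
    {"name": "cc_choice",  "domain": "example.az", "party": "first", "purpose": "consent-state"},
    {"name": "_ga",        "domain": "example.az", "party": "third", "purpose": "analytics"},
    {"name": "_fbp",       "domain": "example.az", "party": "third", "purpose": "advertising"},
])

# Assumption: purposes treated as strictly necessary for the service requested.
# Analytics and advertising are deliberately absent; they need prior consent.
ESSENTIAL_PURPOSES = {"session", "consent-state", "security", "load-balancing"}

def classify(capture_json):
    """Split the observed cookies into essential and non-essential lists."""
    cookies = json.loads(capture_json)
    essential = [c for c in cookies if c["purpose"] in ESSENTIAL_PURPOSES]
    non_essential = [c for c in cookies if c["purpose"] not in ESSENTIAL_PURPOSES]
    return essential, non_essential

def finding_6_1(capture_json):
    """Return the Evidence / Status / Note cells for row 6.1 as a dict."""
    _, non_essential = classify(capture_json)
    if not non_essential:
        return {"status": "Green",
                "evidence": "No non-essential cookies set before consent",
                "note": ""}
    names = ", ".join(f"{c['name']} ({c['purpose']}, {c['party']}-party)"
                      for c in non_essential)
    return {"status": "Red",
            "evidence": f"Set before consent: {names}",
            "note": f"{len(non_essential)} non-essential cookie(s) fire pre-consent; "
                    "gate them behind the consent signal"}

def render_row(finding):
    """Render the finding as a row in the section 6 table layout."""
    return ("| 6.1 | No non-essential trackers fire before consent "
            "| ePrivacy Directive Art. 5(3); EDPB 05/2020 "
            f"| {finding['evidence']} | {finding['status']} | {finding['note']} |")

if __name__ == "__main__":
    print(render_row(finding_6_1(PRE_CONSENT_CAPTURE)))
```

The purpose labels are the weak point of any such check: a scanner that cannot attribute a purpose to a cookie should leave that cookie as Unverified in the row rather than silently counting it as essential.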
## 7. Cross-border transfers

### 7.1 Outbound from Azerbaijan (Law No. 998-IIIQ)
| Recipient / category | Destination | Basis stated | Status | Note |
|---|---|---|---|---|
| … | … | … | … | … |
### 7.2 Outbound from EU/EEA to AZ (GDPR Chapter V), if applicable
| Flow | Mechanism (Art. 45 / 46 / 49) | Status | Note |
|---|---|---|---|
| … | … | … | … |
## 8. Operator registration assessment (AZ)
| Question | Finding | Status |
|---|---|---|
| Does processing fall within categories of information systems requiring registration? | Likely / Possibly / Unlikely / Unverified | — |
| Does the privacy notice reference registration? | Yes / No | Green / Amber / Red |
| Controller's legal identity disclosed sufficiently to permit verification? | Yes / No | Green / Red |
Recommendation: [One sentence.]
## 9. Prioritised remediation list
Number each fix. Tag with [AZ] / [EU] / [ePrivacy]. Order by severity, then by ease of implementation.
- [Red] [EU] [Fix description]
- [Red] [AZ] [Fix description]
- [Amber] [ePrivacy] [Fix description]
- …
For each item, include in one to two sentences: what to change, why, and which finding row(s) it closes.
## 10. Assumptions and limitations
- What materials the auditor reviewed and what was missing.
- What the auditor could not verify from the materials provided (e.g., back-end consent logs, Art. 30 records, SCC text, TIA).
- Whether the audit relied on a translated text and the implications.
- Whether a live network capture or cookie scanner output was available; if not, the cookie audit is partial.
- Specific recommendations for further verification (request documents from controller; live audit using browser developer tools; verify operator registration with the competent authority).
This audit is a compliance assessment of the materials provided. It is not legal advice and does not create a lawyer-client relationship. Statutory citations refer to the current consolidated text as of the date above; verify against the official source.