Quote
The Assessor agrees with the Supplier that the Implementation Status is “Not Applicable”.
For Data Privacy questions, Allianz explicitly instructs Assessors to rely on the vendor’s self-assessment. As per the directive from Allianz on 3rd December 2025, a lack of supporting evidence for answers marked “Fully implemented and independently assessed”, “Fully implemented”, or “Not Applicable” shall not result in a downgrade of the risk score or trigger missing evidence escalations. This directive applies exclusively to Data Privacy questions and overrides the usual validation requirements.
All requirements for accepting a “Not Applicable” response are satisfied.
That is because the Supplier’s justification aligns with the service description provided by Allianz, which indicates that the control is not applicable to the nature of the services in scope. The service model does not involve activities or processing that would require the implementation of this control.
And because this question falls within the Data Privacy scope, the Assessor accepts the Supplier’s response on the basis of this Allianz directive. The service description supports the Supplier’s assessment that the control is out of scope and does not contradict the “Not Applicable” response.
The Assessor therefore finds that the Implementation Status is Not Applicable.
The Gap Severity is therefore Very Low, as defined in the Allianz Gap Severity Matrix.