Under the GDPR Article 28(1), ‘the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject’. In other words, data controllers are responsible for ensuring that their third-party data processors adhere to rigorous data protection standards.

For the data controller to ensure that this is the case, so-called vendor due diligence procedures should be followed. Vendor due diligence helps organizations evaluate the data processing activities of their potential data processors to ensure compliance and minimize the risk of data breaches. By conducting due diligence, businesses can safeguard their customers’ personal data, maintain regulatory compliance, and protect their reputation.

In general, key components of vendor due diligence include:

1. Vendor selection. Before engaging with a vendor, organizations must carefully assess their data protection practices. This involves reviewing their privacy policies, data handling procedures, and security measures (including encryption, access controls, vulnerability management, incident response plans, employee training programs and disaster recovery procedures, etc.) to determine if they align with GDPR requirements. Vendor selection also includes understanding of locations of where shared personal data will be processed, matters of international data transfer.
2. Contractual obligations. Under the GDPR Article 28(3), ‘processing by a processor shall be governed by a contract or other legal act under Union or Member State law […]’. Such contracts with data processors are usually referred to as ‘Data Processing Agreements’. Those should include specific clauses that outline data protection responsibilities, confidentiality obligations, and the requirement to process data only as instructed by the data controller. These agreements should also address issues such as data breach notification, data retention, and data transfer mechanisms.
3. Sub-processor due diligence. If a data processor engages subcontractors (sub-processors) to process personal data on their behalf, a data controller must ensure that those contractors also adhere to GDPR requirements. The data processor should provide transparency regarding sub-processor relationships and obtain the data controller’s prior specific or general written authorisation. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
4. Ongoing Monitoring. Data controllers should regularly review their processors’ compliance with the GDPR and reassess their data protection practices. This can involve periodic audits, security assessments, and maintaining open communication channels to address any emerging concerns.

To effectively implement vendor due diligence under the GDPR, data controllers should consider the following practices:

1. Develop a vendor management Program. Establish a structured vendor management program that includes policies, procedures, and guidelines for vendor due diligence. This program should outline the steps to be followed, the criteria for vendor selection, and the ongoing monitoring process.
2. Training. Once vendor management policies, procedures, and guidelines are developed and implemented, the relevant personnel should be properly trained to ensure they understand how those policies, procedures, and guidelines should be applied.
3. Collaboration and communication. Foster open and transparent communication channels with data processors. Regularly engage in discussions regarding data protection practices, share information on changes in regulatory requirements, and seek assurance that data processors are actively maintaining compliance.
4. Documentation. Maintain proper documentation of all vendor due diligence activities, including assessments, audits, contractual agreements, and communication records. These records serve as evidence of compliance efforts and can be valuable in demonstrating accountability to regulatory authorities, if required.

As an example of approach from one of the EU’s supervisory authorities, in 2021, Danish data protection authority (Datatilsynet) published a guiding model helping to understand what approaches and methodologies towards vendor assessment might be taken.

Depending on the risk level the processing poses and on the credibility of the data processors, the due diligence exercise falls within one of the six concepts. If, for example, a data controller undertakes the data processing which is low risk, and it uses a trustworthy and widely recognised data processor, then Concept 1 will apply to the due diligence, meaning that there is no need to actively audit the data processor. By contrast, if the processor lacks credibility and/or if the risks are high, this may lead to the Concept 6 to be applicable, meaning that this requires full-scale assessment of risks to the data subjects, supplemented with own or third-party audit and/or subsequent supervision.

DPOrganizer can help companies with conducting due diligence in respect of their data processors in different ways, depending on the needs. Feel free to reach out to us to learn more!