Checklist · 10 Steps · 25 minutes

Vendor Data Privacy Assessment: 10 Steps for Secure Supplier Evaluation

Verify whether your vendors and service providers meet GDPR requirements with this checklist. 10 steps for a structured data protection due diligence process.

Vendor Assessment · Data Privacy · GDPR · DPA · Due Diligence

Why This Checklist Matters

As a data controller under the GDPR, you remain responsible for processing carried out on your behalf: Article 28(1) permits you to use only processors that provide sufficient guarantees of appropriate technical and organizational measures. Every external service provider that processes personal data for you, whether a cloud provider, IT service company, or accountant, must therefore demonstrably meet GDPR requirements, and even a cleaning firm with unsupervised office access must be bound by confidentiality rules. A data protection violation at a vendor can be attributed to you as the contracting party.

Despite this, many organizations forgo a systematic data protection assessment of their vendors or conduct only a superficial review. The consequences range from invalid Data Processing Agreements through GDPR fines to complete data loss following a security incident at the vendor's end. This checklist gives you ten structured steps to assess your vendors thoroughly and traceably. Allow approximately 25 minutes per vendor.


The 10 Steps to Vendor Data Privacy Assessment

Step 1: Create a Vendor Register with Data Mapping

  • Create a complete register of all vendors and service providers that have access to personal data or process it on your behalf. Record the company name, the nature of the service, the categories of data processed, the location of data processing, and the responsible contact person on your side. Do not overlook indirect access: the cleaning company that works alone in the office after hours, the IT service provider with remote maintenance access, or the document destruction service.

Step 2: Determine the Processing Relationship

  • Clarify for each vendor whether a data processing relationship under Article 28 GDPR exists or whether another data protection arrangement applies. Not every collaboration involving data constitutes data processing on behalf of a controller. Distinguish between processor relationships, joint controllership under Article 26 GDPR, and independent controllership. The correct classification determines which contractual arrangements are required and who bears which obligations.

Step 3: Review or Execute a Data Processing Agreement (DPA)

  • Ensure a complete and current DPA pursuant to Article 28 GDPR is in place with every processor. The DPA must govern the subject matter and duration of processing, the nature and purpose, the categories of data subjects and data, the processor's obligations, and the technical and organizational measures. Review existing DPAs for completeness and currency. For the secure exchange of contractual documents with vendors, use solutions like SendMeSafe that provide password-protected, auditable document exchange.

Step 4: Evaluate Technical and Organizational Measures

  • Request up-to-date documentation of the vendor's technical and organizational measures (TOMs) and evaluate them. Check whether measures for encryption, access control, pseudonymization, recoverability, and regular testing are implemented. Compare the TOMs against the sensitivity of the data you are entrusting to the vendor. Highly sensitive data requires correspondingly higher protective measures. Do not settle for descriptions alone; where possible, request evidence and proof.

Step 5: Verify the Location of Data Processing

  • Establish exactly where personal data is processed and stored, particularly for cloud services. Determine whether data is transferred to third countries outside the EEA and whether a valid transfer mechanism under Chapter V GDPR exists, such as an adequacy decision (Article 45), Standard Contractual Clauses (Article 46), or Binding Corporate Rules (Article 47). Where you rely on Standard Contractual Clauses, also document a transfer impact assessment of the destination country's law, as the EDPB recommends following the Schrems II judgment. Pay particular attention to US-based providers and verify whether they are certified under the EU-US Data Privacy Framework and whether that certification covers the service and data in question. Document the server locations and sub-processors.

Step 6: Assess Sub-Processors

  • Request a complete list of all sub-processors from the vendor and review it. Under Article 28(2) GDPR, the processor may engage sub-processors only with your prior specific or general written authorization; with a general authorization, the processor must inform you of intended additions or replacements so that you can object. Check which form your DPA provides for and how you are notified of changes. Under Article 28(4), the same data protection obligations as in your DPA must be imposed on each sub-processor by contract, and the processor remains fully liable to you for the sub-processor's performance. Evaluate sub-processors using the same criteria as the primary vendor, especially regarding location and security measures.

Step 7: Review Security Certifications and Independent Assessments

  • Ask about existing certifications and independent security assessments held by the vendor. Relevant certifications include ISO 27001 for information security, SOC 2 for service organizations, BSI C5 for cloud providers, and industry-specific standards. Certifications do not replace your own assessment but are a strong indicator of an established security management system. Verify the validity period of each certificate and check that its scope actually covers the service and locations you use; for SOC 2, prefer a Type II report, which attests to operating effectiveness over a period, to a Type I report, which only describes control design at a point in time.

Step 8: Agree on Deletion and Data Return Procedures

  • Contractually agree on how personal data will be deleted or returned upon termination of the relationship. The DPA must stipulate that the processor deletes or returns all personal data after processing ends and destroys existing copies, unless a statutory retention obligation exists. Request written proof of deletion and verify whether the vendor has a documented deletion policy.

Step 9: Agree on a Data Breach Notification Process

  • Ensure the vendor will notify you of personal data breaches without undue delay, as Article 33(2) GDPR requires of processors, and define the notification process contractually. The processor must inform you promptly so that you can meet your own obligation under Article 33(1) to notify the supervisory authority within 72 hours of becoming aware of a breach. Agree on specific notification deadlines, communication channels, and contact persons. After contract execution, test the notification process in a joint drill.

Step 10: Secure Audit Rights and Schedule Regular Reviews

  • Secure contractual audit rights and plan regular reviews of your vendors. Article 28(3)(h) GDPR grants you the right to conduct inspections or have them carried out by an independent auditor. Conduct annual vendor reviews in which you check the currency of the TOMs, compliance with the DPA, and the sub-processor list. Document the results and initiate corrective measures where deficiencies are found.
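The ten steps above are individual checks, but a vendor register only pays off when the checks are run against every entry, including the sub-processor chain from Step 6, on a schedule. The following Python script is an added example and is not part of this checklist or of SendMeSafe: it encodes the checklist's decision rules (role determines whether a DPA is needed, third-country processing needs a transfer mechanism, certificates expire, reviews fall due) and runs them over a constructed sample register. The field names, the partial EEA country list, the 24-hour internal notification target, and the sample vendors are assumptions made for the illustration.

```python
"""Vendor register validator for the ten-step assessment (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Assumptions for this illustration: a partial EEA list and the transfer
# mechanisms named in Step 5. Extend the country set before real use.
EEA = {"AT", "BE", "DE", "DK", "ES", "FI", "FR", "IE", "IT", "NL", "NO", "PL", "SE"}
TRANSFER_MECHANISMS = {"adequacy_decision", "sccs", "bcrs"}
ROLES = {"processor", "joint_controller", "independent_controller"}
MAX_NOTIFY_HOURS = 24        # assumed internal SLA inside the 72-hour window (Step 9)
REVIEW_INTERVAL_DAYS = 365   # annual review (Step 10)


@dataclass
class Vendor:
    name: str
    role: str                                        # Step 2
    data_categories: list[str]                       # Step 1
    processing_countries: list[str]                  # Step 5, ISO 3166 alpha-2
    dpa_signed: date | None = None                   # Step 3
    toms_documented: bool = False                    # Step 4
    transfer_mechanism: str | None = None            # Step 5
    sub_processors: list[Vendor] = field(default_factory=list)      # Step 6
    certifications: dict[str, date] = field(default_factory=dict)   # Step 7, name -> expiry
    deletion_clause: bool = False                    # Step 8
    notify_hours: int | None = None                  # Step 9
    audit_rights: bool = False                       # Step 10
    joint_arrangement: bool = False                  # Art. 26 arrangement, Step 2
    last_review: date | None = None                  # Step 10


def check_vendor(v: Vendor, today: date) -> list[str]:
    """Return findings for one vendor and, recursively, for its sub-processors."""
    issues: list[str] = []
    if v.role not in ROLES:
        issues.append(f"role '{v.role}' is not classified (Step 2)")
    if v.role == "joint_controller" and not v.joint_arrangement:
        issues.append("joint controllership without an Art. 26 arrangement")
    if v.role == "processor":            # Art. 28 obligations apply only to processors
        if v.dpa_signed is None:
            issues.append("no DPA under Art. 28(3)")
        if not v.toms_documented:
            issues.append("TOMs not documented")
        if not v.deletion_clause:
            issues.append("no deletion/return clause")
        if v.notify_hours is None:
            issues.append("no contractual breach-notification deadline")
        elif v.notify_hours > MAX_NOTIFY_HOURS:
            issues.append(f"breach notification deadline {v.notify_hours}h exceeds {MAX_NOTIFY_HOURS}h")
        if not v.audit_rights:
            issues.append("no audit rights under Art. 28(3)(h)")
    # Chapter V: any processing outside the EEA needs a documented transfer mechanism.
    third = sorted(c for c in v.processing_countries if c not in EEA)
    if third and v.transfer_mechanism not in TRANSFER_MECHANISMS:
        issues.append(f"third-country processing in {third} without a transfer mechanism")
    for cert, expiry in v.certifications.items():
        if expiry < today:
            issues.append(f"certification {cert} expired on {expiry}")
    if v.last_review is None or (today - v.last_review).days > REVIEW_INTERVAL_DAYS:
        issues.append("annual review overdue")
    findings = [f"{v.name}: {msg}" for msg in issues]
    for sp in v.sub_processors:          # same criteria down the whole chain (Step 6)
        findings += [f"{v.name} -> {msg}" for msg in check_vendor(sp, today)]
    return findings


def assess_register(register: list[Vendor], today: date) -> dict[str, list[str]]:
    return {v.name: check_vendor(v, today) for v in register}


# Constructed sample register; the vendors and dates are fictitious.
TODAY = date(2024, 6, 1)
cdn = Vendor(name="ExampleCDN Inc.", role="processor", data_categories=["ip_addresses"],
             processing_countries=["US"], dpa_signed=date(2023, 9, 1), toms_documented=True,
             transfer_mechanism="adequacy_decision",  # assumed DPF certification
             certifications={"SOC 2 Type II": date(2025, 1, 31)}, deletion_clause=True,
             notify_hours=24, audit_rights=True, last_review=date(2024, 1, 15))
cloud = Vendor(name="ExampleCloud GmbH", role="processor",
               data_categories=["customer_master_data", "contracts"],
               processing_countries=["DE", "IE"], dpa_signed=date(2023, 9, 1),
               toms_documented=True, sub_processors=[cdn],
               certifications={"ISO 27001": date(2026, 3, 31), "BSI C5": date(2025, 6, 30)},
               deletion_clause=True, notify_hours=24, audit_rights=True,
               last_review=date(2024, 1, 15))
payroll = Vendor(name="ExamplePayroll Ltd.", role="processor",
                 data_categories=["employee_data", "bank_details"],
                 processing_countries=["GB", "IN"], dpa_signed=date(2021, 2, 1),
                 toms_documented=False, certifications={"ISO 27001": date(2024, 2, 28)},
                 deletion_clause=True, notify_hours=72, audit_rights=False,
                 last_review=date(2022, 11, 3))
REGISTER = [cloud, payroll]

if __name__ == "__main__":
    for name, findings in assess_register(REGISTER, TODAY).items():
        print(name, "OK" if not findings else "")
        for line in findings:
            print("  -", line)
```

In the sample, the cloud provider and its US sub-processor pass because the sub-processor has a documented transfer mechanism, while the payroll vendor accumulates findings for undocumented TOMs, a 72-hour notification deadline that leaves you no time for your own 72-hour obligation, missing audit rights, an undocumented third-country transfer, an expired certificate, and an overdue review. Findings from a sub-processor are reported under the primary vendor, which matches the liability chain in Article 28(4).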

Summary

Assessing your vendors' data protection practices is not a one-time exercise but an ongoing process. The ten steps in this checklist ensure that every service provider processing personal data on your behalf demonstrably meets GDPR requirements. From the vendor register and the DPA through to the regular audit, you create a documented and defensible foundation that protects you in the event of an inspection.

For the secure exchange of sensitive documents with your vendors, use tools like SendMeSafe that provide encryption, access control, and end-to-end auditability. This way, the document exchange within your vendor assessment itself becomes a model for sound data protection practice.


Frequently Asked Questions

How often should I review my vendors?

A full review should take place at least once per year. For vendors processing particularly sensitive data or those with a history of issues, semi-annual reviews are recommended. In addition, event-driven reviews should be conducted when the vendor makes changes to its sub-processors, security measures, or processing locations.

What should I do if a vendor refuses to sign a DPA?

If a vendor refuses to sign a DPA or will only accept an incomplete agreement, this is a serious red flag. Without a valid DPA, you may not entrust personal data to the vendor. Seek a discussion and explain the legal necessity. If the vendor does not comply, you must terminate the relationship and find a GDPR-compliant alternative provider.

Do I also need to assess small service providers like cleaning companies?

Yes, if they can potentially access personal data. A cleaning company that works alone in the office and has access to unlocked cabinets, screens, or printers is relevant from a data protection perspective. However, the scope of the assessment can be proportionate to the risk. For low-risk scenarios, a confidentiality agreement and basic security rules are often sufficient.

Does this checklist apply to cloud services and SaaS providers?

Yes, cloud services and SaaS providers are typical processors and require particularly thorough assessment. For cloud services, pay special attention to the location of data processing, the sub-processor chain, encryption at rest and in transit, and the ability to achieve data portability and complete deletion at contract termination.
