GDPR questionnaire for suppliers
When adapting to or implementing the GDPR in a company, the providers that have access to personal data (known as data processors) must be identified and sent a GDPR questionnaire. In this outsourcing process, data controllers are bound by the text of Art. 28.1, which states that the controller “shall use only processors that offer sufficient guarantees to apply appropriate technical and organizational measures”.
How is this duty of care fulfilled properly? Is sending a questionnaire to the supplier enough? What do you do if it is impossible for the supplier to answer a questionnaire? Let’s break this down.
In the relationship between the controller and the processors, it is increasingly common for the former to send the latter a questionnaire with a list of questions to verify the level of diligence of the provider in its compliance with the GDPR.
There is a wide range of cases, but the most frequently asked questions are usually:
- Whether the provider has carried out adequate training for its staff. Remember that we already dealt with this topic in a post a few weeks ago.
- Whether employees have signed a confidentiality agreement.
- Whether the provider subcontracts part or all of the service.
- Whether the provider has appointed a Data Protection Officer.
- Whether the provider has implemented a protocol for the detection and notification of security incidents. See the information from the AEPD here.
- Whether the provider holds some type of information security certification.
As said, the type and number of questions can vary widely, but the question here is whether the controller can rest easy simply by sending this questionnaire and having the provider complete it.
Faced with this question, we can say that sending this questionnaire certainly demonstrates a significant initial degree of awareness on the controller's part and is therefore in line with ensuring that the provider in question also complies with the GDPR. However, there are two important issues at this point:
- On many occasions, no evidence is requested to support the answers given by the provider and, therefore, the controller simply takes the answers to the questionnaire on trust. This is not good practice from the outset, and it is always recommended that, together with the response, the provider be asked to supply evidence or proof that a specific obligation is actually being fulfilled. For example: asking whether confidentiality agreements have been signed is fine, but the correct thing to do is not only to request the template but also to verify that it has actually been signed. The same applies to many other aspects of the questionnaire, such as accrediting training (if it is indicated that any has been given) or, in the case of subcontracting, providing the existing contracts with subcontractors.
- On the other hand, the relationship between a controller and a processor can be flexible and change over time. For this reason, completing an initial questionnaire may be valid at that moment, but the answers can also become out of date very quickly. It is therefore recommended that the actions taken to verify the degree of compliance of providers be carried out regularly.
And what if the provider never answers a GDPR questionnaire?
The contracting of services that involve access to data frequently means dealing with cloud providers that will never respond to a request to fill out a questionnaire.
What level of diligence is required in these cases? Well, in these cases we must rely on the provider's public information. Undoubtedly, the terms of service are an indicator of whether or not they meet their obligations as data processors.
We must also be guided, in these cases, by any international security certifications or standards that the provider may hold and, as in the previous case, schedule regular reviews to check that these terms or certifications have not been modified or expired.
In conclusion, and as we have pointed out on many occasions, the outsourcing of services to third parties is a trend that is unlikely to stop. From small freelancers or professionals to larger companies, the range of providers with access to data continues to grow: the use of a cloud CRM or ERP, employee time-tracking applications, recruitment processes, email marketing, etc.
Identifying and inventorying these providers and ensuring that they comply with the GDPR throughout the term of the contractual relationship with them is one of the most important challenges for companies that want to comply with data protection regulations.
If you want to know more about this GDPR questionnaire and want to implement it with your suppliers, contact us!
LEGAL IT GLOBAL 2017, SLP