Strengthening Vendor Compliance: EDPB Guidance on Data Protection and Supply Chain Oversight
November 19, 2024
According to an article by DLA Piper, the European Data Protection Board (EDPB) recently released guidance clarifying data protection duties for organizations (“controllers”) that rely on third-party processors and their subprocessors. The guidance focuses on two main points: supply chain mapping and verifying vendor compliance.
Supply Chain Mapping
Controllers must fully understand their data processing chain. This means knowing each processor and subprocessor by name, along with details such as legal entity information, the data they process, and their specific roles. This is not just about GDPR Article 28 compliance; it’s essential for transparency and for handling data subject requests, such as requests for data access or deletion.
In practice, vendor data protection standards can lag behind commercial agreements, making proactive contract revisions critical. Controllers should ensure vendors are required to provide relevant details in a clear, usable format.
Verification of Vendor Compliance
Controllers must be able to verify processors’ adherence to data protection laws, especially regarding data security and international data transfers. Verification requirements vary based on data sensitivity. Reviewing subprocessor contracts may be necessary for high-risk data processing, while lower-risk scenarios might require only a contract confirmation. Due diligence may involve assessments through questionnaires, public information, or audits.
For international data transfers, controllers should check that processors handle data in line with GDPR’s Chapter V requirements, particularly when data is sent outside the European Economic Area (EEA). The EDPB advises using precise legal language to ensure compliance and avoid ambiguities.
The article suggests that financial institutions facing additional regulations like the Digital Operational Resilience Act (DORA) enhance supply chain oversight using the EDPB’s recommendations. DORA compliance will become mandatory on January 17, 2025.