Strengthening Vendor Compliance: EDPB Guidance on Data Protection and Supply Chain Oversight

According to an article by DLA Piper, the European Data Protection Board (EDPB) recently released guidance clarifying data protection duties for organizations (“controllers”) that rely on third-party processors and their subprocessors. The guidance focuses on two main points: supply chain mapping and verifying vendor compliance.

Supply Chain Mapping

Controllers must fully understand their data processing chain. This involves knowing all processors and subprocessors by name and details like legal entity information, data they process, and their specific roles. This is not just about GDPR Article 28 compliance; it’s essential for transparency and handling data subject requests, such as requests for data access or deletion.

In practice, vendor data protection standards can lag behind commercial agreements, making proactive contract revisions critical. Controllers should ensure vendors are required to provide relevant details in a clear, usable format.

Verification of Vendor Compliance

Controllers must be able to verify processors’ adherence to data protection laws, especially regarding data security and international data transfers. Verification requirements vary based on data sensitivity. Reviewing subprocessor contracts may be necessary for high-risk data processing, while lower-risk scenarios might require only a contract confirmation. Due diligence may involve assessments through questionnaires, public information, or audits.

For international data transfers, controllers should check that processors handle data in line with GDPR’s Chapter V requirements, particularly when data is sent outside the European Economic Area (EEA). The EDPB advises using precise legal language to ensure compliance and avoid ambiguities.

The article suggests that financial institutions facing additional regulations like the Digital Operational Resilience Act (DORA) enhance supply chain oversight using the EDPB’s recommendations. DORA compliance will become mandatory on January 17, 2025.