Vet Your Data Processors: The Forum Case

In January 2022, the President of the Personal Data Protection Office of Poland fined Forum Marketing and Sales SA, a data controller, and PITKA Technologies, a data processor, for not implementing appropriate technical and organizational measures to ensure the security of personal data. Specifically, Forum failed to exercise its GDPR right to audit and inspect PITKA, leading to a significant data breach of its customers’ personal data. 

Controllers need to avoid making these same mistakes. One, make sure you have in place contractual safeguards with your data processors that document the parties’ ongoing obligations, robustly protect personal data and alleviate risk. Two, ensure that your data processors’ security measures meet required standards, using due diligence questionnaires with technical questions about the processor’s data security environment. Three, choose data processors that have in place certifications such as ISO 27001, demonstrating they have formally satisfied stringent requirements. Finally, conduct audits and inspections of your processor, and regularly review and update your processor’s contract.