Is your company preparing to cooperate with a new contractor (processor)? Find out how to secure this process from the GDPR perspective.

The beginning of the year is often a time of change for companies, including changes in service providers (e.g., document destruction, archiving, cloud services, marketing, accounting, etc.).

If your department is responsible for finalizing agreements whose performance involves a contractor processing personal data on behalf of your company (e.g., data of clients, employees, job candidates), it is necessary to conclude a data processing agreement with that entity, which must meet the requirements of Article 28 of the GDPR. However, signing the agreement is not enough. A prior verification of the contractor is essential.

As a reminder:

A personal data controller is an entity that determines the purposes and means of personal data processing.

A processor is an entity entrusted by the controller with the processing of personal data. The processor processes the data on behalf of the controller and for the controller's purposes.

So what do employees need to know to ensure that this process complies with data protection regulations?

Before signing a contract, it is necessary to verify the future contractor

The GDPR requires verification of the entity to which we intend to entrust services related to personal data processing. Such an entity must:

  • ensure that its data processing will meet the requirements of the GDPR and protect the rights of data subjects,
  • guarantee the implementation of appropriate technical and organisational measures for this purpose.

A declaration by the contractor that it meets these conditions is not sufficient, and neither are references or a history of long-term cooperation. A genuine assessment is necessary to confirm that the security measures implemented by the processor are adequate to the risks involved and enable it to fulfil the obligations arising from the entrustment.

So how can a contractor be verified?

The controller must evaluate whether the processor:

  • has the necessary professional expertise to ensure appropriate security measures,
  • has sufficient resources to fulfil its data security obligations,
  • is reliable.

There is no exhaustive list of activities for contractor verification – it largely depends on the circumstances of the processing. However, the most common methods include:

Security questionnaire

The most common method is a security questionnaire completed by the processor, in which they provide information on, among other things, the functioning of their data protection system, applicable procedures, documentation maintained, employee awareness, systems used, security measures (technical, physical, organisational), and the use of further processors (sub-processors).

Depending on the nature of the services provided by the contractor and the scope of the entrusted data (and therefore the associated risks), the level of detail required in the questionnaire will vary.

Documentation review

The assessment of a contractor may require verifying the documentation relating to the area in which they act as a processor. Such a review may include, for example, data protection and information security policies, procedures, terms of service, reports from external data protection audits, certifications, such as compliance with ISO standards.

Analysis of declared technical and organisational measures

There may be situations in which the contractor cannot be asked to complete the questionnaire. This occurs in particular with large suppliers who "impose" their own contract templates. In these cases it may still be possible to analyse the measures the entity itself declares, for example those listed in the contractual documentation, in its terms and conditions or on its website. You could also try to obtain the necessary information by contacting the processor's data protection officer, if one has been appointed, or its data protection unit.

In some cases, proper verification may also require face-to-face meetings or inspections – it all depends on the circumstances of the case.

The controller should carry out its assessment on the basis of the information collected. Importantly, the assessment of the contractor must be documented.

In summary, the verification:

  • must be conducted,
  • must be effective, meaning it must allow the controller to determine whether the processor will apply such organisational and technical measures to the entrusted processing as are necessary to ensure data security and the protection of data subjects’ rights,
  • must be documented – this is a requirement of the accountability principle; without proper documentation, the controller will not be able to demonstrate to the supervisory authority that it has fulfilled its obligations.

Only a positive assessment in this regard allows for the entrustment of personal data to the processor.

The verification of the contractor should be repeated throughout the duration of the collaboration. Evaluating the guarantees provided by the processor is an ongoing process.

Why is this important?

Despite entrusting personal data to a processor, the controller remains responsible for it. A data breach on the processor's side also gives rise to the controller's liability.

Failure to verify or improper verification of the contractor, as well as an absence of a data processing agreement or its insufficient content, constitutes a violation of the GDPR and may result in administrative fines, reputational damage and loss of customer trust.

Read also:

The most common mistakes when concluding data processing agreements