Organizations can use this checklist to assess the GDPR compliance status of third-party vendors and partners with whom they share personal data, ensuring they adhere to the required standards.
Responsible Party: [YOUR NAME]
Date of Last Review: June 9, 2050
Next Scheduled Review: June 9, 2051
Identify all third-party vendors and partners that handle personal data.
Check vendor contracts for GDPR compliance clauses.
Assess the necessity and proportionality of sharing personal data with each vendor.
Ensure that a Data Processing Agreement (DPA) is in place with each vendor.
Verify that the DPA includes the mandatory terms of GDPR Article 28(3): processing only on documented instructions, confidentiality of personnel, appropriate security measures, subprocessor conditions, assistance with data subject requests and breach obligations, deletion or return of data at the end of the contract, and audit rights.
Confirm that the DPA clearly allocates each party's data protection responsibilities (controller versus processor).
Evaluate the security measures implemented by vendors to protect personal data.
Verify encryption of personal data in transit and at rest, access controls, and data breach response procedures.
Assess the physical and logical security of data storage facilities and systems.
Check if vendors transfer personal data internationally and evaluate their safeguards.
Ensure that any transfer of personal data outside the EEA relies on a valid GDPR Chapter V mechanism: an adequacy decision, Standard Contractual Clauses (SCCs), or Binding Corporate Rules (BCRs).
Review the chosen transfer mechanism and any supporting transfer impact assessment and supplementary measures.
Confirm that vendors have processes in place to fulfill data subject rights requests.
Ensure vendors can support GDPR response timelines for data subject requests (in general within one month of receipt, per Article 12(3)).
Review data subject rights: access, rectification, erasure, and portability procedures.
Verify that vendors have procedures to detect, report, and investigate data breaches.
Ensure vendors notify you of personal data breaches without undue delay after becoming aware of them (Article 33(2)), so that you can meet your own 72-hour notification deadline to the supervisory authority, and review their response procedures.
Limit vendors to collecting and processing only the necessary personal data.
Ensure vendors delete or anonymize unneeded personal data.
Review contractual data retention periods and ensure they comply with the GDPR storage limitation principle.
Assess vendors' practices for engaging subprocessors and ensure GDPR compliance.
Ensure vendors obtain your prior specific or general written authorisation before engaging subprocessors, and notify you of intended changes so that you can object (Article 28(2)).
Review subprocessor agreements for GDPR compliance.
Evaluate vendors' adherence to privacy by design and default principles.
Ensure vendors prioritize data protection and privacy in their products.
Review vendors' Data Protection Impact Assessments (DPIAs) for any high-risk processing they carry out on your behalf.
Ensure vendors train employees on GDPR and data protection.
Verify that vendors maintain records of employee training and awareness activities.
Assess vendor privacy notices, policies, and other communications for a credible, documented commitment to GDPR compliance.
Set up systems to audit and monitor vendor GDPR compliance.
Conduct regular assessments or audits of vendor practices and controls.
Review audit reports and address identified issues promptly.
By checking the box below, I acknowledge that I have reviewed and completed the GDPR compliance checklist for vendor management.
Completed by: [YOUR NAME]
Date: June 9, 2050