Supplier Data Processing Agreement
Since 2018, a new regulation has governed the collection and processing of personal data from EU citizens: the General Data Protection Regulation (GDPR). The EU GDPR is currently enforced, and the first fines have already been issued to well-known companies, such as Google, British Airways, Marriott International (110 Mln EUR), H&M (35 Mln EUR), TIM (27.8 Mln EUR), Austrian Post (18 Mln EUR), and more. This regulation replaces the 1995 Data Protection Directive and changes the way data is handled and processed in the EU. A Supplier Data Processing Agreement is an important measure to implement if you want to be compliant with the GDPR.
What should a Data Processing Agreement include?
A Supplier Data Processing Agreement should do the following:
- stipulate the rights and obligations of the controller and processor (henceforth referred to as the ‘Parties’) in the context of processing personal data on behalf of the controller.
- apply to all activities in which the processor’s employees, or any subcontractors that he/she has tasked, process the controller’s personal data.
- state that terms used in the contract are to be understood in accordance with their respective definitions in the EU General Data Protection Regulation (GDPR).
The nature and purpose of processing the data according to GDPR:
Processing the data consists of the following: collecting, compiling, organizing, sorting, saving, adapting or changing, separating, recalling, using, publishing or transferring, distributing or any other form of provision, replication or linking, restricting, deleting, or destroying data. The data is processed for the following purpose:
- Introduction
- Area of application
- Scope and duration of the data processing
- Scope
- Duration
- Nature and purpose of collecting, processing, or using the data:
- Nature and purpose of processing the data
- Type of data
- Categories of persons affected
- Obligations of the processor
- Technical and organizational measures
- Stipulations on correcting, deleting, and blocking data
- Subcontracting
- Rights and obligations of the Controller
- Notification obligations
- Instructions
- Ending the commissioned processing
- Remuneration
- Liability
- Contractual penalty
- Right to extraordinary termination
- Miscellaneous
- Appendix 1: Technical and organizational measures
- Appendix 2: Permitted subcontractors
- Appendix 3: Individuals authorized to issue instructions
How to perform an internal GDPR audit?
According to the EU GDPR, you are required to identify and minimize the data protection risks of your organization. The documentation of processing activities is a legal requirement under the EU GDPR, which your organization probably also needs to comply with. It is therefore highly important that you document your data processing activities; doing so also supports good data governance and helps you demonstrate your compliance with other aspects of the GDPR. This GDPR Data Audit Procedure Form explains those steps, lists all of the documentation, policies, and procedures you need to have in place, and gives an overview of how far along you are in your compliance journey. Keeping track of the steps taken helps you become GDPR compliant.
The purpose of an Internal Audit is to analyze the personal data protection system of the organization or company. During the audit, the auditors shall check compliance with the Data Protection Law and GDPR requirements. The auditors check the documents and procedures and look for evidence that the procedures are respected. In case of noncompliance or error, the auditors shall start corrective or preventive actions. One of the benefits of the audit is its recommendations for improvement.
Top management is responsible for developing and monitoring the Data Protection System. If the organization has a DPO (Data Protection Officer), he/she is responsible for the Internal Audit Procedure. The Internal Audit should be conducted at least once a year.
- The management appoints internal auditors and provides means for their training.
- Internal auditors are responsible for initiating corrective actions in case of noncompliance.
- The management approves the Audit Plan.
- Internal auditors are responsible for initiating corrective actions in case of noncompliance and for contributing to the Internal Audit Report.
Download this GDPR Supplier Data Processing Agreement if your organization collects personal data directly from EU citizens and you want a clear overview of how far you are compliant with the Privacy directive.