EU GDPR: ensuring compliance when dealing with third parties or suppliers

Following the passing of the European Union’s (EU) GDPR, perhaps no other issue has exercised legal, IT and compliance departments more than how best to ensure businesses stay on the right side of the law while dealing with third parties or suppliers.

If your suppliers process personal data, they have to agree to standards set by the EU GDPR. Whilst other mechanisms are available, standard contractual clauses are probably the most common and most utilized when processing data outside the EU or the European Economic Area (EEA).

It is relatively straight forward when data flows within the EU/EEA or to another jurisdiction considered to be equivalent for data protection purposes, but practical issues arise when the personal data is processed on a regular basis and when the countries in question have less robust data protection laws in place. We have put together some key considerations to bear in mind as you think about how you manage your GDPR compliance when working with external suppliers.

Determine who is the controller and who is the processor

While it may seem simple to define who controls and who processes the data it is not always as clear as it seems. For example, there are instances when data is co-controlled by you and the local service provider. Like GDPR, your relationship with the supplier is constantly growing and changing. Therefore, it is very important to clearly set the scope and purpose of processing to determine whether your supplier may want to keep the data for purposes outside the scope of your engagement, and whether it would consequently make them a controller.

Understand what your suppliers are agreeing to

Suppliers from outside of the EU or EEA will want to negotiate certain terms. These areas of negotiation are likely to include liability provisions, time for reporting issues, making the information available for inspection and audits, as well as what technical and organizational measures must be put in place.

While this is perfectly natural, it is important to understand the reasons behind each suggested revision. Does it mean that they do not have in place what is required from them or is it a matter of having a more favorable engagement? The information that companies store and process, changes all the time, so it is vital to consider how each supplier is maintaining this data. Ensure you have a well-defined plan in place on how suppliers inform you about the way they collect or process your data – it will enable you to be the one in charge of managing the changes.

Set high IT security standards

Nearly every multinational will have their own set of IT security standards which are in accordance with EU GDPR – and can in some cases even be more stringent. However, if you have a local service provider in a remote and technologically challenged jurisdiction, it may be too costly for them to implement all the required IT security measures making it impossible to meet the EU GDPR requirements.

The cost of the internet itself or the time required to build a strong framework by the local supplier based in such a locale may be a sufficient argument to refuse further business. In this case you may need to consider engaging an international firm or make internal rearrangements to stop processing EU subjects’ data.

Talk to your suppliers about their obligations and cyber security insurance

Most suppliers around the world will have access to cyber security insurance and it is worth considering requesting that your suppliers take on this coverage. Many firms may actually be unaware of the cyber risks they face, so it may be worth speaking with them in person, visiting their offices to see how they actually handle data and to make sure they fully understand their obligations when signing the contract. It is important to do the actual assessment of each of your suppliers' environments.

Milda Valevice, In-house Legal Counsel, Vilnius
Citco GSGS Focus – Summer 2019