Vendor Privacy Due Diligence

Vendor Privacy Due Diligence

Overview

GDPR Article 28(1) requires controllers to use only processors providing "sufficient guarantees to implement appropriate technical and organisational measures" to meet GDPR requirements and protect data subject rights. This obligation means controllers must conduct thorough privacy due diligence before engaging any vendor that will process personal data. The European Data Protection Board (EDPB) Guidelines 07/2020 on controller and processor concepts reinforce that this assessment must be documented and proportionate to the risk involved.

At Summit Cloud Partners, the Vendor Privacy Due Diligence Program establishes a structured process for evaluating prospective vendors before any personal data processing begins.

Due Diligence Framework

Phase 1: Initial Screening

Before engaging in detailed evaluation, determine whether the vendor will process personal data at all.

Processing Determination Checklist:

Data Flow Preliminary Analysis:

Map the anticipated data flows before proceeding:

1. What categories of personal data will the vendor process?
2. How many data subjects are affected (approximate volume)?
3. Will special category data (Article 9) be involved?
4. Where will processing occur geographically?
5. Will the vendor engage sub-processors?

Phase 2: Privacy Risk Questionnaire

Summit Cloud Partners issues a standardized Privacy Risk Questionnaire to all prospective vendors scoring above the initial screening threshold.

Section A — Legal and Governance

Section B — Technical Security Controls

Section C — Data Handling Practices

Section D — Certifications and Attestations

Phase 3: Technical Controls Assessment

Beyond questionnaire responses, Summit Cloud Partners conducts independent verification of critical controls.

Assessment Methods:

1. Documentation Review: Examine vendor security policies, procedures, and architectural documentation
2. Certification Verification: Independently verify certification validity with issuing bodies
3. Technical Testing: Where contractually permitted, conduct or review penetration test results
4. Reference Checks: Contact existing clients of the vendor regarding privacy practices
5. Public Record Search: Review breach notification databases, regulatory actions, and news reports

Control Verification Matrix:

Phase 4: Data Flow Analysis

Document the complete data flow for the proposed processing arrangement.

Data Flow Documentation Requirements:

Data Flow: Summit Cloud Partners → [Vendor Name]

1. Data Categories:
   - [List each category of personal data]
   - Classification level per category (Public/Internal/Confidential/Restricted)

2. Data Subjects:
   - [List each category of data subject]
   - Approximate volume per category

3. Transfer Mechanism:
   - Method: [API / SFTP / Direct database access / etc.]
   - Encryption: [Protocol and strength]
   - Authentication: [Method]

4. Processing Locations:
   - Primary: [Country, City, Data Center]
   - Backup/DR: [Country, City, Data Center]
   - Support access: [Countries where staff may access data]

5. Sub-processors:
   - [List known sub-processors with location and function]

6. Data Retention:
   - Processing retention: [Duration]
   - Backup retention: [Duration]
   - Post-termination: [Return/deletion timeline]

7. Return Path:
   - Data subject requests forwarded via: [mechanism]
   - Response SLA: [timeframe]

Phase 5: Sufficiency Decision

The DPO or Privacy Team Lead reviews all collected evidence and issues a documented sufficiency decision.

Sufficiency Decision Criteria:

Decision Outcomes:

• Approved (weighted score 4.0+): Vendor provides sufficient guarantees. Proceed to DPA negotiation.
• Conditionally Approved (weighted score 3.0–3.9): Vendor requires supplementary measures or contractual safeguards before engagement. Document conditions.
• Rejected (weighted score below 3.0): Vendor does not provide sufficient guarantees. Document reasons. May be reconsidered after vendor remediation.

Documentation Requirements per Article 5(2) Accountability:

The due diligence file must contain:

1. Completed Privacy Risk Questionnaire with vendor responses
2. Evidence of verification activities performed
3. Data flow analysis documentation
4. Sufficiency scoring worksheet
5. Written decision with rationale
6. Approval signature from DPO or designated privacy lead
7. Date of assessment and scheduled reassessment date

Ongoing Obligations

Due diligence is not a one-time exercise. Article 28(1) imposes a continuing obligation to ensure processors maintain sufficient guarantees. Summit Cloud Partners conducts:

• Annual Reassessment: Full questionnaire refresh for high-risk vendors, abbreviated for standard risk
• Trigger-Based Review: Reassessment triggered by vendor breach, regulatory action, material service change, or certification lapse
• Continuous Monitoring: Automated alerts on vendor security posture changes via risk monitoring services

Key Regulatory References

• GDPR Article 28(1) — Controller obligation to use processors with sufficient guarantees
• GDPR Article 28(3) — Required DPA provisions
• GDPR Article 5(2) — Accountability principle
• GDPR Article 30(2) — Processor records of processing
• GDPR Article 35 — DPIA requirements
• EDPB Guidelines 07/2020 — Controller and processor concepts under GDPR
• EDPB Recommendations 01/2020 — Supplementary measures for international transfers