Almost every company processes personal data every day: it is collected, stored and processed. The GDPR provides uniform rules across the EU, which are urgently needed in view of growing globalization. As a result, the same rules apply to business partners, customers and suppliers at home and abroad.
Data is also collected and used from suppliers, especially in purchasing. This includes contact details, order lists, bank details and the like. But which rules apply here exactly? How can companies best implement them? And conversely, what may suppliers do with your data? This article shows you what to look out for.
Personal data is almost always involved when goods and components are purchased and deliveries are managed. Since May 2018, the General Data Protection Regulation (GDPR) has applied to protect this data and to prescribe how it must be handled.
Data protection rules did not, however, first appear in 2018. What the GDPR does is harmonize the previously national rules across Europe, with exceptions where the regulation leaves room for national law, the so-called opening clauses.
Standardization has the advantage, especially for multinational companies, that the same regulations regarding data protection apply to business partners, suppliers, and customers with whom they interact in other EU countries.
For example, you do not have to work through the details of Spanish law (except where opening clauses apply, which is often the case in labor law and for medical data), and you also do not have to worry that your data is less protected in Spain than at home.
Data protection primarily means keeping personal data secure so that it is not accessible to unauthorized persons or the public, and processing it only on a legal basis. In practice this means, on the one hand, that only the minimum amount of data required for the purpose may be collected (data minimization) and, on the other hand, that the collected data must be protected from access by third parties.
In plain language, data protection requires,
To this end, there are some requirements that companies must meet, such as data protection impact assessments or processing records. We have already written several articles on these topics, which cover the respective subject in detail.
In addition, data subjects have the right to control their data (informational self-determination). For example, they can withdraw consent to the processing at any time or request access to the data stored about them.
Personal data is any information that relates to an identified or identifiable natural person. Information about religion, health, trade union membership, sexuality, ethnic origin and political views belongs to the special categories of personal data (Art. 9 GDPR) and is subject to particularly strict protection.
But other personal data is also subject to protection; in the case of suppliers, this includes in particular:
What is “Privacy by Design”?
The “Privacy by Design” principle (in the GDPR: data protection by design and by default, Art. 25) describes the obligation to develop products so that the end product collects and stores as little user data as possible. This plays a role in every device that collects information about its users and that should or must transmit data to the manufacturer. As a company, you should always ask yourself why you need the data and whether there is another way (with less personal data) to achieve the intended purpose.
If products are to be optimized through the use and collection of data, manufacturers usually require the consent of users. To protect customer privacy, manufacturers should store data so that it can no longer be attributed to a natural person, for example by anonymizing or pseudonymizing it.
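As an added example (not code from the original article or from Priverion), the following Python block shows the difference between a pseudonym that really does require separate "additional information" to re-identify the person and a plain hash that only looks like one. The supplier contact records, the assumed purpose (order-volume statistics per contact) and the key-handling conventions are assumptions made for illustration; HMAC-SHA256 with a separately stored key is one common way to build a pseudonym, not the only one.

```python
"""Pseudonymising supplier contact data before it is reused for analysis.

Added example for this article; not code from the original page or from
Priverion. The records, the purpose and the key handling are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample records, as a purchasing system might hold them
# (fictional people and dummy IBANs, not real data).
SAMPLE_CONTACTS = [
    {"name": "Anna Beispiel", "email": "Anna.Beispiel@supplier-one.example",
     "iban": "DE00 0000 0000 0000 0000 00", "order_total": 1250.00},
    {"name": "Bernd Muster", "email": "b.muster@supplier-two.example",
     "iban": "DE00 1111 1111 1111 1111 11", "order_total": 480.50},
    {"name": "Anna Beispiel", "email": "anna.beispiel@supplier-one.example",
     "iban": "DE00 0000 0000 0000 0000 00", "order_total": 99.90},
]


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256 of an identifier.

    This is NOT adequate pseudonymisation: e-mail addresses have low entropy,
    so anyone holding a list of candidate addresses can recompute the hash
    and re-link the record (see dictionary_attack below).
    """
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256) for an identifier.

    Only whoever holds `key` can link the pseonym back to the person. Under
    Art. 4(5) GDPR the key is the 'additional information' and must be kept
    separately (e.g. a secret store the analytics team cannot read), never
    next to the pseudonymised data.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Reduce a contact record to what the assumed purpose needs.

    Assumed purpose: order-volume statistics per supplier contact. That needs
    a stable contact identifier and the amount, nothing else, so name and
    bank details are dropped entirely (data minimisation, Art. 5(1)(c)) and
    the e-mail address is replaced by a keyed pseudonym. The address is
    normalised first so that case variants map to the same contact.
    """
    return {
        "contact_id": pseudonymise(record["email"].strip().lower(), key),
        "order_total": record["order_total"],
    }


def dictionary_attack(pseudonym: str, candidates: list[str]) -> str | None:
    """Re-identification attempt without the key: try every candidate e-mail."""
    for candidate in candidates:
        if naive_hash(candidate) == pseudonym:
            return candidate
    return None


def new_pseudonymisation_key() -> bytes:
    """Generate a fresh 256-bit key; store it separately from the output."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    for rec in SAMPLE_CONTACTS:
        print(pseudonymise_record(rec, key))
```

Note that keyed pseudonymisation still yields personal data in the sense of the GDPR (Recital 26), because the key holder can re-identify the person; only data that can no longer be attributed to anyone by any reasonably likely means counts as anonymous and falls outside the regulation.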
It may not be immediately apparent, but this also affects how purchasing handles orders from suppliers. After all, developers and purchasing must take care to select components, functionalities and suppliers that take the “privacy by design” principle into account.
The company, not the supplier, is responsible for compliance with the legal requirements and principles. This also applies to the installation of data-protecting components. Purchasers in particular must make sure that suppliers comply with the GDPR requirements, at the very least by obtaining the supplier's written assurance to that effect. This applies to hardware as well as software components.
Purchasing should also check together with the development departments, production, and data protection officers whether the planned data collections are necessary or can be minimized. Remember that a large volume of data also means that data protection will subsequently be more complex and cost-intensive.
It should also always be checked whether other service providers, such as logistics companies and cloud services, meet the requirements of the GDPR. Before contracting them, purchasing and the data protection officer should therefore verify that all rules are complied with, in order to protect both the data subjects and the company under data protection law.
Personal data is diverse and is collected by almost every company, especially in purchasing and when interacting with suppliers. Even a signature on an order is personal data and therefore subject to data protection.
This data may therefore be stored only for as long as the order and the applicable statutory retention periods (for example under commercial and tax law) require, and must be deleted afterwards.
Suppose data is to be collected, for example to enter the supplier into the database or because it is necessary for access to the company premises. In that case, the supplier must be comprehensively informed about the data collection (Art. 13 GDPR) and, where the processing is based on consent, about the right to withdraw it. This is usually done by referring to or attaching the data protection information to the relevant contracts.
Those who do not comply with their legal obligations must expect heavy fines of up to 20 million euros or 4% of the worldwide annual turnover, whichever is higher (Art. 83 GDPR).
The list of obligations for companies is long. Explaining them all in detail would go too far here, but you will find detailed articles on the general duties on our website. Therefore, in the following, we will only deal with the most important points that play a role concerning suppliers.
Data collection and processing in connection with purchasing and supplies must also be recorded in the records of processing activities (ROPA, Art. 30 GDPR). In addition to the processing activity itself, its purpose, the categories of data and recipients, and the responsible contact persons must be specified.
Anyone whose processing is likely to result in a high risk for the data subjects, for example large-scale processing of special categories of data, must among other things carry out a data protection impact assessment (Art. 35 GDPR), i.e. a risk assessment that documents the purpose of the processing, whether the means are necessary and proportionate to it, and which safeguards reduce the risk. Where the processing is based on the company's legitimate interest, it is only lawful if the balance between the rights and freedoms of the data subjects and the company's interests comes out in the company's favor.
For all processing, technical and organizational measures (Art. 32 GDPR) must be established in the company structures that protect personal data as well as possible and minimize or, if possible, eliminate the risks of processing. This also applies to data received from suppliers and to data transferred to suppliers. One hundred percent protection is never possible, but you should come as close as you can.
If a data breach does occur, the competent supervisory authority must be notified within 72 hours, and affected suppliers must be informed without undue delay if the breach is likely to result in a high risk to their contacts. Companies should prepare an incident response plan for this purpose that can be retrieved immediately when the case arises, including the contact details of the supervisory authority.
Our team has already created thousands of ROPAs and will be happy to support you. Get started right away with the right emergency plan, and contact our team for a no-obligation initial consultation. With the Priverion data protection platform, you have everything under control at all times.
One of the essential issues for companies and suppliers is the provision of privacy notices, i.e. information on the processing of the personal data of supplier contacts.
This is publicly accessible information, e.g. on the website, which can be consulted at any time.
The following information is regularly found in such a notice:
Further information may be required or helpful in individual cases, for example amendment clauses, a note on automated decision-making, or whether the data subject is obliged to provide the data.
A supplier audit is an instrument for evaluating and selecting new or existing suppliers. Here, the actual conditions of the suppliers are compared with the target conditions and divided into various categories such as management, personnel, technical equipment, etc.
This way, errors, gaps, and potential for improvement can be filtered out. The goal of a supplier audit is, therefore, usually:
Caution: the evaluation draws on data from both the supplier and the company. During a supplier audit, large amounts of data are collected, some of which may be personal data subject to data protection.
If a service provider is engaged for such an audit, a data processing agreement (Art. 28 GDPR) must be concluded so that the external service provider is bound to the requirements of the GDPR.
A supplier audit makes sense, also with regard to data protection. Such an audit also evaluates whether suppliers comply with the GDPR or whether there is potential for improvement here.
As companies, suppliers naturally also meet the legal obligations of the GDPR towards their customers. Thus, suppliers may also store, process, and use their customers’ data only if the GDPR permits this.
As always, this is only the case if the collection and processing of the data are necessary. Here, too, the data may only be stored for as long as the business relationship requires. So the question of the purpose and proportionality of the data collection also arises for suppliers.
Especially for suppliers, the question of data sharing often arises. In general, suppliers, like all companies, must be able to demonstrate a legal basis when they collect, store and process their data.
Apart from that, suppliers are subject to the same rights and obligations as all other companies. This is particularly relevant when data crosses EU borders. Customers should therefore also take care to work with suppliers who observe and comply with the principles of the GDPR.
In principle, suppliers have the same rights and obligations under the GDPR as all other data subjects and companies. All companies must take care to comply with the GDPR.
Some of the provisions of the GDPR are particularly important for business relationships with suppliers and should, therefore, receive special attention.