Data protection with suppliers – What companies should bear in mind

Almost every company processes personal data every day. This data is collected, stored and processed. The GDPR contains uniform EU-wide rules that are urgently needed in light of growing globalization. As a result, the same rules apply to business partners, customers and suppliers at home and abroad.

Data on suppliers is also recorded and used, especially in purchasing. This includes contact details, order lists, bank details and the like. But which rules apply here exactly? How can companies best implement them? And conversely, what may suppliers do with your data? This article shows you what to look out for.

The most important facts in brief
  • Similar to dealing with customers, companies must also protect the personal data of their suppliers.
  • If the requirements of the GDPR are not met, companies face heavy fines: penalties of up to 20 million euros or 2% of annual turnover can be imposed.
  • Supplier audits are a tool to facilitate the selection and assessment of suppliers, which can improve and ensure data protection.
  • If suppliers also act as data processors, data processing agreements become mandatory. These govern what the supplier may do with the data. This contract binds the supplier, and compliance should be reviewed annually.

Data protection in purchasing: How to protect personal data

Personal data is almost always involved when goods and components are purchased and deliveries are managed. Since 2018, the General Data Protection Regulation (GDPR) has been in place to protect this data and dictate how certain information must be handled.

But regulations on data protection have not only existed since 2018. The GDPR standardizes national rules across Europe. However, there are exceptions to this, so-called opening clauses.

Standardization has the advantage, especially for multinational companies, that the same regulations regarding data protection apply to business partners, suppliers, and customers with whom they interact in other EU countries.

For example, you do not have to worry about whether you comply with the regulations of Spanish law (except for the opening clauses, which often concern labor law and medical data), but neither do you have to worry about whether your data is secure in Spain.

What is data protection?

Data protection primarily describes the security of personal data so that it is not accessible to anyone in public. There is a legal basis for processing this data. This means, on the one hand, that only the minimum amount of data required may be collected and, on the other hand, that the collected data must be protected from access by third parties.

In plain language, data protection requires:

  1. collecting only the absolutely necessary data (data minimization principle),
  2. storing this data only for the absolutely necessary time,
  3. taking the required security measures to protect the data in all data processes, and
  4. having a legal basis for the processing (contract, consent, legitimate interests, etc.).

To this end, there are some requirements that companies must meet, such as data protection impact assessments or processing records. We have already written several articles on these topics, which cover the respective subject in detail.

In addition, data subjects have the right to control their data (informational self-determination). For example, they can revoke their consent to the processing or request information about the stored data at any time.

What is personal data?

Personal data is any information that can be attributed to a specific natural person and provides information about that person. Information about religion, health, trade union membership, sexuality, ethnic origin, and political views is especially worthy of protection.

But other personal data is also subject to protection; in the case of suppliers, this includes in particular:

  • general personal data (names, dates of birth, telephone numbers, addresses),
  • identification numbers (social security number, tax number, identity card number),
  • bank data,
  • online data (locations, IP addresses, passwords),
  • physical characteristics (skin color, clothing size, gender),
  • property data (land register entries, vehicle license plates, etc.),
  • customer data (orders, account data, etc.),
  • documents (testimonials, deeds, certificates), and more.

What is “Privacy by Design”?

The “Privacy by Design” principle describes the obligation to develop products so that the end product collects and stores as little user data as possible. This plays a role in all devices that collect information about their users and should or must transmit data to the manufacturer. As a company, you should always ask yourself why you need the data and whether there are other means (with less personal data) to achieve the intended purpose.

If products are to be optimized through the use and collection of data, manufacturers usually require the consent of users. To protect customer privacy, manufacturers should store data so that it can no longer be attributed to a natural person, for example, by anonymizing or pseudonymizing it.

It may not be immediately apparent, but this also affects how purchasing handles orders from suppliers. After all, developers and purchasing must take care to select components, functionalities, and suppliers that take the “privacy by design” principle into account.

Who is responsible for data protection?

The company, not the supplier, is responsible for compliance with legal requirements and principles. This also applies to the installation of data-protecting components. Purchasers, in particular, must ensure that suppliers comply with the GDPR requirements – even if, at first, only on the basis of the suppliers' own statements. This applies to hardware as well as software components.

Purchasing should also check together with the development departments, production, and data protection officers whether the planned data collections are necessary or can be minimized. Remember that a large volume of data also means that data protection will subsequently be more complex and cost-intensive.

It should also always be checked whether other service providers, such as logistics companies and cloud services, meet the requirements of the GDPR. So before contracting them, purchasing and data protection officers should check that all regulations are complied with to protect the data subjects and the company under data protection law.

Obtain consent from suppliers

Personal data is diverse and collected by almost every company, especially in purchasing and when interacting with suppliers. Even a signature on an order is personal and, therefore, subject to data protection.

This data may, therefore, only be stored for the duration of the order and must then be deleted in accordance with the statutory retention periods.

Suppose data is to be collected, for example, to enter the supplier into the database or because it is necessary for access to the company premises. In that case, the supplier must be comprehensively informed about the data collection and instructed about their right of revocation. This is usually done by referring to or attaching the data protection information to the relevant contracts.

Those who do not comply with the legal obligations must expect heavy fines of up to 20 million euros or 2% of the annual turnover.

What obligations do companies have?

The list of obligations for companies is long. Explaining them all in detail would go too far here, but you will find detailed articles on the general duties on our website. Therefore, in the following, we will only deal with the most important points that play a role concerning suppliers.

Data collection and processing in relation to purchasing and supplies must also be recorded in the records of processing activities (ROPA). In addition to the action, the purpose and the relevant contact persons must also be specified.

Anyone who processes data on a large scale must, among other things, carry out a data protection impact assessment, i.e., a risk assessment that determines whether the processing is a suitable and proportionate means for its purpose. Only if the balance between the rights and freedoms of the data subjects and the economic interests of the company is in favor of the company may the processing legally be carried out.

Concerning all processing, technical and organizational measures must be established in the company structures that protect personal data in the best possible way and minimize or, if possible, even eliminate data processing risks. This also applies to data from suppliers and data that is transferred to suppliers. One hundred percent protection is never possible, but you should come close.

If a data protection breach does occur, suppliers must also be informed as quickly as possible if their data is affected. Companies should develop and integrate an emergency plan for this purpose, which can be retrieved immediately when needed. This also includes contacting the relevant supervisory authority.

Our team has already created thousands of ROPAs and will be happy to support you. Get started right away with the right emergency plan, and contact our team for a no-obligation initial consultation. With the Priverion data protection platform, you have everything under control at all times.

Privacy information for suppliers

One of the essential issues for companies and suppliers is the provision of privacy notices or information for processing the personal data of supplier contacts.

This is publicly accessible information, e.g., on the website, which can be accessed at any time to find information about data protection.

The following information can be found regularly on this page:

  1. Data controller: Here you will find the name, address, and contact details of the controller responsible for the processing of suppliers' information.
  2. Data protection officer: The contact details of the company's internal or external data protection officer can be found here. In some cases, the information overlaps with that of the data controller, but it should still be listed twice to create transparency.
  3. Collection and processing of personal data: This lists which categories of data are collected and stored, and from which data sources.
  4. Purpose of data processing and legal basis: Here you will find the purpose of the processing and the associated legal basis. For suppliers, data is usually collected to initiate, establish, and handle business relationships.
  5. Recipients of the data: The recipients are categorized and named here. If necessary, data is passed on to third parties such as customers, lawyers, subcontractors, notaries, authorities, audit companies, tax consultants, or similar during processing. In large companies, subsidiaries may pass on data to parent companies or vice versa, which must also be noted.
  6. Transfer to third countries: It must be stated whether and to which third countries data is transferred, and to whom exactly.
  7. Storage period: It must be described how long the data will be stored. A declaration that the data will only be stored for the legally permissible duration is sufficient here, i.e., only for the necessary period or for as long as retention obligations require.
  8. Rights of the data subjects: Inform your suppliers that they have the right to information, correction, deletion, restriction of processing, data portability, and objection.
  9. Homepage use: Refer to the general data protection information on the homepage.
  10. Information on the right of objection: It is also obligatory to provide information on the right of objection under Art. 21 GDPR.

Further information may be required or helpful in individual cases, such as amendment clauses, automated decision-making, or provision requirements.

What is a supplier audit?

A supplier audit is an instrument for evaluating and selecting new or existing suppliers. Here, the actual conditions of the suppliers are compared with the target conditions and divided into various categories such as management, personnel, technical equipment, etc.

This way, errors, gaps, and potential for improvement can be filtered out. The goal of a supplier audit is, therefore, usually:

  • Evaluation
  • Selection
  • Development
  • Optimization
  • Quality assurance

Caution: Data from the suppliers and the company must be used for evaluation. During a supplier audit, large amounts of data are collected, which may be subject to data protection.

If a service provider is used for such an audit, care must be taken in this case to ensure that a contract processing agreement (“CPA”) is drawn up to ensure that the external service provider complies with the requirements of the GDPR.

A supplier audit makes sense, also with regard to data protection. Such an audit also evaluates whether suppliers comply with the GDPR or whether there is potential for improvement here.

What data protection obligations do suppliers have?

As companies, suppliers naturally must also meet the legal obligations of the GDPR towards their customers. Thus, suppliers may also store, process, and use their customers’ data only if the GDPR permits this.

As always, this is only the case if the collection and processing of the data are necessary. Here, too, the data may only be stored for as long as the business relationship requires. So the question of the purpose and proportionality of the data collection also arises for suppliers.

Especially for suppliers, the question of data sharing often arises. In general, suppliers, like all companies, must be able to demonstrate a legal basis when they collect, store and process their data.

Beyond this, it should be noted that suppliers are subject to the same rights and obligations as all other companies. This is particularly relevant when EU borders are crossed. Customers should, therefore, also take care to work with suppliers who observe and comply with the principles of the GDPR.

In principle, suppliers have the same rights and obligations under the GDPR as all other data subjects and companies. All companies must take care to comply with the GDPR.

Some of the provisions of the GDPR are particularly important for business relationships with suppliers and should, therefore, receive special attention.
