Data protection at vendors – What companies should keep in mind
Almost every company deals with personal data daily. These are collected, stored, and processed. The GDPR includes EU-uniform regulations, which are urgently needed due to growing globalization. Thus, the same rules apply to business partners, customers, and vendors at home and abroad.
Data from vendors is also collected and used, especially in purchasing. This includes contact data, order lists, bank details, and similar. But which regulations apply here precisely? How can companies best implement them? And conversely, what are vendors allowed to do with your data? This article shows you what you need to consider.
The most important facts in brief
- Similar to dealing with customers, companies must also protect the personal data of vendors.
- In case of non-compliance with the requirements of the GDPR, companies face high fines: up to 20 million euros or 2% of the annual turnover can be imposed as penalties.
- Vendor audits are a tool to facilitate the selection and assessment of vendors, which can improve and ensure data protection.
- If vendors are also processors, order processing agreements become mandatory. These regulate what the vendor is allowed to do with the data. This contract binds him, and compliance should be audited annually.
Data protection in purchasing: How to protect personal data
Personal data is usually always involved when goods and components are purchased and deliveries are managed. Since 2018, the General Data Protection Regulation (GDPR) has been in place to protect this data and dictate how certain information should be handled.
But regulations on data protection have not only existed since 2018. The GDPR standardizes national rules across Europe. However, there are exceptions to this, so-called opening clauses.
Standardization has the advantage, especially for multinational companies, that the same regulations regarding data protection apply to business partners, vendors, and customers with whom they interact in other EU countries.
For example, you do not have to bother about whether you comply with the regulations of Spanish law (except for the opening clauses, e.g., often in labor law and medical data), but neither do you have to worry about whether your data is secure in Spain.
What is data protection?
Data protection primarily describes the security of personal data so that it is not accessible to anyone in public. There is a legal basis for processing this data. This means, on the one hand, that only the minimum amount of data required may be collected and, on the other hand, that the collected data must be protected from access by third parties.
In plain language, data protection requires,
- to collect only the absolutely necessary data (data minimization principle),
- to store this data only for the absolutely necessary time,
- to take the required security measures to protect the data in all data processes.
- there must be a legal basis for the processing (contract, consent, legitimate interests, etc.).
To this end, there are some requirements that companies must meet, such as data protection impact assessments or processing records. We have already written several articles on these topics, which cover the respective subject in detail.
In addition, data subjects have the right to control their data (informational self-determination). For example, they can revoke their consent to the processing or request information about the stored data at any time.
What is personal data?
Personal data is any information that can be attributed to a specific natural person and provides information about that person. Information about religion, health, trade union membership, sexuality, ethnic origin, and political views is especially worthy of protection.
But other personal data is also subject to protection; in the case of vendors, this includes in particular:
- General personal data (names, dates of birth, telephone numbers, addresses),
- Identification numbers (social security number, tax number, identity card number),
- bank data,
- Online data (locations, IP addresses, passwords),
- Physical characteristics (skin color, clothing size, gender),
- Property data (land register entries, vehicle license plates, etc.)
- Customer data (orders, account data, etc.)
- Documents (testimonials, deeds, certificates) and more.
What is “Privacy by Design”?
The “Privacy by Design” principle describes the obligation to develop products so that the end product collects and stores as little user data as possible. This plays a role in all devices that collect information about their users and should or must transmit data to the manufacturer. As a company, you should always ask yourself why you need the data and whether there are other means (with less personal data) to achieve the intended purpose.
If products are to be optimized through the use and collection of data, manufacturers usually require the consent of users. To protect customer privacy, manufacturers should store data so that it can no longer be attributed to a natural person, for example, by anonymizing or pseudonymizing it.
It may not be immediately apparent, but this also affects how purchasing handles orders from vendors. After all, developers and purchasing must take care to select components, functionalities, and vendors that carry the “privacy by design” principle into account.
Who is responsible for data protection?
The company, not the vendor, is responsible for compliance with legal requirements and principles. This also applies to the installation of data-protecting components. Purchasers, in particular, must ensure that vendors comply with the GDPR requirements – even if only according to their statements. This applies to hardware but also software components.
Purchasing should also check together with the development departments, production, and data protection officers whether the planned data collections are necessary or can be minimized. Remember that a large volume of data also means that data protection will subsequently be more complex and cost-intensive.
It should also always be checked whether other service providers, such as logistics companies and cloud services, meet the requirements of the GDPR. So before contracting them, purchasing and data protection officers should check that all regulations are complied with to protect the data subjects and the company under data protection law.
Obtain consent from vendors
Personal data is diverse and collected by almost every company, especially in purchasing and when interacting with vendors. Even a signature on an order is personal and, therefore, subject to data protection.
This data may, therefore, only be stored for the duration of the order and must then be deleted in accordance with the statutory retention periods.
Suppose data is to be collected, for example, to enter the vendor into the database or because it is necessary for access to the company premises. In that case, the vendor must be comprehensively informed about the data collection and instructed about his right of revocation. This is usually done by referring to or attaching the data protection information to the relevant contracts.
Those who do not comply with the legal obligations must expect heavy fines of up to 20 million euros or 2% of the annual turnover.
What obligations do companies have?
The list of obligations for companies is long. Explaining them all in detail would go too far here, but you will find detailed articles on the general duties on our website. Therefore, in the following, we will only deal with the most important points that play a role concerning suppliers.
Data collection and processing in relation to purchasing and supplies must also be recorded in the records of processing activities (ROPA). In addition to the action, the purpose and the relevant contact persons must also be specified.
Anyone who processes data on a large scale must, among other things, carry out a data protection impact assessment, i.e., a risk assessment that determines whether there is a purpose-means relationship. Only if the balance between the rights and freedoms of the data subjects and the economic interests of the company is in favor of the company may this legally be performed.
Concerning all processing, technical and organizational measures must be established in the company structures that protect personal data in the best possible way and minimize or, if possible, even eliminate data processing risks. This also applies to data from vendors and data that is transferred to vendors. One hundred percent protection is never possible, but you should come close.
If a data protection breach does occur, vendors must also be informed as quickly as possible if their data is affected. Companies should develop and integrate an emergency plan for this purpose, which can be retrieved automatically in case of doubt. This also includes contacting the relevant supervisory authority.
Our team has already created thousands of ROPAs and will be happy to support you. Get started right away with the right emergency plan, and contact our team for a no-obligation initial consultation. With the Priverion data protection platform, you have everything under control at all times.
Privacy information for vendors
One of the essential issues for companies and vendors is the provision of privacy notices or information for processing the personal data of supplier contacts.
This is publicly accessible information, e.g., on the website, which can be accessed at any time to find information about data protection.
The following information can be found regularly on this page:
- Data controller: here should be the name, address, and contact details related to the processing of vendors and their information.
- Data protection officer: the company’s contact details or external data protection officer can be found here. In some cases, the information overlaps with that of the data controller, but it should still be listed twice to create transparency.
- Collection and processing of personal data: This lists which categories of data are collected and stored from which data sources.
- Purpose of data processing and legal basis: Here, you will find the purpose of the processing and the associated legal requirements. For vendors, data is usually collected to initiate, establish, and handle business relationships.
- Recipients of the data: The recipients will be categorized and named here. If necessary, data is passed on to third parties such as customers, lawyers, subcontractors, notaries, authorities, audit companies, tax consultants, or similar during processing. In large companies, subsidiaries may pass on data to parent companies or vice versa, which must also be noted.
- Transfer to third countries: it must be stated whether and to which third countries data is transferred and to whom exactly.
- Storage period: it must be described how long the data will be stored. A declaration that the data will only be stored for the legally permissible duration is sufficient here, i.e., only for the necessary period or if retention obligations require this.
- Rights of the data subjects: Inform your vendors that they have the right to information, correction, deletion, restriction of processing, data portability, and objection.
- Homepage use: refer to the general data protection information on the homepage.
- Information on the right of objection: it is also obligatory to provide information on the right of objection following Art. 21 GDPR.
Further information may be required or helpful in individual cases, such as amendment clauses, automated decision-making, or provision requirements.
What is a vendor audit?
A vendor audit is an instrument for evaluating and selecting new or existing vendors. Here, the actual conditions of the vendors are compared with the target conditions and divided into various categories such as management, personnel, technical equipment, etc.
This way, errors, gaps, and potential for improvement can be filtered out. The goal of a vendor audit is, therefore, usually:
- Evaluation
- Selection
- Development
- Optimization
- Quality assurance
Caution: Data from the vendors and the company must be used for evaluation. During a vendor audit, large amounts of data are collected, which may be subject to data protection.
If a service provider is used for such an audit, care must be taken in this case to ensure that a contract processing agreement (“CPA”) is drawn up to ensure that the external service provider complies with the requirements of the GDPR.
A vendor audit makes sense, also with regard to data protection. Such an audit also evaluates whether vendors comply with the GDPR or whether there is potential for improvement here.
What data protection obligations do vendors have?
As companies, vendors naturally also meet the legal obligations of the GDPR towards their customers. Thus, vendors may also store, process, and use their customers’ data only if the GDPR permits this.
As always, this is only the case if the collection and processing of the data are necessary. Here, too, the data may only be stored for as long as the business relationship requires. So the question of the purpose and proportionality of the data collection also arises for vendors.
Especially for vendors, the question of data sharing often arises. In general, vendors, like all companies, must be able to demonstrate a legal basis when they collect, store, and process their data.
Otherwise, it remains to be stated that vendors are subject to the same rights and obligations as all other companies. This is particularly relevant when EU borders are crossed. Customers should, therefore, also be careful to work with vendors who observe and comply with the principles of the GDPR.
Conclusion
In principle, vendors have the same rights and obligations under the GDPR as all other data subjects and companies. All companies must take care to comply with the GDPR.
Some of the provisions of the GDPR are particularly important for business relationships with vendors and should, therefore, receive special attention.