TargetCW Privacy
Global Privacy & Data Protection Office


Worker, Vendor and Client Resource

GDPR and Vendor Compliance: Warning from Facebook


Knowing whether your vendors are compliant with GDPR has now become imperative for every business. With the scandal surrounding Facebook, GDPR is in the crosshairs of all organizations. While you might have ensured that your own business keeps the highest standards of data privacy, if you pass any information on your customers to another company you will want to know that it is also complying. Third-party vendor agreements must be updated in line with current GDPR guidelines, and all parties will bear responsibility for handing over customer details to a vendor that leaves itself open to a GDPR breach.

Because of the joint liability, you now need to know what stage your vendor has reached in its GDPR compliance. This article covers the aspects of GDPR that are changing for your vendor and gives you a guide to what to check when confirming vendor compliance. It will help you determine whether your vendor is placing you in a position that might breach customer data safety and leave you facing a potential liability for a future data breach.



Article 28 of the GDPR has added a new requirement which third-party vendor agreements must comply with, and Articles 32 and 36 also create a need for vendors to work in a transparent manner and demonstrate their compliance. An obligation has been put on vendors to assist you with compliance, including by notifying any supervisory authority or data subject of any breach of data. Vendors are now also responsible for offering assistance in completing an impact assessment of your data protection.

Vendors are required to either delete or return all of the personal data they hold on you or your customers once the services relating to the processing have been provided. They are also responsible for deleting any other copy of the information that they have within their computer system or printed out in hard copy form. Vendors also have to be prepared to prove that they are GDPR compliant, and you have the right to ask to review this proof at any time.


Updating Definitions

If your current agreement contains definitions that were based on the Directive, you will need to update them for the GDPR. This includes the revised definition of personal data, which now covers location data and online identifiers, and the reference to sensitive personal data such as genetic factors, biometric data or anything concerning a person’s sexual orientation. The terms ‘consent’ and ‘genetic data’ are added to the definitions that already existed under the Directive.

If you are a Privacy Shield certified entity receiving personal data from the EU, you need to ensure that your agreements comply with the onward transfer requirements, including the onus on third-party agents receiving personal data on an EU citizen to provide the same level of privacy protection as is defined by the Privacy Shield principles. If you did not certify to the Privacy Shield before September 2016, you have to make sure that your vendor agreements comply with the defined onward transfer requirements before you are allowed to certify.

Vendors will find that the significant increase in fines of 4% of a company’s annual global turnover or €20 million will require increased liability insurance. There has been no mention of how a fine is split between responsible parties, so it remains to be seen in what proportion a vendor will be held liable for information breached partly by them and partly by another company. Insurance policies will have to be reviewed to ensure that their cap is high enough to offer full coverage on any liability breach.

The GDPR will complicate the relationship you have with your vendors for a few reasons, not least of which is the joint liability held between the controller and the processor. Currently, data protection law is in force against data controllers, the companies that decide how data is processed, but the GDPR has extended that obligation of compliance to data processors as well, meaning any company that carries out data processing at the direction of a data controller. The GDPR establishes joint liability, which means that either side could expose the other, compliant side to fines or other types of sanctions. It is therefore necessary to treat the GDPR compliance of your vendor as being as important as your own.

The GDPR also clarifies the responsibility for compliance in data sourcing, creating an obligation to acquire personal data in a compliant manner, including by having the consumer’s consent. This applies to first-hand data held by a company as well as to other sources of data, such as third-party data brokers or dealer networks. Most likely this will create a need for firms to put in place a more detailed process for verifying source data compliance.

The GDPR also defines the need for companies to practice ‘data protection by design’, which means that data protection processes and principles should be built into all business transactions that involve the handling of any personal data, end to end, instead of being considered after a transaction.

Questions that you will want to ask your vendor include how their products or services will help you practice good data protection and ‘data protection by design’. This would include secure information exchange, access codes, breach detection and data leakage prevention.

Asking what the vendor’s GDPR compliance strategy is will help to clarify the matter quickly. Vendors should either already have this fully in place or be working steadfastly on producing it. Ask the vendor if they have assigned a data protection officer within their company and ask how they are gaining consent to hold or use data given by customers.

Ask how the GDPR is reflected in sales and service agreements, and remember that, due to the joint liability, you have the right to know.



The GDPR is complicating the way in which businesses handle information, but in doing so it is creating a much higher level of safety for personal data than ever previously existed. While it might not sound like something that you want to do, you have an onus of responsibility under the GDPR to ensure that your vendors are also compliant, otherwise you will face the joint liability with the vendor for any breaches.

It is now becoming more important than ever to go on the offense: create solid GDPR terms and stick to them, and make sure everyone you deal with in business also has well-rounded data protection procedures and sticks to them on an ongoing basis, with every customer, all the time. The only way to be sure that your company and your vendor are GDPR compliant is to take the time to consider the processes that have been put in place. If your vendor has not done anything to safeguard customer data and still is not planning to implement a change, you should consider making a change of vendor. If not, you could help vendors reach well-rounded compliance by suggesting that they appoint a data protection officer and by pointing out the aspects of GDPR that are of immediate importance.