GDPR Vendor Management Compliance Checklist

Before engaging any processor, assess their technical and organizational measures, security certifications (ISO 27001, SOC 2), previous data breaches, and GDPR compliance capabilities. Document findings and approval decision.

Ensure all processors sign written DPAs before processing begins, containing all mandatory elements under Article 28(3): subject matter, duration, nature and purpose of processing, type of personal data, categories of data subjects, controller obligations and rights.

DPA must specify that processor will process personal data only on documented instructions from controller, including transfers to third countries. Include procedures for processor to inform controller if instructions violate GDPR or Member State law.

DPA must mandate that all processor employees, contractors, and agents authorized to process personal data are subject to legally binding confidentiality obligations or professional duty of confidentiality.

Document specific security measures processor must implement per Article 32, including encryption, pseudonymization, access controls, security testing frequency, and incident response procedures. Reference processor's security certifications.

Define whether controller provides specific or general authorization for sub-processors. For general authorization, require processor to inform controller of any sub-processor changes with minimum 30-day notice and right to object.

Require processors to provide and maintain an up-to-date list of all sub-processors, including name, location, processing activities, and applicable data protection measures. Review and approve each sub-processor per DPA terms.

Verify that processor imposes the same data protection obligations from your DPA onto sub-processors through written sub-processing agreements. Processor remains fully liable to controller for sub-processor performance.

DPA must require processor to assist controller in responding to data subject requests (access, rectification, erasure, portability) by appropriate technical and organizational measures, considering the nature of processing.

DPA must obligate processor to assist controller in ensuring Article 32 security compliance, conducting DPIAs under Article 35, and prior consultations with supervisory authorities under Article 36.

DPA must require processor to notify controller without undue delay and within specified timeframe (recommended: 24 hours) after becoming aware of a personal data breach, with sufficient detail to assess Article 33 notification obligations.

DPA must specify that processor deletes or returns all personal data to controller at controller's choice after end of provision of services, and deletes existing copies unless storage required by EU or Member State law.

DPA must grant controller and auditors the right to conduct audits and inspections of processor facilities and records. Specify audit frequency, notice period, scope, and processor cooperation obligations. Require annual third-party audit reports.

For processors located outside EEA or using non-EEA sub-processors, implement valid transfer mechanisms: adequacy decisions, Standard Contractual Clauses (SCCs), Binding Corporate Rules, or certification mechanisms. Conduct Transfer Impact Assessments.

Use the European Commission's 2021 SCCs (Decision 2021/914) for transfers to third countries without adequacy decisions. Complete all modules and annexes appropriate to controller-processor relationship. Conduct and document Transfer Impact Assessments.

Assess whether destination country laws enable public authority access that undermines SCC protections. Document assessment of legal framework, practical experience, and supplementary measures. Follow EDPB Recommendations 01/2020.

Document all processors and categories of recipients in Article 30 ROPA, including processor name, processing activities, location, transfer mechanisms if applicable, and DPA execution date.

Review each processor's continued compliance with DPA obligations annually. Collect SOC 2/ISO 27001 reports, review security incident reports, verify sub-processor list accuracy, and assess any material changes to processing activities.

Create documented procedures to terminate vendor access, verify data deletion per Article 28(3)(g), obtain written certification of deletion, and update ROPA. Test procedures with sample vendor quarterly.

Provide training to procurement, legal, and business teams on Article 28 requirements, DPA negotiation, vendor due diligence, and escalation procedures. Update training annually to reflect enforcement trends and regulatory guidance.