Checklist: Processor due diligence (data protection and cybersecurity) (EU)

Updated as of: 05 February 2025

Introduction

This checklist provides step-by-step due diligence guidance for in-house counsel and private practitioners when engaging service providers or suppliers who will also act as processors of personal data (processor), or to assist them when advising internal and external clients on these issues. The straightforward question-based format of the checklist can also be used by any other stakeholders (eg, members of the procurement team) when performing an initial high-level assessment of the data protection and cybersecurity compliance of a potential supplier.

The checklist addresses the following steps:

  1. Assess the details of the services and data processing
  2. Assess the supplier’s compliance with data protection and privacy requirements
  3. Assess the supplier’s cybersecurity compliance
  4. Assess whether any additional queries are necessary

The checklist is presented as a list of requirements that you can tick off as they are addressed. It is divided into the key areas to focus on when performing due diligence on potential processors. At the end of the document there are specific notes corresponding with each step in the checklist. Use the ‘Supplier response’ column to document any information received from the service provider or supplier.

For the purposes of this checklist, the controller is usually a customer looking to contract various services from a supplier who will also act as a processor of personal data. In this checklist the respective parties are generally referred to throughout as ‘customer’ and ‘supplier’.

Key definitions such as ‘controller’, ‘processor’, ‘data subject’, ‘personal data’, 'personal data breach' and ‘processing’ are further explained in How-to guide: Understanding key data protection definitions.

This checklist can be used in conjunction with section 3 of the following How-to guide: How to ensure compliance with the GDPR and Checklist: GDPR compliance self-assessment audit.

The EDPB has recently provided an opinion on certain obligations following from the reliance on processor(s) and sub-processor(s).

Step 1 – Assess the details of the services and data processing

No.   Customer action                                                                                   Supplier response
1.1   Obtain a description of the products, services or solutions and the data that is being processed
1.2   Check what the main data processing activities are that the supplier is undertaking
1.3   Check whether the supplier is a processor or a controller of this data
1.4   Check where the data is stored or recorded
1.5   Ensure you understand the terms of the contract with the supplier
1.6   Check who has access to the data and with whom the data is shared
1.7   Ensure you understand how the supplier intends to use personal data

Step 2 – Assess the supplier’s compliance with data protection and privacy requirements

No.   Customer action                                                                                   Supplier response
General compliance with data protection laws
2.1   Check how the supplier ensures compliance with applicable legislation and/or instructions (if the supplier is a processor) with respect to the protection and processing of personal privacy data, which may include electronic communications, marketing, etc
2.2   Check whether the supplier is registered with (or has notified) a relevant data protection regulator
Governance framework
2.3   Check whether the supplier has a data protection officer (DPO) or someone else who has been designated to take responsibility for data protection
2.4   Check the terms of the supplier’s data protection and related policies and procedures that are in place in their organisation
Data protection training
2.5   Check whether data protection training (including on applicable ePrivacy laws for any marketing services) is provided to relevant supplier staff
Investigations, complaints and requests
2.6   Check whether the supplier has been the subject of any complaints or enforcement action regarding their data protection or ePrivacy compliance
2.7   Check whether there have been any material breaches of contractual obligations relating to data protection or data security
2.8   Check whether the supplier has received any complaints from data subjects in respect of the handling of their personal data
2.9   Ask for details regarding the process for assisting or dealing with data subject requests
2.10  Ask the supplier for details on responding to requests for access to data
Data breaches
2.11  Check what processes, procedures and plans are in place to deal with a data breach
2.12  Check whether the supplier has experienced a security incident or data breach relating to personal data within their systems or control
2.13  Check whether the supplier’s staff and subcontractors handling personal data are subject to confidentiality obligations and confirm that they are made aware of the contractual obligations to the customer
Processors’ obligations
2.14  Check what controls the supplier has in place to ensure that the data is only processed on the customer’s (as the sole controller of the data) instructions
2.15  Check whether the supplier is proposing to subcontract any part of the work which involves the processing of personal data
2.16  Check whether any of the customer’s personal data will be processed outside of the European Economic Area (EEA) (including via remote access)
2.17  Check what assistance or support the supplier can give in respect of the customer’s obligations under the EU GDPR as a data controller

Step 3 – Assess the supplier’s cybersecurity compliance

No.   Customer action                                                                                   Supplier response
3.1   Check the supplier’s technical and organisational security measures for the protection of personal data
3.2   Check whether the supplier has an approved information security policy in place
3.3   Check whether the supplier has procedures for information security incident management that include detection, resolution and recovery
3.4   Check whether information security relevant roles are identified, and responsibilities assigned, within the supplier’s organisation
3.5   Check whether the supplier defines and implements a policy that addresses information security risks within the supplier’s relationships
3.6   Check whether the supplier defines and implements a policy that ensures that all functions have sufficient and appropriately qualified resources to manage the establishment, implementation and maintenance of information security
3.7   Check whether the supplier ensures that personnel with information security responsibilities are provided with suitable training
3.8   Check whether the supplier has a policy to control access to information and information processing facilities
3.9   Check whether the supplier has a policy to control the exchange of information via removable media
3.10  Check whether the supplier has a policy to manage the access rights of user accounts
3.11  Check whether the supplier has a policy – and deploys technical and organisational measures – to maintain the confidentiality of passwords and decryption keys
3.12  Check what measures the supplier has in place to prevent unauthorised access to their systems from outside their company
3.13  Check whether the supplier has a backup and disaster recovery policy and business continuity plans

Step 4 – Assess whether any additional queries are necessary

No.   Customer action                                                                                   Supplier response
4.1   Consider whether any additional queries are necessary to address risks specific to the relevant products, services or solutions that are being procured

This checklist is not exhaustive, and there may be other matters to consider in the controller-processor relationship depending on the specific nature of the proposed arrangements with the relevant supplier and the type of services being provided by that supplier.

Explanatory notes

Legal framework

In this checklist, references are made to ePrivacy law which is derived from the European Union’s Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (the ePrivacy Directive). The EU is in the process of replacing the ePrivacy Directive with a new ePrivacy regulation. However, the final wording of the new ePrivacy regulation has yet to be agreed. The EU’s intention was that this new regulation would be implemented in 2018, the same year that the European Union’s General Data Protection Regulation (EU GDPR) was introduced. Until this proposed ePrivacy regulation becomes law, an uncomfortable and often confusing relationship between the EU GDPR and the ePrivacy Directive will remain, particularly in the areas of electronic marketing and cookies.

Unlike the EU GDPR, which is a regulation (a binding legislative act that is applied in its entirety across the EU), the ePrivacy law is a directive, a legislative act that sets out a goal that all EU countries must achieve; however, it is up to the individual EU member states to devise their own laws on how to reach these goals. The ePrivacy Directive has been implemented by legislation passed by each EU member state. Since the implementing laws on ePrivacy vary at EU member state level, the relevant ePrivacy compliance requirements are difficult to standardise. As a result, analysis of any particular EU member state ePrivacy law implementing the ePrivacy Directive does not form part of this checklist.

The EU GDPR applies to all organisations’ marketing practices that involve personal data, while the ePrivacy Directive applies on top of the EU GDPR when organisations are marketing over electronic channels. The EU GDPR did not replace the ePrivacy Directive (although it has amended the definition of ‘consent’ to be used for the purposes of complying with the ePrivacy Directive). Suppliers will need to comply with both the EU GDPR and the ePrivacy Directive insofar as it relates to their marketing and data processing activities.

Step 1 – Assess the details of the services and data processing

Step 1 of the checklist is designed to place the proposed agreement and your due diligence in context by drawing out the key aspects of the contractual relationship between the customer as controller and the supplier as processor. This will include what services the supplier is providing, what type of data they are processing and how they are processing it as well as the contractual framework under which the services will be provided, and where the data will be processed.

The purpose of Step 1 is for the customer to understand the background to the arrangements that they are assessing. For example, if the customer intends to engage a cloud-services provider, they will first need to understand what services or products the provider is offering, what kind of personal data they process, how and where they process it, how and where they store the personal data and what the contractual terms are (as this may have an impact on data retention, deletion, etc). Background setting is important in order to contextualise the rest of the assessment.

1.1 Obtain a description of the products, services or solutions and the data that is being processed

The description of the products, services or solutions and the data that is being processed should include the following:

  • key processing activities of the supplier;
  • the types and estimated volumes of data being processed;
  • categories of data subjects to whom the processing relates; and
  • whether special categories of personal data or data about criminal offences or convictions are being processed.

1.2 Check what the main data processing activities are that the supplier is undertaking

Examples of the types of data processing activities that a supplier might undertake include collecting data, profiling, automated decision-making, analytics, research and development, customer insight, merging, linking datasets, enriching data, and anonymising data, etc.

1.3 Check whether the supplier is a processor or controller of this data

In checking whether the supplier is a processor or controller, ask the supplier to provide confirmation for each data type and activity listed.

Please note that this checklist is mainly designed to help customers entering into data processing agreements with suppliers who act as processors; however, it is important to clarify with any supplier whether they envisage acting as a processor with respect to all personal data that they process as part of their relationship with the customer or whether, in relation to some of the data, they envisage acting as a controller. Consider including contractual terms on the processing of the personal data even where, for that part of the processing, the supplier is a separate independent controller or a joint controller.

See further Checklist: Assessing whether an organisation is a controller or processor under the GDPR.

1.4 Check where the data is stored or recorded

If the data is stored in a cloud-based facility, check where the servers are located and who operates them. The customer should also obtain information about how and where the data is backed up and (if relevant) what transfer mechanism is used to comply with the EU GDPR.

1.5 Ensure you understand the terms of the contract with the supplier

Check what the term of the contract is, how long the data is retained by the supplier, and what end-of-contract or services support is provided regarding the return or secure deletion of the customer’s data.

1.6 Check who has access to the data and with whom the data is shared

Check who has access to the data and who the data is shared with – for example, the supplier’s staff, offshore support teams, other group companies of the supplier or other third parties such as sub-processors.

1.7 Ensure you understand how the supplier intends to use personal data

For the customer to comply with their obligations as a controller under relevant data protection laws, they will need to fully understand how the suppliers (as processors) they contract with intend to use (or treat) any personal data they share with them.

In particular, check whether the supplier does any research and development/product or service improvement, etc, using customer data (whether personally identifiable or anonymised) and also check whether the supplier sells or commercialises customer data in any way (whether personally identifiable or anonymised).

This step is designed to dig deeper to understand whether the supplier intends to use shared personal data for any other purposes which may not be immediately apparent from the responses to the other queries above.

Step 2 – Assess the supplier’s compliance with data protection and privacy requirements

Step 2 of the due diligence process focuses on obtaining information about the supplier’s compliance with data protection and privacy requirements. The customer needs to investigate what technical and organisational security measures the supplier has in place to comply with relevant data protection requirements (ie, policies, procedures, compliance documentation, the appointment of a Data Protection Officer (DPO), registration with, or notification to a relevant data protection authority in their jurisdiction, EU GDPR article 28 requirements (see below), processes in place to address security incidents, internal training, processes for investigations and enforcement actions, etc).

Article 28(1), EU GDPR, requires that a controller of personal data shall only engage processors to process personal data on their behalf if those processors give:

'sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject'.

For these purposes, it is important that the customer performs adequate due diligence on any suppliers that it wishes to engage to process personal data on its behalf (as a processor). This is an ongoing requirement and therefore should be repeated at regular intervals and in particular as processing operations evolve.

This checklist is intended to address this requirement and includes some additional questions that go beyond this, such as in relation to cybersecurity, cloud computing and marketing services (to the extent relevant).

Other key parts of article 28, EU GDPR, are focused on the mandatory terms that need to be included in contracts by controllers when they engage processors to act on their behalf, as well as other aspects related to the appointment by such processors of sub-processors.

See further How-to guide: How to ensure compliance with the GDPR.

2.1 Check how the supplier ensures compliance with applicable legislation and/or instructions (if the supplier is a processor) with respect to the protection and processing of personal privacy data, which may include electronic communications, marketing, etc

Verify whether and how the supplier ensures compliance with relevant data protection laws (including the EU GDPR, the ePrivacy Directive (as implemented by EU member states) and associated EU member state data protection laws), as applicable depending on the nature and jurisdictional scope of the products, services or solutions.

Confirm how the supplier can support the customer in complying with the customer’s obligations under data protection laws including, but not limited to, responding to data subject requests, notifying the customer if they reasonably believe an instruction may not comply with applicable law, giving all the relevant information if a personal data breach occurs, etc.

2.2 Check whether the supplier is registered with (or has notified) a relevant data protection regulator

The customer should check if the supplier is registered with, or has notified, a relevant data protection regulator, and confirm their registration number (if applicable). If the supplier is not registered, ask them to explain why this is not required or not relevant to the products, services or solutions they are providing. In some cases, registration with a data protection regulator may not be necessary; however, the supplier should explain why this is the case.

2.3-2.4 Governance framework

As the customer has an explicit obligation under EU GDPR article 28 to choose an appropriate processor, the customer should take steps to understand the supplier’s governance framework. This means, for example:

  • verifying if the supplier has named a DPO or other person who has been tasked with taking responsibility for the data protection and privacy aspects of the supplier’s organisation;
  • checking the terms of the supplier’s data protection and related policies and procedures that are in place in their organisation, how compliance with these policies and procedures is monitored and how frequently they are reviewed;
  • checking for the supplier’s adherence to any recognised industry accreditations, standards or approved codes of conduct; and
  • uncovering any instances of prior non-compliance with data protection-related requirements, such as data breaches, contractual breaches or regulatory investigations (see ‘Investigations, complaints and requests’ (2.6-2.10) and ‘Data breaches’ (2.11-2.13) below).

This part of the checklist is intended to ensure that the customer verifies whether the supplier provides sufficient guarantees that they have implemented appropriate technical and organisational measures to ensure their processing meets EU GDPR requirements and standards. A supplier who is not able to provide compelling information in this section may have an immature data protection programme in place and their suitability should therefore be questioned.

2.5 Check whether data protection training (including on applicable ePrivacy rules for any marketing services) is provided to relevant supplier staff

While there is no specific EU GDPR obligation that mandates controllers to check the levels of training offered by processor organisations, best practice indicates that a controller should assess the level of data protection and privacy training that a processor provides its staff as part of ascertaining whether the supplier provides ‘sufficient guarantees’ as referred to in the notes to Step 2 – Assess supplier’s compliance with data protection and privacy requirements, above.

Untrained or improperly trained staff can put the processor (and by extension the controller) at risk of infringing the EU GDPR, for example, due to mishandling of personal data, mishandling of requests from data subjects, or data breaches caused by human error.

If data protection training is provided, ask the supplier to provide details (including on the frequency, format and content of training).

2.6-2.10 Investigations, complaints and requests

As the customer has an explicit obligation under EU GDPR article 28 to choose an appropriate processor, the customer should take steps to understand if the supplier has been subject to any relatively recent complaints, investigations, or requests for access to data. The queries should cover any investigations, notices or enforcement from a relevant supervisory authority, any material breaches of contractual obligations with other customers relating to data protection or data security, and complaints from data subjects in respect of handling their personal data.

See also below for further details on certain steps in respect of investigations, complaints and requests.

2.6 Check whether the supplier has been the subject of any complaints or enforcement action regarding their data protection or ePrivacy compliance

Check whether the supplier has been investigated or received any complaints, notices or enforcement action from the relevant data protection or industry regulator in their jurisdiction regarding their data protection or ePrivacy compliance. If they have, ask the supplier to provide details (including the issues, outcomes and actions taken to avoid any repeat infringements).

2.7 Check whether there have been any material breaches of contractual obligations relating to data protection or data security

Check whether there have been any material breaches of the supplier’s contractual obligations to their customers relating to data protection or data security in the last three years. If so, ask the supplier to provide details (on a no-names basis and include any action taken to avoid any repeat breaches).

2.8 Check whether the supplier has received any complaints from data subjects in respect of the handling of their personal data

Check whether the supplier has received any complaints from data subjects in respect of the handling of their personal data in the last 12 months. If so, ask the supplier to provide further information.

2.9 Ask for details regarding the process for assisting or dealing with data subject requests

The customer should ask the supplier to provide details regarding the systems, processes and procedures they have in place to assist or deal with a data subject’s requests involving the customer’s personal data. How quickly is the supplier able to assist or respond?

2.10 Ask the supplier for details on responding to requests for access to data

Ask the supplier to provide details and examples of how they would deal with or challenge requests from law enforcement or government authorities for access to data (eg, under section 702 of the US Foreign Intelligence Surveillance Act (FISA) and similar executive powers and laws).

2.11-2.13 Data breaches

Under the EU GDPR, processors have a number of independent statutory obligations relating to security and notification of personal data breaches to the controller. A customer (as controller) should ensure that any due diligence they perform on a supplier (as processor) includes establishing the supplier’s process for notification of personal data breaches to the customer. Specifically, if a processor becomes aware of a personal data breach, they must notify the relevant controller without undue delay (although the customer will often want to impose a specific timeframe on this in the processing contract). Note that a controller has 72 hours to notify the relevant supervisory authority from when it becomes aware of certain personal data breaches.

See further How-to guide: How to reduce the risk of a GDPR data breach.

A processor must also assist the controller in complying with its obligations regarding personal data breaches. During due diligence, the customer would want to establish the extent of the support that it can expect to receive from the supplier.

See also below for further details on certain steps with respect to data breaches.

2.11 Check what processes, procedures and plans are in place to deal with a data breach

The customer should check what processes, procedures and plans the supplier has in place to deal with a data breach. How quickly will the supplier notify the customer if a breach occurs? What information will the supplier include in the notification?

2.12 Check whether the supplier has experienced a security incident or data breach relating to personal data within their systems or control

Check whether the supplier has experienced a security incident or data breach relating to personal data within their systems or control in the last three years. Ask whether the supplier has reported a security incident or data breach to a customer/controller and/or relevant supervisory authority. If the answer is yes, ask the supplier to provide details.

2.13 Check whether the supplier’s staff and subcontractors handling personal data are subject to confidentiality obligations and confirm that they are made aware of the contractual obligations to the customer

Check whether all the supplier’s staff and subcontractors handling personal data are subjected to contractual obligations of confidentiality and made aware of the supplier’s data protection obligations under their contract with the customer.

2.14-2.17 Processors’ obligations

Under the EU GDPR, processors have a number of direct statutory obligations in terms of how they engage and interact with their controllers (some of these are also reflected in the mandatory terms under article 28(3), EU GDPR, which are to be included in the contract when a controller appoints a processor). A controller (the customer) should ensure that any due diligence they perform on a supplier includes the provisions listed below.

  • Controller’s instructions – a processor can only process the personal data on instructions from a controller (unless otherwise required by law). To do otherwise may render that processor a controller (article 28(10), EU GDPR).
  • Sub-processors – a processor must not engage another processor (ie, a sub-processor) without the controller’s prior specific or general written authorisation. If authorisation is given, the processor must put in place a contract with the sub-processor with terms that offer an equivalent level of protection for the personal data as those in the contract between the processor and the controller (articles 28(2) and (4), EU GDPR).
  • Security – a processor must implement appropriate technical and organisational measures to ensure the security of personal data, including protecting against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access (article 32, EU GDPR).
  • Notification of potential data protection infringements – a processor must notify the controller immediately if any of the controller’s instructions would lead to a breach of the EU GDPR or local data protection laws (article 33(2), EU GDPR).
  • International transfers – the EU GDPR includes a prohibition on transferring personal data otherwise than in accordance with the provisions of the EU GDPR, which applies equally to controllers and processors. As a result, a processor must ensure that any transfer outside the EEA is authorised by the controller and complies with the EU GDPR’s transfer provisions (chapter V, EU GDPR).
  • Data breaches – this obligation has been covered in the data breaches section above at 2.11-2.13 (articles 32 and 33(2), EU GDPR).

See also below particular points to note with respect to processors’ obligations.

2.15 Check whether the supplier is proposing to subcontract any part of the work which involves the processing of personal data

Check whether the supplier is proposing to subcontract any part of the work (involving the processing of personal data) that they will carry out on the customer’s behalf. If so, check the following:

  • whether the supplier will obtain the customer’s prior consent or written authorisation for the use of sub-processors and allow the customer to object to any replacements;
  • what due diligence the supplier will carry out on sub-processors;
  • whether the supplier will have a contract in place with its sub-processors that includes data processing obligations and whether those clauses will be substantially the same as the clauses in the contract they have in place with the customer;
  • whether the supplier can provide a list of proposed sub-processors that they intend to use initially for the customer’s pre-approval; and
  • whether the supplier can provide the customer with copies of the relevant subcontracts or data processing agreements on request.

2.16 Check whether any of the customer’s personal data will be processed outside of the EEA (including via remote access)

Check whether the supplier, or any third parties acting on the supplier’s behalf (eg, affiliates, group companies, etc), will be processing any of the customer’s personal data outside of the EEA (including via remote access). If so, the supplier should confirm:

  • locations and data flows; and
  • how the supplier will fulfil the obligation of adequate protection in respect of the data to be transferred (eg, standard contractual clauses or binding corporate rules, transfer impact assessments, supplementary measures such as encryption, anonymisation or split processing, which will be used to mitigate the risks of access to personal data by foreign government authorities).

2.17 Check what assistance or support the supplier can give in respect of the customer’s obligations under the GDPR as a data controller

Check what assistance or support the supplier can give in respect of the customer’s obligations under the EU GDPR as a data controller regarding:

  • security;
  • data protection impact assessments and prior consultation with regulators; and/or
  • provision of information demonstrating both parties’ compliance with the GDPR (including audit rights).

Step 3 – Assess the supplier’s cybersecurity compliance

Step 3 of the due diligence checklist will focus on the supplier’s technical and organisational security measures for ensuring that personal data is kept secure in accordance with the requirements under the EU GDPR. The questions will cover, for example, information security policies, security incident management, disaster recovery policy, personnel training and technical and organisational measures.

The customer should be mindful of the nature of the services the supplier will be providing, what role data plays in the provision of these services, the quantity of data handled by the supplier and the supplier’s specific characteristics. The checklist may need to be adapted depending on each transaction’s specific features, the supplier’s level of technological sophistication, and the amount and sensitivity of the data that the supplier will be processing for the customer.

If the supplier is found to be not compliant or inadequate in terms of the cybersecurity measures it has implemented, the customer may either opt to not engage with this supplier or alternatively may require the supplier to improve or supplement the cybersecurity measures that they currently implement, or apply any other measure the customer considers appropriate for their relationship with the supplier. This will be a commercial matter for the customer and will depend on several factors, including their risk appetite, maturity of their procurement processes and market opportunities.

If the customer is a financial entity and engaging an ICT service provider, there may be a need to comply with additional requirements under DORA.

See also below for further details on certain steps with respect to cybersecurity compliance.

3.1 Check the supplier’s technical and organisational security measures for personal data

Check the details of the supplier’s technical and organisational security measures for ensuring that any personal data they process is kept secure in accordance with the requirements under the EU GDPR, as relevant to the products, services or solutions that they provide.

Ask the supplier to provide a list of any information security certifications, accreditations and registrations it holds (eg, ISO/IEC 27001 certification, SOC 2 or SOC 3 reports, or PCI DSS attestation) and copies of any testing reports, such as penetration testing reports. When reviewing these, check that the scope actually covers the services and systems that will process the customer’s data (for ISO/IEC 27001, ask for the certificate scope statement and Statement of Applicability; for SOC 2, prefer a Type II report, which covers operating effectiveness over a period, rather than a point-in-time Type I), that the reports are recent, and that any findings or exceptions have been remediated.

3.10 Check whether the supplier has a policy to manage the access rights of user accounts

Check whether the supplier has a policy to manage the access rights of staff and contractor user accounts that ensures access to data on a ‘need-to-know’ basis, including role-based allocation of access, prompt adjustment of rights when people change role, deactivation as part of offboarding procedures, and periodic reviews of who holds access to the customer’s data.
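The following is an added illustration (not part of the checklist, and not any supplier’s actual tooling) of the kind of evidence a customer can ask for in support of item 3.10: a reconciliation of the supplier’s active user accounts against its HR leaver records and a role-to-entitlement matrix, flagging leavers whose accounts are still enabled, accounts holding entitlements their role does not need, and dormant accounts. All account, leaver and role data below is constructed for the example; the role names and entitlement labels are assumptions.

```python
"""Access-review reconciliation for a processor's user accounts.

Added example, not code from the original checklist. Every account, leaver and
role used here is constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    role: str
    entitlements: FrozenSet[str]  # data sets or systems the account can reach
    last_login: Optional[date]    # None means the account has never logged in


@dataclass(frozen=True)
class Leaver:
    user_id: str
    leave_date: date  # last working day recorded by HR


# Constructed 'need-to-know' matrix: the entitlements each role legitimately needs.
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "support-agent": frozenset({"ticketing", "customer-contact"}),
    "dba": frozenset({"ticketing", "customer-contact", "prod-db"}),
    "contractor-dev": frozenset({"staging-db"}),
}

# Review date; the checklist's own 'updated as of' date is reused here.
AS_OF = date(2025, 2, 5)

# Constructed sample data.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("alice", True, "support-agent", frozenset({"ticketing", "customer-contact"}), date(2025, 2, 4)),
    Account("bob", True, "support-agent", frozenset({"ticketing", "customer-contact", "prod-db"}), date(2025, 1, 30)),
    Account("carol", True, "dba", frozenset({"ticketing", "prod-db"}), date(2024, 9, 1)),
    Account("dave", False, "contractor-dev", frozenset({"staging-db"}), date(2024, 12, 20)),
    Account("erin", True, "contractor-dev", frozenset({"staging-db"}), None),
]
SAMPLE_LEAVERS: List[Leaver] = [
    Leaver("dave", date(2024, 12, 20)),  # correctly disabled on leaving
    Leaver("carol", date(2025, 1, 15)),  # left three weeks ago, account still enabled
    Leaver("alice", date(2025, 2, 5)),   # leaves today, still inside the grace period
]


def find_stale_leavers(accounts: List[Account], leavers: List[Leaver],
                       as_of: date, grace_days: int = 1) -> List[str]:
    """Leavers whose account is still enabled after leave date + grace period."""
    by_id = {a.user_id: a for a in accounts}
    stale = []
    for lv in leavers:
        acct = by_id.get(lv.user_id)
        if acct and acct.enabled and as_of > lv.leave_date + timedelta(days=grace_days):
            stale.append(lv.user_id)
    return sorted(stale)


def find_excess_entitlements(accounts: List[Account],
                             role_matrix: Dict[str, FrozenSet[str]]) -> Dict[str, List[str]]:
    """Enabled accounts holding entitlements their role does not need.

    An unknown role is treated as needing nothing, so every entitlement is flagged.
    """
    excess = {}
    for a in accounts:
        if not a.enabled:
            continue
        extra = a.entitlements - role_matrix.get(a.role, frozenset())
        if extra:
            excess[a.user_id] = sorted(extra)
    return excess


def find_dormant_accounts(accounts: List[Account], as_of: date,
                          max_idle_days: int = 90) -> List[str]:
    """Enabled accounts unused for longer than max_idle_days, or never used at all."""
    dormant = []
    for a in accounts:
        if a.enabled and (a.last_login is None or (as_of - a.last_login).days > max_idle_days):
            dormant.append(a.user_id)
    return sorted(dormant)


def access_review(accounts: List[Account], leavers: List[Leaver], as_of: date,
                  role_matrix: Dict[str, FrozenSet[str]] = ROLE_ENTITLEMENTS) -> Dict[str, object]:
    """Run all three checks and return the findings as one report."""
    return {
        "stale_leavers": find_stale_leavers(accounts, leavers, as_of),
        "excess_entitlements": find_excess_entitlements(accounts, role_matrix),
        "dormant_accounts": find_dormant_accounts(accounts, as_of),
    }


if __name__ == "__main__":
    for finding, detail in access_review(SAMPLE_ACCOUNTS, SAMPLE_LEAVERS, AS_OF).items():
        print(f"{finding}: {detail}")
```

On the constructed data the review flags carol (a leaver still enabled), bob (a support agent holding production database access) and carol and erin as dormant. A supplier that runs this kind of reconciliation regularly, and can show the output and the resulting deactivations, is giving better evidence for item 3.10 than a policy document alone.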

3.12 Check what measures the supplier has in place to prevent unauthorised access to their systems from outside their company

Check what measures the supplier has in place to prevent unauthorised access to its systems from outside the company, including firewalls and network segregation, anti-malware and endpoint detection on user devices and servers, email filtering and anti-phishing controls, multi-factor authentication for remote and administrative access, and timely patching of internet-facing systems.

3.13 Check whether the supplier has a backup and disaster recovery policy and business continuity plans

Check whether the supplier has a backup and disaster recovery policy and business continuity plans. Either request a copy of the policy from the supplier or request that the supplier provides comprehensive details, in particular how often backups are taken, whether restores are actually tested and how recently, whether at least one copy is kept offline or otherwise protected from being altered by an attacker who has compromised the live environment (relevant to ransomware), and the recovery time and recovery point objectives for the services the customer will rely on.

Step 4 – Assess whether any additional queries are necessary

4.1 Consider whether any additional queries are necessary to address risks specific to the relevant products, services or solutions that are being procured

If the supplier is offering specialised services (eg, marketing to consumers, cloud hosting, outsourcing, etc), the customer may need to include a set of specific queries to cover the particularities of that service offering. For example, if the customer is engaging a supplier as a marketing partner, it may need to consider queries related to EU GDPR and ePrivacy law compliance regarding the sale of data lists (eg, SMS, email, etc), marketing campaigns and user marketing preferences. Some of these enquiries may include the following:

  • check that the supplier’s processes and procedures for the sale of any lists of personal data for SMS or email marketing are EU GDPR and ePrivacy law compliant; and
  • check that the supplier’s processes and procedures in respect of any SMS or email marketing campaigns are compliant with the EU GDPR and ePrivacy law.

Other questions may be relevant and necessary if the supplier operates in a different sector.

Additional resources

Related Lexology Pro content

How-to guides:

Understanding key data protection definitions 
How to comply with data processing principles under the GDPR 
How to ensure compliance with the GDPR 
How to establish a valid lawful basis for processing personal data under the GDPR 
How to transfer personal data lawfully outside the European Economic Area 
How to reduce the risk of a GDPR data breach 
How to deal with a GDPR data breach 
How to deal with a supervisory authority dawn raid 

Checklists:

GDPR compliance self-assessment audit 
Assessing whether an organisation is a controller or processor under the GDPR 
Lawful processing of personal data under the GDPR 
Obtaining and managing consent under the GDPR 
Making an international transfer of personal data under the GDPR 
Data subject access rights under the GDPR 
What to include in your organisation’s privacy notice 
When and how to appoint a data protection officer 
Complying with cookie requirements under the ePrivacy Directive and the GDPR 

Reliance on information posted:

While we use reasonable endeavours to provide up to date and relevant materials, the materials posted on our site are not intended to amount to advice on which reliance should be placed. They may not reflect recent changes in the law and are not intended to constitute a definitive or complete statement of the law. You may use them to stay up to date with legal developments but you should not use them for transactions or legal advice and you should carry out your own research. We therefore disclaim all liability and responsibility arising from any reliance placed on such materials by any visitor to our site, or by anyone who may be informed of any of its contents.