How Do You Manage Your Suppliers When Processing Order Data?
If you commission a supplier or service provider, i.e. someone who provides services on your behalf (a processor), you must conclude an agreement with them. This is certainly nothing new and has been common practice for years. But it now also applies to suppliers who, for example, operate your server, do payroll accounting, provide data center services, collect customer data, operate the website, or perform data backups. You must also have an agreement with them in order to secure the data processing.
This agreement sets out the instruction that personal data be processed exclusively for the purpose of fulfilling the contract.
Be Able To Provide Information
As the responsible party, you should be able to provide the following information to your competent data protection supervisory authority:
- The processor is able to meet all the requirements of the GDPR and the BDSG, can give guarantees regarding the security of data processing, and can ensure the necessary technical and organizational measures.
- Sub-contractors are only commissioned if separate or general written approval has been granted in advance.
- The order data processing agreement (ADV) meets the legal minimum requirements.
Check Supplier Agreements
As a result, you have to re-examine all agreements with your contractors for compliance with data protection and, if necessary, agree on the corresponding ADVs. Various service providers, for example operators of data center services or cloud solutions, already offer such ADVs themselves. However, it remains your responsibility to check these, adjust them if necessary and then conclude them.