
GDPR Vendor Due Diligence Checklist

This checklist supports GDPR compliance when engaging third-party vendors and processors that handle personal data. Organizations must conduct due diligence before entering a vendor relationship and throughout it to meet their obligations under Articles 5, 28, and 32 of the GDPR, and Article 28(1) requires controllers to use only processors providing sufficient guarantees of compliant processing. Each item is tied to a specific regulatory requirement and gives a concrete verification step. Use this checklist to document vendor assessments, contractual requirements, and ongoing monitoring activities.

  • Data Processing Agreement (DPA) in Place – Verify a signed Data Processing Agreement containing the mandatory terms of Article 28(3) GDPR exists before the vendor receives or accesses any personal data. Document the execution date, the parties, and the scope of processing (subject matter, duration, nature, purpose, types of data, and categories of data subjects).
  • Processor Liability Clause Included – Confirm the DPA allocates liability between controller and processor consistently with Article 82 GDPR. Article 82 liability is statutory and cannot be contracted away; under Article 82(2) a processor is liable where it has not complied with processor-specific obligations or has acted outside or contrary to the controller's lawful instructions, and the contract should reflect that allocation.
  • Sub-processor Authorization – Review Article 28(2) and 28(4) requirements; obtain the list of all authorized sub-processors and confirm the written authorization mechanism (specific or general) is documented before any sub-processor is engaged. Where general authorization is used, confirm the vendor commits to notifying intended additions or replacements so the organization can object, and that the same data protection obligations flow down to each sub-processor.
  • Data Subject Rights Assistance – Confirm the DPA obligates the vendor, per Article 28(3)(e), to assist with requests under Articles 15-22 GDPR (access, rectification, erasure, restriction, portability, objection) within timeframes short enough for the controller to meet its own one-month response deadline under Article 12(3).
  • Technical and Organizational Measures (TOMs) – Reference Article 32 GDPR; verify vendor documentation detailing encryption, access controls, pseudonymization, availability testing, and restoration procedures.
  • Data Protection Impact Assessment (DPIA) Participation – Per Article 35 GDPR, confirm vendor will provide necessary information and cooperate with DPIA completion for high-risk processing activities.
  • Data Breach Notification Obligation – Verify the DPA reflects Article 33(2) GDPR, which requires the processor to notify the controller without undue delay after becoming aware of a personal data breach. Because the controller must notify the supervisory authority within 72 hours under Article 33(1), set a contractual deadline (for example, 24 hours) and require the vendor to supply the details listed in Article 33(3).
  • International Data Transfer Mechanisms – If personal data leaves the EEA, confirm per Articles 44-49 GDPR that a valid transfer mechanism is in place: an adequacy decision, Standard Contractual Clauses (SCCs), or Binding Corporate Rules (BCRs). Where SCCs are used, confirm a transfer impact assessment of the destination country's laws has been documented, including any supplementary measures applied, and that sub-processor transfers are covered as well.
  • Audit and Inspection Rights – Document Article 28(3)(h) requirement granting the organization audit rights; verify vendor consent to inspections and provision of audit reports.
  • Data Deletion/Return Policy – Confirm per Article 28(3)(g) GDPR that the vendor will, at the organization's choice, delete or return all personal data at the end of the provision of services within a defined timeframe, delete existing copies (including backups, within a stated retention window), and certify completion, unless Union or Member State law requires continued storage.
  • Privacy Policy Alignment – Verify vendor's privacy practices, sub-processor list, and data retention policies align with information disclosed to data subjects under Article 13-14 GDPR.
  • Data Subject Consent Documentation – Where the vendor collects consent on the organization's behalf, confirm per Article 7 GDPR that it maintains records demonstrating freely given, specific, informed, and unambiguous consent, including when and how consent was obtained and withdrawn.
  • Vendor Insurance and Indemnification – Verify the vendor carries cyber liability and errors & omissions insurance at a level appropriate to the data processed; confirm the indemnification clause covers losses arising from GDPR violations. Note that administrative fines are not insurable or indemnifiable in every jurisdiction, so do not treat indemnification as a substitute for verifying the vendor's actual controls.
  • Security Assessment/Certification – Document the vendor's security certifications (ISO 27001, SOC 2 Type II) or completion of a security questionnaire aligned with the Article 32 GDPR security requirements. Confirm the certification scope or SOC 2 system description actually covers the services and locations the organization will use, and review any exceptions noted in the report.
  • Data Processing Records – Per Article 30(2) GDPR, confirm the vendor maintains Records of Processing Activities (ROPA) for the processing it carries out on the organization's behalf, including the controller's identity and contact details, the categories of processing, any transfers to third countries and their safeguards, and a general description of the TOMs in place.
  • Training and Competency – Verify that vendor staff handling personal data have received data protection training, that they are bound by confidentiality obligations or NDAs as required by Article 28(3)(b), and that they process personal data only on the controller's instructions as required by Article 32(4).
  • Incident Response Plan – Review the vendor's documented incident response and breach notification procedure to confirm it supports the processor's Article 33(2) GDPR obligation to notify the controller without undue delay, including named contacts, escalation paths, and the information the vendor will provide to support the controller's own notification and breach register under Article 33(5).
  • Annual Compliance Review – Schedule at least an annual vendor re-assessment to confirm continued compliance with DPA terms, review updated TOMs and sub-processor lists, and account for regulatory changes, so the organization can continue to show that the processor provides the sufficient guarantees required by Article 28(1).