Do you really know how your supplier is looking after your data?

No man is an island and creative agencies rarely if ever operate in isolation. They form part of a network of organisations and individuals that come together to deliver services for their clients. Suppliers, partners, freelancers, employees and their clients are all using and sharing data between each other to do their jobs. So, it is vital that those who lead creative agencies understand the network that operates around their businesses when it comes to GDPR. In this edition of our GDPR series we explore how GDPR applies to your relationship with your suppliers.

GDPR in the supply chain really comes down to ensuring compliance, backed up by solid contractual agreements regarding how personal data will be stored and processed.

The starting point in understanding GDPR in the supply chain is to understand the two primary definitions – data controllers and data processors. A data controller is defined as a person who (alone or jointly with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed. A data processor is a body which processes personal data on behalf of the controller.

While you need to understand what role you take with each of your suppliers, a central point to understand is that you are just as liable as your suppliers if the GDPR rules are broken. It is up to you to assess the people you work with and to make sure that they have the systems and processes in place to comply with GDPR. This applies not just to the here and now, but also to any legacy data stored between you. You must understand that you are the one responsible for all suppliers you use for any of your customers and employees.

The role of data controllers and processors is not new, and previous data regulation has used these definitions. However, implementation will vary among EU member states. For instance, some states will not require a data processing agreement at all, whereas others, like Germany, will. In any case, there is now a higher bar in place – firstly on the role of processors, by directly regulating their actions, and secondly on you – often the data controller – to prove that you have done your due diligence with any organisation that you share data with.

A worthwhile activity would be to draw up a map for the flow of personal data between you and your suppliers. Using this map, review all existing contracts that involve the processing of personal data to understand the data protection provisions included. It is unlikely that agreements signed before GDPR came into force will include all the clauses that are now required, so these will need updating.

As a data controller, you need to be content that suppliers meet the following obligations.

That they:

  • Cooperate with national supervisory authorities;
  • Implement and retain appropriate security standards;
  • Conduct the necessary data protection impact assessments;
  • Appoint a data protection officer;
  • Comply with the provisions of international data transfer.

You must also have a written data processing agreement in place between you and your supplier. Data accountability is an important factor and means that you and your suppliers are required to demonstrate – prove – that you are compliant. Absence of evidence is considered a breach of the regulation, so make sure everything is documented.

Your suppliers (the data processors) also need to fulfil their obligations. Key elements must include:

  • Only process data in accordance with the instructions of the controller;
  • Not sub-contract their activities out without the written consent of the data controller;
  • Demonstrate compliance always – keeping effective records that they can show controllers on request;
  • Notify the data controller of any breach of data security without delay.

One final point to consider is that GDPR relates to EU citizens’ personal data – it is not geographically limited to the EU. So, if you have suppliers based outside of the EU but still handling EU citizens’ data, then they are still under the regulation.


By Judith Nink, Data Protection Officer, Eyeo
