The Biling Health Resort

Gdpr Vendor Agreement

As businesses around the world grapple with the implications of GDPR, it`s important for them to ensure that their vendor agreements comply with the new regulation. GDPR, or General Data Protection Regulation, is a law created by the European Union that came into effect on May 25, 2018. It is designed to protect the privacy and personal data of EU citizens and applies to any company that processes their data. In this article, we will outline the key aspects of a GDPR vendor agreement and how businesses can ensure they are compliant.

What is a GDPR vendor agreement?

A GDPR vendor agreement is a contract between a business and a third-party vendor that outlines the terms of how personal data is collected, processed, and stored. The agreement is designed to ensure that the vendor is GDPR compliant and that they are treating the personal data with the necessary care and attention it requires.

What are the key elements of a GDPR vendor agreement?

The GDPR vendor agreement should include the following key elements:

1. Data processing instructions: This section should outline what personal data will be processed, the purpose of the data processing, and how the data will be processed.

2. Data protection measures: The vendor is required to implement appropriate technical and organizational measures to protect the personal data from unauthorized access, disclosure, destruction, or alteration.

3. Confidentiality: The vendor should agree to keep the personal data confidential and not disclose it to any third parties without the business`s consent.

4. Sub-processing: If the vendor needs to engage a sub-processor to process personal data on their behalf, they should obtain the business`s consent and ensure that the sub-processor is GDPR compliant.

5. Data subject requests: The vendor should cooperate with the business in responding to data subject requests, such as requests to access, rectify, erase, or restrict processing of personal data.

6. Data breach notification: The vendor should notify the business without undue delay if there is a data breach. The notification should include the nature of the breach, the categories of data affected, the likely consequences, and the measures taken to mitigate the breach.

How can businesses ensure their vendor agreements are GDPR compliant?

To ensure that their vendor agreements are GDPR compliant, businesses should follow these steps:

1. Conduct a risk assessment: Businesses should assess the risks associated with their data processing activities and identify any vendors that process personal data on their behalf.

2. Review and update vendor agreements: Businesses should review their existing vendor agreements and update them to ensure they comply with GDPR. If a vendor agreement does not comply with GDPR, businesses should renegotiate the terms or terminate the agreement.

3. Monitor vendor compliance: Businesses should monitor their vendors` compliance with GDPR and ensure that they are implementing appropriate technical and organizational measures to protect personal data.

4. Obtain GDPR certifications: Businesses can consider obtaining GDPR certifications, such as ISO 27001, which demonstrate that they have implemented appropriate data protection measures.


In conclusion, GDPR is a complex regulation that requires businesses to ensure that their vendor agreements are compliant. By following the key elements of a GDPR vendor agreement outlined above, businesses can ensure that their personal data is protected and that they are complying with GDPR. As GDPR continues to evolve, it`s important for businesses to stay up to date on any changes to the regulation and adjust their vendor agreements accordingly.