Lokker

Third-Party Vendor Management and DPAs Guide

This guide provides practical steps for managing third-party vendors that process personal data on your behalf. Learn how to assess vendors, draft Data Processing Agreements (DPAs), conduct ongoing monitoring, and ensure vendor compliance with GDPR, CCPA, and state privacy laws.

Overview: Why Vendor Management Matters

GDPR Requirements:

  • Must have written contract with processors (Article 28)
  • Must ensure processors provide sufficient guarantees
  • Must monitor processor compliance
  • Liable for processor violations in some cases

CCPA/CPRA Requirements:

  • Must have contracts with service providers
  • Must ensure service providers don't "sell" data
  • Must verify service provider compliance
  • Must have contracts for "sharing" arrangements

State Privacy Laws:

  • VCDPA, CTDPA, CPA require contracts with processors
  • Must ensure processors comply with data processing requirements

Business Risks

Poor Vendor Management Can Lead To:

  • Data breaches through vendor systems
  • Non-compliance with privacy regulations
  • Fines and legal liability
  • Loss of customer trust
  • Business disruption

Key Principles

  1. Due Diligence: Assess vendors before engagement
  2. Written Contracts: Always have DPAs in place
  3. Ongoing Monitoring: Don't "set and forget"
  4. Risk-Based Approach: Focus resources on high-risk vendors
  5. Documentation: Keep records of all vendor assessments and contracts

Understanding Vendor Relationships

Types of Vendor Relationships

Data Processor (GDPR) / Service Provider (CCPA):

  • Processes personal data on your behalf
  • Acts under your instructions
  • Requires DPA

Data Controller:

  • Determines purposes and means of processing
  • Independent of your organization
  • May require different agreements (data sharing agreements)

Joint Controller:

  • You and vendor jointly determine processing
  • Requires joint controller agreement

Determining Vendor Type

Questions to Ask:

  1. Who determines what data is collected?

    • You determine = vendor is a Processor
    • Vendor determines = vendor is a Controller
  2. Who determines how the data is used?

    • You instruct = vendor is a Processor
    • Vendor decides = vendor is a Controller
  3. Who has the direct relationship with users?

    • You do = vendor is a Processor
    • Vendor does = vendor is a Controller

Example Classifications:

Vendor Type       Example                                Relationship Type
Processor         Email service provider (Mailchimp)     DPA required
Processor         Cloud hosting (AWS)                    DPA required
Processor         Analytics provider (Google Analytics)  DPA required
Controller        Social media platform (Facebook)       Data sharing agreement
Controller        Advertising network                    Data sharing agreement
Joint Controller  Co-branded service                     Joint controller agreement

Vendor Privacy Assessment Process

Assessment Framework

Key Areas to Assess:

  1. Data Processing Practices
  2. Security Measures
  3. Compliance Certifications
  4. Geographic Data Storage
  5. Sub-Processor Usage
  6. Incident Response
  7. Data Retention
  8. User Rights Support

Vendor Assessment Questionnaire

Section 1: Company Information

Basic Vendor Information
  • Company name and legal entity
  • Contact information
  • Years in business
  • Number of employees
  • Geographic locations
  • Industry certifications (SOC 2, ISO 27001, etc.)

Section 2: Data Processing

Data Processing Details
  • What types of personal data will vendor process?
  • What is the purpose of processing?
  • How will vendor access the data?
  • Where will data be stored (geographic locations)?
  • How long will vendor retain data?
  • Will vendor create derived data or analytics?
  • Will vendor combine data with other sources?

Section 3: Security

Security Measures
  • What security certifications does vendor have? (SOC 2, ISO 27001, etc.)
  • What encryption is used (in transit, at rest)?
  • What access controls are in place?
  • How are security incidents handled?
  • What is vendor's breach notification process?
  • How often are security audits conducted?
  • What is vendor's security incident history?

Section 4: Compliance

Regulatory Compliance
  • Is vendor GDPR compliant?
  • Is vendor CCPA/CPRA compliant?
  • Does vendor support data subject rights requests?
  • How does vendor handle deletion requests?
  • Does vendor support data portability?
  • What is vendor's privacy policy?
  • Has vendor had any regulatory actions or fines?

Section 5: Sub-Processors

Sub-Processor Management
  • Does vendor use sub-processors?
  • What sub-processors are used?
  • How are sub-processors managed?
  • Can you object to sub-processors?
  • How are you notified of new sub-processors?
  • Do sub-processors have DPAs?

Section 6: Data Transfers

International Data Transfers
  • Will data be transferred outside your jurisdiction?
  • What countries will data be transferred to?
  • What safeguards are in place for transfers?
  • Are Standard Contractual Clauses (SCCs) used?
  • Are adequacy decisions relied upon?

Section 7: Business Continuity

Business Practices
  • What is vendor's financial stability?
  • What is vendor's business continuity plan?
  • How can you terminate the relationship?
  • What happens to data upon termination?
  • Can you export your data?
  • What is vendor's disaster recovery plan?

Assessment Scoring

Create Scoring System:

  • High Risk: Significant concerns, requires mitigation or alternative vendor
  • Medium Risk: Some concerns, requires DPA and monitoring
  • Low Risk: Minor concerns, standard DPA sufficient

Risk Factors:

  • Volume of data processed
  • Sensitivity of data
  • Security posture
  • Compliance track record
  • Geographic locations
  • Sub-processor usage

Data Processing Agreements (DPAs)

What Is a DPA?

A Data Processing Agreement (DPA) is a contract between:

  • Data Controller (you) - determines purposes of processing
  • Data Processor (vendor) - processes data on your behalf

Purpose:

  • Define vendor's obligations
  • Ensure vendor compliance
  • Protect your organization
  • Meet regulatory requirements

When Is a DPA Required?

GDPR:

  • ✅ Required for all processors (Article 28)
  • ✅ Must be in writing
  • ✅ Must include specific provisions

CCPA/CPRA:

  • ✅ Required for service providers
  • ✅ Must prohibit "selling" data
  • ✅ Must allow audits

State Privacy Laws:

  • ✅ VCDPA, CTDPA, CPA require contracts
  • ✅ Must include specific provisions

Required DPA Provisions (GDPR)

Article 28 Requirements:

  1. Subject Matter and Duration

    • What data is processed
    • How long processing continues
  2. Nature and Purpose

    • Types of processing
    • Purpose of processing
  3. Type of Personal Data

    • Categories of data subjects
    • Categories of personal data
  4. Obligations and Rights

    • Processor acts only on instructions
    • Processor ensures confidentiality
    • Processor implements security measures
    • Processor assists with data subject rights
    • Processor assists with compliance
    • Processor deletes or returns data at end
  5. Sub-Processing

    • Processor cannot engage sub-processors without authorization
    • Same obligations apply to sub-processors
  6. Data Subject Rights

    • Processor assists controller with rights requests
  7. Security

    • Processor implements appropriate technical and organizational measures
  8. Breach Notification

    • Processor notifies controller of breaches without undue delay
  9. Audit Rights

    • Controller can audit processor compliance

Required DPA Provisions (CCPA/CPRA)

Service Provider Contract Requirements:

  1. Prohibition on Selling

    • Service provider cannot sell personal information
  2. Use Limitations

    • Can only use data for business purpose specified
    • Cannot use for other purposes
  3. Certification

    • Service provider certifies it understands restrictions
  4. Notification of Non-Compliance

    • Service provider notifies if it can't comply
  5. Audit Rights

    • Can audit service provider compliance

DPA Template Structure

Standard DPA Sections:

  1. Definitions

    • Define key terms (personal data, processing, etc.)
  2. Scope and Purpose

    • What data is processed
    • Purpose of processing
    • Duration
  3. Processor Obligations

    • Act only on instructions
    • Confidentiality
    • Security measures
    • Sub-processor restrictions
  4. Controller Obligations

    • Provide instructions
    • Ensure lawful basis
    • Provide necessary information
  5. Data Subject Rights

    • How processor assists with rights requests
    • Response timelines
  6. Security

    • Security measures required
    • Breach notification procedures
  7. Data Transfers

    • International transfer provisions
    • Safeguards (SCCs, etc.)
  8. Audit and Compliance

    • Audit rights
    • Compliance certifications
    • Reporting requirements
  9. Data Return and Deletion

    • What happens at end of contract
    • Data return procedures
    • Deletion requirements
  10. Liability and Indemnification

    • Liability limitations
    • Indemnification provisions
  11. Term and Termination

    • Contract duration
    • Termination procedures
  12. General Provisions

    • Governing law
    • Dispute resolution
    • Amendments

DPA Checklist

GDPR Requirements
  • Subject matter and duration specified
  • Nature and purpose of processing specified
  • Type of personal data specified
  • Processor acts only on instructions
  • Confidentiality obligations
  • Security measures specified
  • Sub-processor restrictions included
  • Data subject rights assistance specified
  • Breach notification procedures
  • Audit rights included
  • Data return/deletion at end specified
CCPA/CPRA Requirements
  • Prohibition on selling personal information
  • Use limitations specified
  • Business purpose specified
  • Certification of understanding restrictions
  • Notification of non-compliance
  • Audit rights included
State Privacy Laws
  • Processing purposes specified
  • Data subject rights assistance
  • Security measures
  • Breach notification
  • Data return/deletion
  • Audit rights

Vendor Onboarding Privacy Review

Onboarding Process

Step 1: Initial Assessment

Pre-Engagement Assessment
  • Complete vendor assessment questionnaire
  • Review vendor's privacy policy
  • Review vendor's security certifications
  • Check vendor's compliance track record
  • Assess vendor risk level
  • Determine if vendor is acceptable

Step 2: Contract Negotiation

DPA Negotiation
  • Review vendor's standard DPA (if provided)
  • Compare to your DPA template
  • Identify gaps or concerns
  • Negotiate required provisions
  • Ensure all regulatory requirements included
  • Finalize DPA terms

Step 3: Documentation

Document Vendor Relationship
  • Execute DPA
  • Document vendor in vendor inventory
  • Categorize vendor risk level
  • Document data processing details
  • Set up monitoring schedule
  • Assign vendor manager

Step 4: Implementation

Vendor Setup
  • Configure vendor according to DPA
  • Set up data access controls
  • Configure data retention settings
  • Test data subject rights processes
  • Verify security measures
  • Train staff on vendor usage

Vendor Inventory

Maintain Vendor Database:

Vendor Name       Type       Risk Level  DPA Status  Data Types        Review Date
Mailchimp         Processor  Medium      ✅ Signed   Email, Name       2025-07-01
Stripe            Processor  High        ✅ Signed   Payment, Billing  2025-06-01
Google Analytics  Processor  Low         ✅ Signed   Usage Data        2025-08-01

Information to Track:

  • Vendor contact information
  • DPA execution date
  • Data processing details
  • Sub-processors used
  • Compliance certifications
  • Review schedule
  • Risk assessment results

Ongoing Vendor Compliance Monitoring

Monitoring Activities

Regular Reviews:

  • Annual Reviews: Comprehensive assessment of all vendors
  • Quarterly Reviews: High-risk vendors
  • Ad-Hoc Reviews: When issues arise or practices change

What to Monitor:

  • Security incidents or breaches
  • Changes to vendor's privacy practices
  • New sub-processors
  • Compliance certification renewals
  • Vendor financial stability
  • Regulatory actions against vendor

Monitoring Checklist

Security Monitoring
  • Review vendor security incident reports
  • Check for vendor data breaches
  • Verify security certifications are current
  • Review security audit reports
  • Monitor vendor security updates
Compliance Monitoring
  • Review vendor privacy policy updates
  • Verify vendor supports data subject rights
  • Test data deletion processes
  • Review vendor compliance certifications
  • Check for regulatory actions
Contract Compliance
  • Verify vendor following DPA terms
  • Review sub-processor notifications
  • Check data retention compliance
  • Verify data location compliance
  • Review audit reports
Business Continuity
  • Monitor vendor financial stability
  • Review vendor business updates
  • Check for vendor acquisitions/mergers
  • Review vendor service level agreements
  • Monitor vendor performance

Vendor Review Schedule

High-Risk Vendors:

  • Comprehensive review: Quarterly
  • Security check: Monthly
  • Compliance check: Quarterly

Medium-Risk Vendors:

  • Comprehensive review: Semi-annually
  • Security check: Quarterly
  • Compliance check: Semi-annually

Low-Risk Vendors:

  • Comprehensive review: Annually
  • Security check: Semi-annually
  • Compliance check: Annually

Vendor Risk Categorization

Risk Factors

Data Sensitivity:

  • High: Health data, financial data, SSN, biometrics
  • Medium: Contact info, purchase history, location data
  • Low: Public information, anonymized data

Data Volume:

  • High: Large volumes of personal data
  • Medium: Moderate volumes
  • Low: Minimal data

Processing Activities:

  • High: Complex processing, AI/ML, profiling
  • Medium: Standard processing
  • Low: Simple processing

Security Posture (rated by strength; a strong posture lowers the vendor's overall risk):

  • High: Strong security, certifications, good track record
  • Medium: Adequate security, some certifications
  • Low: Weak security, no certifications, incidents

Geographic Risk:

  • High: Data in risky jurisdictions
  • Medium: Data in acceptable jurisdictions
  • Low: Data in privacy-friendly jurisdictions

Risk Categories

High Risk:

  • Process sensitive data (health, financial)
  • Large data volumes
  • Complex processing
  • Weak security posture
  • Risky geographic locations
  • Action: Enhanced due diligence, strict DPA, frequent monitoring

Medium Risk:

  • Process moderate sensitivity data
  • Moderate data volumes
  • Standard processing
  • Adequate security
  • Acceptable geographic locations
  • Action: Standard DPA, regular monitoring

Low Risk:

  • Process low sensitivity data
  • Minimal data volumes
  • Simple processing
  • Strong security
  • Privacy-friendly locations
  • Action: Standard DPA, annual review

Risk Assessment Matrix

Data Sensitivity  Data Volume  Security  Geography   Risk Level
High              High         Weak      Risky       CRITICAL
High              Medium       Medium    Acceptable  HIGH
Medium            Medium       Strong    Acceptable  MEDIUM
Low               Low          Strong    Friendly    LOW

Sub-Processor Management

What Are Sub-Processors?

Sub-processors are vendors that your vendor uses to provide services. For example:

  • Your email vendor (Mailchimp) uses AWS for hosting
  • AWS is Mailchimp's sub-processor
  • AWS processes your data indirectly

Sub-Processor Requirements

GDPR Requirements:

  • Processor cannot engage sub-processor without authorization
  • Same obligations apply to sub-processors
  • Must notify controller of new sub-processors
  • Controller can object to sub-processors

CCPA/CPRA Requirements:

  • Service provider can use sub-processors
  • Sub-processors must be bound by same restrictions
  • Must notify of sub-processor changes

Sub-Processor Management Process

Step 1: Initial Disclosure

Vendor Sub-Processor List
  • Request vendor's sub-processor list
  • Review sub-processors used
  • Assess sub-processor risk
  • Approve or object to sub-processors
  • Document approved sub-processors

Step 2: Ongoing Management

Sub-Processor Changes
  • Require vendor to notify of new sub-processors
  • Review new sub-processor risk
  • Approve or object to new sub-processors
  • Update sub-processor list
  • Verify sub-processors have DPAs

Step 3: Monitoring

Sub-Processor Compliance
  • Verify sub-processors comply with restrictions
  • Monitor sub-processor security
  • Review sub-processor certifications
  • Check for sub-processor incidents

Sub-Processor Approval Process

When Vendor Adds New Sub-Processor:

  1. Vendor Notifies You (as required by DPA)
  2. You Review Sub-Processor:
    • Check sub-processor's privacy practices
    • Review security posture
    • Assess geographic location
    • Review compliance certifications
  3. You Decide:
    • Approve: Add to approved list
    • Object: Request vendor use alternative
    • Request More Info: Ask for additional details
  4. Document Decision in vendor file

Vendor Termination and Data Return

Termination Scenarios

Common Reasons for Termination:

  • Contract expiration
  • Vendor non-compliance
  • Security breach
  • Business needs change
  • Vendor acquisition/merger
  • Vendor going out of business

Termination Process

Step 1: Notice and Planning

Termination Planning
  • Review DPA termination provisions
  • Provide required notice to vendor
  • Plan data migration (if needed)
  • Identify alternative vendor (if needed)
  • Set termination timeline

Step 2: Data Export

Data Export
  • Request data export from vendor
  • Verify data completeness
  • Export data in usable format
  • Store exported data securely
  • Verify data integrity

Step 3: Data Deletion

Vendor Data Deletion
  • Request vendor delete all your data
  • Verify deletion from primary systems
  • Request deletion from backups
  • Request deletion from sub-processors
  • Obtain deletion confirmation
  • Document deletion

Step 4: Final Verification

Termination Verification
  • Verify all data returned or deleted
  • Confirm vendor compliance with termination
  • Update vendor inventory
  • Close vendor file
  • Archive DPA and documentation

Data Return Requirements

What Should Be Returned:

  • All personal data in vendor's possession
  • Data in structured, commonly used format
  • Data in readable format
  • All derived data (if applicable)
  • Metadata associated with data

Timeline:

  • Typically 30-60 days after termination
  • May vary by DPA terms
  • Should be specified in DPA

Data Deletion Requirements

What Should Be Deleted:

  • All personal data from vendor systems
  • Data from backups (when possible)
  • Data from sub-processor systems
  • Derived data and analytics
  • Logs containing personal data

Deletion Confirmation:

  • Vendor should provide written confirmation
  • Should specify what was deleted
  • Should confirm deletion from all systems
  • Should include sub-processor deletion

Vendor Audit Rights and Procedures

Audit Rights

GDPR:

  • Controller has right to audit processor
  • Can conduct audits or request audit reports
  • Processor must cooperate

CCPA/CPRA:

  • Can audit service provider compliance
  • Service provider must cooperate

State Privacy Laws:

  • Generally include audit rights
  • Must be specified in contract

Types of Audits

1. Self-Attestation

  • Vendor provides written attestation
  • Less resource-intensive
  • Good for low-risk vendors

2. Audit Reports

  • Vendor provides third-party audit reports
  • SOC 2, ISO 27001 reports
  • Good for medium-risk vendors

3. On-Site Audits

  • You conduct audit at vendor location
  • Most thorough
  • Good for high-risk vendors

4. Remote Audits

  • Vendor provides access to systems remotely
  • Review documentation and processes
  • Good alternative to on-site

Audit Procedures

Planning the Audit:

Step 1: Determine Audit Scope
  • Define what to audit (security, compliance, data handling)
  • Identify systems and processes to review
  • Set audit timeline
  • Determine audit type (self-attestation, report, on-site)
Step 2: Request Audit
  • Notify vendor of audit request
  • Provide audit scope and requirements
  • Schedule audit date
  • Request necessary documentation
Step 3: Conduct Audit
  • Review vendor documentation
  • Interview vendor staff
  • Review security controls
  • Test data handling processes
  • Verify compliance with DPA
Step 4: Document Findings
  • Document audit findings
  • Identify compliance gaps
  • Create remediation plan
  • Share findings with vendor
  • Follow up on remediation

Audit Frequency

Recommended Frequency:

  • High-Risk Vendors: Annually or bi-annually
  • Medium-Risk Vendors: Every 2-3 years
  • Low-Risk Vendors: Every 3-5 years or as needed

Factors Affecting Frequency:

  • Vendor risk level
  • Data sensitivity
  • Past audit results
  • Security incidents
  • Regulatory changes

Common Vendor Management Challenges

Challenge 1: Vendor Refuses to Sign DPA

Problem: Vendor won't sign your DPA or insists on using their own.

Solutions:

  • Negotiate middle ground (combine both DPAs)
  • Use vendor's DPA but add addendum with your requirements
  • Consider alternative vendors if vendor won't comply
  • Escalate to legal/compliance teams
  • Document refusal and risk assessment

Challenge 2: Vendor Uses Unapproved Sub-Processors

Problem: Vendor adds sub-processors without notifying you.

Solutions:

  • Include notification requirements in DPA
  • Require advance notice (30-60 days)
  • Include right to object in DPA
  • Regular sub-processor list reviews
  • Consider termination if vendor doesn't comply

Challenge 3: Vendor Has Security Incident

Problem: Vendor experiences data breach affecting your data.

Solutions:

  • Ensure breach notification requirements in DPA
  • Require notification within 24-72 hours
  • Request detailed incident report
  • Assess impact on your data
  • Determine if notification to users/regulators needed
  • Review vendor's remediation plan
  • Consider terminating relationship if severe

Challenge 4: Vendor Changes Practices

Problem: Vendor changes privacy practices or terms without notice.

Solutions:

  • Require advance notice of material changes in DPA
  • Review changes for compliance impact
  • Negotiate changes if needed
  • Consider termination if changes unacceptable
  • Update DPA if practices change significantly

Challenge 5: Managing Many Vendors

Problem: Too many vendors to manage effectively.

Solutions:

  • Prioritize by risk level
  • Focus resources on high-risk vendors
  • Use vendor management software
  • Standardize processes and templates
  • Automate where possible (certification tracking, etc.)
  • Consider vendor consolidation

Implementation Checklist

Phase 1: Foundation (Week 1-2)

Set Up Vendor Management Program
  • Create vendor assessment questionnaire
  • Develop DPA template
  • Create vendor inventory system
  • Define risk categorization criteria
  • Establish vendor review schedule
  • Assign vendor management responsibilities

Phase 2: Current Vendor Assessment (Week 3-6)

Assess Existing Vendors
  • Inventory all current vendors
  • Categorize vendors by risk level
  • Assess each vendor's privacy practices
  • Review existing contracts/DPAs
  • Identify gaps in current DPAs
  • Prioritize vendors for DPA updates

Phase 3: DPA Implementation (Week 7-12)

Execute DPAs
  • Negotiate DPAs with high-risk vendors first
  • Execute DPAs with all processors
  • Document DPA execution dates
  • Store DPAs in centralized location
  • Update vendor inventory with DPA status

Phase 4: Ongoing Management (Ongoing)

Establish Monitoring
  • Set up vendor review schedule
  • Conduct initial vendor reviews
  • Monitor vendor security incidents
  • Review vendor policy updates
  • Track compliance certifications
  • Conduct audits as needed


Last Updated: 2025-01-17