Gdpr Checklist for Third Party Agreements

The General Data Protection Regulation (GDPR) has brought a lot of changes to how businesses handle personal data. This includes third-party agreements, where businesses entrust outside entities with the processing of customer or employee data. To ensure compliance with the GDPR, companies need to have a thorough understanding of how these agreements work and what steps they need to take to protect their customers’ privacy rights. Here is a GDPR checklist for third-party agreements:

1. Identify all third-party agreements that involve data processing.

The first step in the checklist is to identify all third-party agreements that involve the processing of personal data. This includes agreements with service providers, vendors, and contractors that have access to customer or employee data. GDPR requires businesses to know and document all third-party companies with whom they share data.

2. Review the agreements to ensure GDPR compliance.

Once all third-party agreements have been identified, the next step is to review them to ensure that they comply with GDPR regulations. This includes checking that the agreements clearly outline the nature, duration, and purpose of the data processing, and that the data processing activities are lawful.

3. Ensure that sufficient security measures are in place.

Data security is a crucial element of GDPR compliance. Ensure that all third-party agreements have adequate security measures in place to protect the personal data they process. These security measures should be reviewed regularly to ensure they remain effective.

4. Check for proper data transfer mechanisms.

If personal data is transferred between countries, GDPR requires that appropriate transfer mechanisms are in place to ensure that the data is protected. Check that all third-party agreements comply with GDPR requirements regarding international data transfer.

5. Ensure that third-party data processors are GDPR compliant.

As a company entrusting data to a third-party data processor, it is essential to ensure that the processor is GDPR compliant. This includes checking that the processor has the necessary technical and organizational measures in place to ensure the protection of personal data.

6. Document all third-party agreements.

Finally, it is essential to document all third-party agreements that involve the processing of personal data. This documentation should include details of the data processing activities, the data transferred, the security measures in place, and any data breaches that occur.


In summary, GDPR compliance of third-party agreements requires businesses to identify all such agreements, review them for GDPR compliance, ensure adequate security measures, check for proper data transfer mechanisms, verify that third-party data processors are GDPR compliant, and document all agreements. By following this checklist, businesses can ensure that their third-party agreements comply with GDPR regulations and protect their customers` privacy rights.