How to write a GDPR third-party questionnaire – with examples

Under the GDPR (General Data Protection Regulation), organisations can be held responsible for data breaches that occur at suppliers that don’t have appropriate protections in place.

That’s why it’s essential that organisations review third parties’ data protection practices before partnering with them. This is often assessed with what is known as a third-party risk assessment questionnaire, or a vendor risk assessment.

These assessments can help organisations meet the requirements of Article 28(1) of the GDPR.

It states that where processing is to be carried out on behalf of a controller, the controller must only use processors that provide adequate assurances that they implement appropriate technical and organisational measures to meet the requirements of the GDPR and protect data subjects’ rights.

The assessment also ensures that organisations comply with Article 28(2), which states that the processor must not engage another processor without prior authorisation from the controller.

But what should you include in your third-party questionnaire? In this blog, we provide a list of questions that should be sent to all potential suppliers.

What to include in a GDPR supplier questionnaire

  1. Who is your DPO (data protection officer)?

A DPO is responsible for advising an organisation on how to comply with its legal requirements concerning data processing. They are also the point of contact regarding data protection and privacy matters.

As such, they are the person best suited to complete the questionnaire.

Note that not all organisations are required to appoint a DPO. You may wish to provide an option for the third party to state this, and in which case, they should identify the person responsible for their GDPR compliance.

2. Do you provide regular staff awareness training?

Staff awareness is a core GDPR compliance requirement. It’s essential to prevent employees making basic data protection or privacy mistakes, and highlights the appropriate course of action when a data breach occurs.

Rather than simply requesting a yes/no answer, you may ask the third party to provide further details on their training programme. This might include a question on how often training courses occur and what the courses cover.

3. What tools and processes does your organisation use to monitor the way personal data is processed and maintained?

This question refers to the organisation’s commitment to the GDPR’s data processing principles.

Organisations must only process personal data if they have a lawful basis to do so, they collect data only when it’s necessary, they ensure the information remains accurate and up to date, and they remove personal data from their systems when it’s no longer required.

4. Where does your organisation intend to store personal data on our behalf?

You want specifics on how the personal data is going to be managed. Will it be held separately, will there be physical copies of the data, will it be held on the third party’s own systems or in the Cloud? Will the data be stored internationally? If so, where, and are appropriate safeguards in place?

5. What methods do you use for sanitising personal data?

Depending on the purpose for processing personal data, the third party may be able to encrypt or anonymise certain information. This would decrease the risks associated with processing.

6. What processes or tools do you have for detecting security incidents?

Incident response is a crucial aspect of data protection. Organisations that can spot a breach promptly are able to close the vulnerability and stop further damage occurring.

Managing your supply chain with DQM GRC

Given the risks associated with poor third-party data protection practices, it’s understandable that many organisations want expert advice.

Those that get caught out may find themselves liable for a hefty GDPR fine and significant reputational damage.

But with DQM GRC’s Supply Chain Audit, you can be sure that third parties can be trusted to work alongside you and have evidence that you’re doing your utmost to comply with the GDPR should there be a data breach.

Our team of experts will design an audit programme around your risks and controls, and seek answers from your suppliers and processors about their practices. You will receive a report that identifies areas of good practice and highlights deficiencies, supported by recommendations to resolve or mitigate them.


  • Luke Irwin

    Luke Irwin is a former writer for DQM GRC. He has a master's degree in Critical Theory and Cultural Studies, specialising in aesthetics and technology.

    View all posts

Add a Comment

Your email address will not be published. Required fields are marked *