Managing the list of suppliers (vendors) is a crucial part of the GDPR compliance of a website. The GDPR sets strict rules on the protection of personal data and requires companies to adopt appropriate measures to ensure the security and confidentiality of the data they collect and process. In this context, the proper management of the suppliers that process data on behalf of your website is essential. Here is a detailed guide on how to do it.

What is the purpose of the vendor list?

The vendor list of a website is the register of the third-party service providers the site uses.

Using a service provided by a third party can involve the collection, processing, use and storage of personal data by that third party. For example, if the Facebook pixel is installed on the website, the company Meta receives data about the users browsing your site, such as the pages they visit.

On this point the GDPR is clear: the data controller must adopt the measures necessary to protect the personal data that the company, or a third party acting on its behalf, handles and processes. Under Article 28 it may use only processors that provide sufficient guarantees, bound by a written data processing agreement. This is why the supplier list matters.

The risks of suppliers that are not GDPR compliant

When it comes to privacy, prevention is fundamental, but it is often neglected out of unawareness or misinformation.

For this reason it is important to stress sanctions and responsibilities: if a company relies on suppliers that do not comply with the GDPR, it is the company itself, as data controller, that answers for any violations.

The main risks that suppliers not compliant with the GDPR pose to a company are:

  1. Compromising the security of the personal data being processed.
  2. Not following company policies and best practices.
  3. Damaging the stability of the company, both internally and externally, with serious consequences for its reputation as well.

Among the concepts introduced by the GDPR is the principle of privacy by design, which requires privacy risks to be evaluated already during the pre-selection of suppliers. In practice, when choosing an external supplier you must verify its GDPR compliance and establish which security measures to require before selecting it, and then monitor its processing on an ongoing basis.

How to select a supplier while respecting the GDPR

Now that you know that under the European Regulation data controllers must also act as guarantors of how their partners and suppliers handle data, let's look at the specific actions to take on your website to ensure that data collection complies fully with the GDPR.

Avacy cookie banner

The vendor list is a fundamental part of the cookie banner. By law, the banner must clearly inform users which vendors their data will be sent to if they choose to accept cookies.

With a consent solution such as Avacy, the website can be scanned to detect the currently active vendors automatically. Bear in mind, however, that although scanning automates most of the work it is not 100% accurate, because of the complexity of the technologies installed on some websites: for example, scripts loaded only after a user interaction, or injected by a tag manager under certain conditions, may not appear in a scan.

For this reason you can add, modify or delete the suppliers of your site manually, directly from the cookie banner preferences panel.

Vendor list

Once the list of suppliers is saved and published, it is displayed automatically in the cookie banner on the website.

Preventive cookie blocking

To comply with the GDPR, remember to activate preventive (prior) blocking for all your suppliers, so that their scripts and cookies cannot run before consent is given.

The principle of data minimization requires companies to process only the personal data strictly necessary for a specific purpose. In practice, together with the consent requirement for tracking, this means that user data should not reach your vendors without the user's explicit consent, in particular through cookies and other online tracking tools that are not strictly necessary for the functioning of your website.

For example, websites must display a cookie banner that lets users decide which cookies to accept before those cookies are set on their device. This follows the GDPR's "privacy by default" principle: the most privacy-protective settings must apply by default, without the user having to change anything.

Prior blocking is therefore crucial: it prevents non-essential cookies from being set in visitors' browsers before they have given consent. Simply showing a banner is not enough: if a vendor's script is loaded by the page before the user chooses, its cookies are already set. Blocking ensures respect for users' privacy and that data is collected and used lawfully, transparently and securely.
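To make the mechanism concrete, here is an added example of how prior blocking works in the browser. It is not Avacy's code and does not reflect its implementation; the attribute names (data-vendor, data-category), the category names and the sample vendor list are assumptions constructed for this illustration. Vendor tags are shipped inert (type="text/plain"), nothing optional runs by default, strictly necessary vendors run without consent, unknown categories stay blocked, and on consent each allowed tag is re-created as a real script, because changing the type of an already-parsed script element does not execute it.

```javascript
'use strict';

// Added example of prior ("preventive") blocking of vendor scripts.
// Blocked tag shape assumed in the HTML (constructed, not an Avacy convention):
//   <script type="text/plain" data-vendor="meta" data-category="marketing"
//           src="https://connect.facebook.net/en_US/fbevents.js"></script>

// Categories the banner offers. Anything else is unknown and stays blocked.
const CATEGORIES = ['necessary', 'analytics', 'marketing'];

// Privacy by default: nothing optional is enabled until the user opts in.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false };
}

// Decide which blocked tags may run under the given consent state.
// `tags` is an array of { vendor, category, ... }; returns the allowed subset.
// Strictly necessary vendors never need consent; unknown categories fail closed.
function decideActivation(tags, consent) {
  const state = Object.assign(defaultConsent(), consent || {});
  return tags.filter(tag => {
    if (!CATEGORIES.includes(tag.category)) return false; // unknown -> blocked
    if (tag.category === 'necessary') return true;
    return state[tag.category] === true;
  });
}

// Replace an inert <script type="text/plain"> with an executable copy.
// The browser only runs a script element when it is inserted with a runnable
// type, so the original element must be replaced, not just retyped.
function activateScript(doc, el) {
  const real = doc.createElement('script');
  if (el.src) real.src = el.src; else real.textContent = el.textContent;
  for (const attr of ['async', 'defer']) {
    if (el.hasAttribute(attr)) real.setAttribute(attr, '');
  }
  real.dataset.vendor = el.dataset.vendor;
  real.dataset.category = el.dataset.category;
  el.parentNode.replaceChild(real, el);
}

// Apply the consent decision to the live page; returns the activated vendors.
function applyConsent(doc, consent) {
  const blocked = Array.from(
    doc.querySelectorAll('script[type="text/plain"][data-vendor]')
  );
  const tags = blocked.map(el => ({
    vendor: el.dataset.vendor, category: el.dataset.category, el
  }));
  const allowed = decideActivation(tags, consent);
  allowed.forEach(tag => activateScript(doc, tag.el));
  return allowed.map(tag => tag.vendor);
}

// Constructed sample vendor list for a stand-alone run (not from the page).
const SAMPLE_TAGS = [
  { vendor: 'consent-manager', category: 'necessary', src: '/cmp.js' },
  { vendor: 'meta', category: 'marketing',
    src: 'https://connect.facebook.net/en_US/fbevents.js' },
  { vendor: 'google-analytics', category: 'analytics',
    src: 'https://www.googletagmanager.com/gtag/js' },
  { vendor: 'legacy-widget', category: 'social', src: '/widget.js' } // unknown
];

// Vendors that would be activated for a given consent choice.
function vendorsFor(consent) {
  return decideActivation(SAMPLE_TAGS, consent).map(t => t.vendor);
}

// Browser only: on load, run nothing beyond the strictly necessary vendors.
// The banner's "accept" handler would then call applyConsent(document, choice).
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    applyConsent(document, defaultConsent());
  });
}

console.log('default:', vendorsFor(undefined));
console.log('marketing only:', vendorsFor({ marketing: true }));
```

In a real deployment the consent choice is persisted (typically in a first-party cookie or local storage) and applyConsent is re-run on every page load with the stored choice, so that vendors the user rejected stay blocked on later visits as well.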

Read Avacy's guide to discover how to activate preventive blocking.

Updating and periodic review of the suppliers list

The landscape of suppliers changes over time, as do regulations and best practices on data protection. It is essential to update and periodically review the vendor list, for example after every release that adds or removes a third-party script, to ensure it remains compliant with the GDPR.