Help Center
News
Help Center
News
Getting Started
Compliance Settings
IT Settings
Risk Settings
Modules
Document
Documents & PoliciesAssessmentsControls & Technical and Organizational Measures (TOMs)Report ExplorerAsset RegisterInternational StandardsRecord of Processing Activities (ROPA)Exporting your ROPAVendorsData Protection Impact Assessments (DPIA)Legitimate Interest DocumentationsMeetings & ActivitiesRetentions & Deletions PeriodsData Collection Point (DCP)Add documents to vendors
Manage
React & Resolve
Sharing & Group functions
Assessments
Features
How-To Guides & Tips
Get Help
Release Notes

Vendors

Overview

In many cases, companies engage third parties to process data either on their behalf or in collaboration with them. To clearly document data flows and access to this information, the Priverion platform offers the Vendor Management.

Organize existing vendors efficiently, add new vendors, and record Sub-Vendors (so-called Downstream Processors) employed by your primary vendors for data processing. This lets you maintain an overview of your external partners and their roles in your data processing activities.

The overview divides your vendors into categories: All, Active, Draft, Inactive, Review, and Downstream Processors. This structure enables clear organization and targeted management.

  • Add new vendors: Use the Create button to add new vendors.
  • Edit existing vendors: Click on a vendor to view or update their details.

Creating new Vendors

Contact Details and Regulation

As with every element, you can create the vendor manually or download a shared one from the organization. This guide focuses on manual creation. If you would like to learn more about downloading elements, you can just read the corresponding guide.

Click on Create and select the option Create Vendor. Enter the required information:

  • Assign a responsible person from your team.
  • Select the current status.
  • Enter the vendor’s name.
  • Provide their complete address, including city, and select the corresponding country.
  • Select the applicable regulations for the vendor based on the countries where they operate.
  • Type: You must define the vendor's role concerning the processing activity. In practice, this distinction can be complex. If in doubt, consult your Data Protection Officer.
    • Processor: If the processing serves your organization and you determine how and why the data is processed, the vendor is categorized as a Processor.
    • Controller: If they process personal data for their purposes, their role is that of a Controller.
    • Processor & Controller: Some vendors act as controllers and processors for different processing activities or data. In this case, you should label them as Processor & Controller.
    • Joint Controller: If you and the vendor jointly determine the purposes and means of the processing, select Joint Controller.
    • Other: Use this category if none of the above apply.
  • Classification: This is purely for internal organization and is flexible. Select an existing classification attribute from the drop-down menu or create a new one by typing it into the field and selecting it.
  • Description: Describe who the vendor is and their specific tasks, particularly regarding processing your data.
  • Reason for sharing: Specify why you are sharing data with this vendor. Be as precise as possible.
  • Representatives and DPO: You can also provide details of the vendor’s representatives in other countries. Include their contact details if the vendor’s Data Protection Officer (DPO) is known.
  • Contract duration: Lastly, if applicable, you can specify the contract’s expiration date with the vendor.
  • Click Save once all the required information has been entered.

Managing existing Vendors

Click on an existing vendor to manage it.

General

 As with most elements, you may write notes by clicking the Notes button on the right or manage its Access by clicking the three horizontal dots in the top right corner.

The General page displays the information entered during the vendor creation. You can edit this information by clicking on Edit.

Documents

The Documents tab lists all documents uploaded for the vendor, such as the main contract, a data protection agreement, documentation of implemented TOMs, and general terms and conditions. All relevant vendor-related documents should be linked here.

  • Use Add to select documents from your library.
  • Select all relevant documents.
  • If the required document is not yet in the library, you can create it by selecting Create.
  • Click Add to list to finalize the selection.

For more details, refer to the guide on Documents and Policies.

Criticality

The Criticality tab allows you to document how vital the vendor is for your organization and its data processing activities. You can update this information by clicking Edit.

Using a 5-point scale ranging from very low to very high, you can assess:

  • Material Impact: Refers to the actual consequences or effects of the vendor’s actions on your organization. As a data controller, you are accountable for the actions of your processors. The material impact depends on the tasks the vendor performs.
  • Criticality of Service: Evaluates the importance or necessity of the services provided by the vendor. This assesses how crucial the vendor's processing activities are for achieving your objectives and requirements.
  • Overall Criticality: Represents the vendor's overall significance to your business operations. This considers various factors, such as the service itself, the volume of data processed, the sensitivity of the data, and the potential impact of a data breach.

Assets

Under the next tab, you can link all assets associated with the vendor. The process is the same as adding documents.

Transfers

Since it is common for data processors to engage sub-vendors, it is important to document where data flows. The Transfers tab provides an overview of all Sub-Vendors the vendor uses to process your data.

To link new Sub-Vendors:

  • Click Add and select the relevant vendor from the library.
  • To create a new vendor, click Create. The process is identical to creating regular vendors.

Once you have selected the vendors and clicked Next, you will be prompted to specify a legal basis for transferring data. For each Sub-Vendor, select the applicable legal basis.

If you need assistance determining the appropriate legal basis, consult your Data Protection Officer.

Tasks

The Tasks tab lists all tasks associated with this vendor. To link a new task to the vendor:

  • Click Add and select a task from the library, or
  • Create a new task by clicking Create afterward.

To learn more, follow the steps in the Tasks guide.

Assessments

Assessments are crucial for documenting vendors. If you have conducted an assessment, you can add it to this tab by clicking Add. You can also create new assessments by clicking Create afterward. 

To learn more, follow the guide about Assessments.

Workflow

The Workflow tab lets you view required actions or trigger a new workflow.

 



 

Was this article helpful?

English
Powered by Product Fruits