GDPR

Definition

GDPR is the General Data Protection Regulation, a European Union regulation that governs how organizations collect, use, share, secure, and retain personal data, while granting individuals defined rights over the processing of their information.

What is GDPR?

GDPR stands for General Data Protection Regulation. It applies to the processing of personal data of individuals in the European Union and, in many cases, to organizations outside the EU that offer goods or services to those individuals or monitor their behavior. The regulation is not limited to technology companies. It affects employers, manufacturers, retailers, procurement teams, and service providers that handle personal data.

The regulation works by imposing legal obligations on controllers and processors. Organizations must identify a lawful basis for processing, provide transparent notices, respect data subject rights, keep data secure, and ensure that personal data is processed only for specified purposes. In procurement, GDPR is especially relevant when suppliers handle employee, customer, patient, or user data on the buyer’s behalf.

What Counts as Personal Data Under GDPR

Personal data means any information relating to an identified or identifiable natural person. That can include obvious items such as names, email addresses, and phone numbers, but it also extends to identifiers, online data, location information, employee records, and combinations of information that can identify a person indirectly.

This broad definition matters in vendor management because a contract may appear operational in nature while still involving personal data through support logs, access credentials, contact records, or behavioral usage data.

Controller and Processor Responsibilities

A controller determines the purposes and means of processing, while a processor handles personal data on the controller’s behalf. The distinction matters because contractual obligations, instructions, sub-processing rules, and breach notification duties differ depending on the role each party plays.

Procurement and legal teams need to determine that role before signing a contract. If a supplier is acting as processor, the agreement usually requires detailed data-processing terms covering security, retention, assistance with rights requests, audit rights, and use of sub-processors.

GDPR in Procurement and Supplier Management

Procurement cannot treat GDPR as a late-stage legal review. Data protection considerations affect supplier selection, architecture, hosting location, support model, access controls, and subcontracting choices. Due diligence should examine how a supplier secures data, limits access, manages incident response, and supports deletion, portability, and other regulatory obligations.

The regulation also influences cross-border contracting. If personal data moves outside the European Economic Area, the transfer mechanism and the risk environment become part of the sourcing decision, not just a legal afterthought.

Rights, Governance, and Enforcement

GDPR gives individuals rights that include access, rectification, erasure in certain circumstances, restriction, objection, and data portability where applicable. Organizations need operational processes to respond to those rights within required timelines and to document how decisions are made.

Supervisory authorities can impose significant penalties for non-compliance, but enforcement risk is not the only concern. Weak data protection also creates contractual, reputational, and operational exposure when suppliers cannot handle incidents or demonstrate lawful processing discipline.

Frequently Asked Questions about GDPR

What does GDPR require from companies that use suppliers to process data?

When a supplier processes personal data on a company’s behalf, GDPR requires more than a general confidentiality clause. The buyer must use a compliant data-processing agreement, give documented instructions, assess the supplier’s security and sub-processing arrangements, and ensure the supplier can support breach response and data subject rights. In other words, vendor oversight is a core GDPR obligation, not an optional procurement preference.

Does GDPR apply only to companies located in Europe?

No. GDPR can apply to organizations outside Europe if they offer goods or services to individuals in the EU or monitor their behavior. A non-EU company may therefore fall within scope because of how it collects website data, manages employee records, or uses service providers. The law is triggered by the data relationship and processing context, not simply by where the company is incorporated.

Why is GDPR important in procurement?

Procurement is often the function that selects and contracts the suppliers who will process personal data, host systems, provide software support, or access internal records. If data protection is not assessed during sourcing, the organization may sign a commercially attractive contract that creates major regulatory and operational exposure. Procurement therefore plays a direct role in privacy-by-design and vendor accountability.

What is the difference between a controller and a processor under GDPR?

A controller decides why and how personal data will be processed. A processor handles that data on the controller’s behalf according to instructions. The distinction is critical because it determines contractual obligations, allocation of responsibility, and the extent of operational control each party has. In supplier relationships, the roles should be identified deliberately rather than assumed from generic contract language.