
Austria: Implementation series part 4 - Vendor management best practices

Managing data flows involving suppliers and vendors is one of the most challenging tasks for data controllers in practice. As a starting point, it requires a detailed understanding of the various legal obligations arising from different laws. In addition, the development of case law at national and EU level needs to be monitored, and measures already implemented frequently have to be adjusted on that basis. Finally, organisational and negotiation skills are an absolute must-have in order to balance business interests and commercial impacts. Part 3 of the implementation series explored data mapping; in part 4, Axel Anderl and Nino Tlapak, from DORDA Rechtsanwälte GmbH, discuss vendor management best practices and their nuances.


To manage their vendors efficiently, most Austrian companies have established strong information lines and close cooperation between their legal and sales departments. Furthermore, IT security and – where designated – the data protection officer are involved in the initial and ongoing verification of the implemented concepts. While the focus mostly lies on initial screening prior to an engagement, ad hoc as well as regular audits have become more common during the last two years. This is mainly caused by the overall increase in cyber threats, attacks, and incidents. In addition, most companies currently struggle with conducting the required Transfer Impact Assessments ('TIAs') for vendors situated outside the EEA in a third country lacking a valid adequacy decision by the European Commission ('the Commission').

Due diligence audit prior to any engagement

Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') requires a data controller to ensure that any data processor engaged provides sufficient guarantees to implement appropriate technical and organisational measures ('TOMs') in compliance with the requirements of the GDPR. In Austria, this proof of concept is mainly handled by companies' IT departments: they either provide the vendor with a finalised set of technical requirements and expectations – which the processor needs to accept and adhere to – or ask for the vendor's own TOMs. In the latter case, the controller needs to undertake a due diligence examination of the vendor's security measures, business continuity and recovery plans, as well as emergency/incident processes. The level of detail of such an audit mainly depends on the type of services outsourced to or received from the vendor: the more the services cover technical aspects, the more the IT department leads the evaluation and audit of the prospective vendor. In practice, many Austrian companies use checklists and colour-code systems to facilitate day-to-day decisions on low-risk vendors. In the case of critical outsourcing, in particular in highly regulated areas (e.g. banks, insurers, the pharmaceutical industry), a detailed in-depth analysis is usually conducted and documented for potential future audits initiated by the competent regulators and supervisory authorities.

Contract negotiations and strategy

In parallel to the technical audits and check-ups, the legal and sales departments commence contract negotiations in order to cover both legal requirements and commercial conditions. In Austria, the hot topics of discussion usually are:

  • whether the controller shall formally accept the compliance of the vendor's TOMs with Article 32 of the GDPR or, instead, whether the vendor shall be responsible (and liable) for the fitness of the implemented levels of security and their future development;
  • the need for, and required level of detail of, any supplementary measures;
  • whether and to what extent the controller's right to object to changes to, or the engagement of, sub-processors needs to be based on objective reasons;
  • whether audits are limited in scope and/or frequency and who shall bear their costs; and
  • the scope and overall cap of the vendor's liability in case of violations of the GDPR and fines being imposed.

In particular, the last two points have a direct commercial impact, which makes regular consultation between the legal and sales teams necessary in order to balance overall project and business interests.

Ensuring sufficient guarantees with third-country vendors

The concerns raised by the European Court of Justice in its ruling on the invalidity of the Privacy Shield in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) had, and continue to have, a great impact on the market, as the ruling requires additional safeguards, mitigating measures, and binding commitments to be implemented. In Austria, the focus in negotiations lies on limiting risks, particularly that of US authorities exercising unlawful access to data without data subjects being provided with effective remedies. Thus, supplementary measures need to be implemented, which usually consist of:

  • factual limitations, by ensuring encryption for the duration of the agreement; and
  • supplementary contractual safeguards reflecting the market standard as well as the European Data Protection Board guidelines and the Recitals of the Commission's decision on the updated Standard Contractual Clauses.

Further, each data exporter needs to conduct and document a TIA, considering the specific circumstances and agreed measures. While US providers already proactively support European data controllers by providing the information required for this task, vendors in other third countries are often not used to this process. This puts a lot of pressure on Austrian controllers, in particular SMEs, which usually lack the resources required to steer a provider confronted with these legal requirements for the first time.

Ongoing vendor management and audits

As soon as a vendor has successfully completed its initial due diligence audit and the contractual negotiations have been finalised, a regular audit plan and its management are required. In Austria, this is conducted efficiently only by large companies, regulated enterprises, and IT service providers. All other companies often refrain from doing regular checks of the factual and legal situation. If checks are conducted, companies tend to use checklists that are distributed to and completed by the vendor in order to reduce the demand on in-house resources.

Ad hoc audits are usually initiated only if (i) requested by the competent authority or (ii) a data breach arises in the vendor's sphere. In such a scenario, external professionals are often engaged to gather all the facts of the case for a possible mandatory data breach notification, and to document the measures implemented to remedy any wrongdoing and to justify the continuation of the business relationship with the vendor concerned.

Transparency via privacy notices

In Austria, vendors merely acting as data processors – such as IT service providers or cloud providers – are usually not listed with contact details in privacy notices, as this would regularly lead to information overload. Instead, mere categories are used, in line with Article 13 of the GDPR. Vendors acting as data controllers themselves are, on the other hand, exhaustively named together with the applicable purpose and legal justification of the data transfer conducted.

However, in the case of requests for information based on Article 15 of the GDPR, it is still highly disputed whether specific recipients or mere categories of recipients need to be disclosed to the requesting data subject. While the Austrian civil courts are in favour of letting the controller freely choose which approach to follow, based on the wording of Article 15 of the GDPR (in German, English, and French, 'or' is used), the Austrian data protection authority tends to be more reluctant. As a result, the Austrian Supreme Court recently asked the CJEU to provide a preliminary ruling on this matter (see OGH, 6 Ob 159/20f), which is expected during 2022.

Conclusion

Proper and well-balanced vendor management requires a lot of legal expertise, practical experience, know-how on the respective market practice, as well as sensitivity and goodwill on the part of all parties involved. Even established strategies and approaches need to be monitored frequently and continuously adjusted to comply with the developing case law and applicable laws.

Axel Anderl, Managing Partner
[email protected]
Nino Tlapak, Partner
[email protected]
DORDA Rechtsanwälte GmbH, Vienna