The company maintains an overview of the suppliers that handle personal data or business-critical data, or that could otherwise affect the company's IT security. The company has formulated appropriate IT security requirements and requirements for responsible data use for these suppliers and has implemented them contractually. Larger companies conduct risk assessments of their suppliers.
4.1 Supplier lifecycle and risk assessment
The company should keep an inventory of suppliers that handle personal data or business-critical data, and should verify that each such supplier is able to comply with the company's requirements before entering into an agreement with it.
4.1.1 Supplier lifecycle and risk assessment
4.2 IT security requirements in supplier relationships
The company should lay down IT security requirements for suppliers that process personal or business-critical data, or that could affect the security of such data. The aim is to ensure an agreed level of IT security in the supplier's deliveries and services, and to safeguard the company's own assets in its supplier relationships.
4.2.1 IT security requirements in supplier relationships
4.3 Requirements for responsible data processing at suppliers
The company should lay down requirements for responsible data processing, including data ethics and data protection (cf. GDPR). Beyond ensuring that the use of data complies with applicable laws and frameworks, the supplier must meet the same D-seal criteria as the company itself.
4.3.1 Requirements for personal data processing at suppliers
4.3.2 Requirements for data ethical processing at suppliers