Privacy Recertification & Vendor Onboarding Processes

The GDPR does not prescribe a fixed recertification period but requires regular review of technical and organizational measures (Article 28(3)(h) GDPR). In practice, supervisory authorities recommend annual recertification cycles for high-risk data processors. For vendors with lower risk, intervals of two to three years are sufficient. ADVISORI supports risk classification and defining appropriate review cycles for your entire vendor portfolio.

Structured data protection onboarding covers several mandatory steps: first, data protection due diligence reviewing the vendor's technical and organizational measures. Then a risk assessment to classify the processing risk. The third step is concluding a Data Processing Agreement (DPA) under Article

28 GDPR. Finally, documentation in the record of processing activities and integration into the ongoing monitoring system must be ensured. ADVISORI supports each step with standardized checklists and templates.

Without regular recertification, significant compliance risks can accumulate: outdated technical measures at the vendor go undetected, changes in processing practices are not captured, and sub-processors are engaged without knowledge. In the worst case, fines under Article

83 GDPR of up to

10 million euros or 2% of annual turnover apply. Add to this liability risks toward data subjects and potential reputational damage. ADVISORI helps close these gaps through systematic monitoring processes.

For large vendor portfolios, risk-based prioritization is key: high-risk processors are reviewed annually, medium risks every two years, low risks every three years. Automated reminder systems ensure no deadlines are missed. Standardized questionnaires and self-assessment tools reduce manual effort. ADVISORI develops tailored workflows for each portfolio with automated escalation processes and centralized documentation.

Documentation includes: current data processing agreements, evidence of the vendor's technical and organizational measures, risk assessment results, audit protocols and checklists, correspondence on identified deficiencies, action plans and proof of implementation. For onboarding, due diligence reports, entry in the processing register, and initial approval are added. ADVISORI ensures all documents are archived in an audit-proof manner.

The initial assessment during onboarding is more comprehensive, evaluating the vendor's fundamental suitability. Recertification focuses on changes since the last review: new sub-processors, modified processing activities, updated technical measures, and security incidents that occurred. Both processes require risk assessment, but recertification shifts focus to change control. ADVISORI designs both reviews to build on each other, creating a seamless audit trail.

Supervisory authorities primarily check accountability: Is there a complete register of all data processors? Are current DPAs in place? Have regular controls been conducted and documented? How are sub-processors managed? Was the response to data protection incidents correct? ADVISORI specifically prepares organizations for such audits by documenting all processes and systematizing the evidence trail.