Vendor management for GDPR and NIS2: from scattered lists to one clear overview

As your organisation grows, so does the number of vendors handling personal data or accessing your systems. Without a central overview, processor agreements go stale, security reviews get skipped, and nobody owns the follow-up.

ComplianceHive gives you one place to manage vendor obligations for both GDPR and NIS2. Per-tool pricing, no per-user fees. Your data stays in the EU.

Common gaps in GDPR vendor management

Most organisations start with a spreadsheet. It works when you have five vendors. At twenty, things start slipping. A processor agreement expired six months ago and nobody noticed. Two departments manage the same vendor with different terms. When a data breach hits, nobody knows who the contact person is at the affected vendor.

Under GDPR, you need a processor agreement (Article 28) with every vendor that processes personal data on your behalf. No overview of your vendors means no overview of your obligations.

It gets real when the Dutch Data Protection Authority asks for a complete list of your processors within 48 hours. They want to see who has access to what data, what security measures are in place, and where the agreements are stored. Not just a list of names.

  • Active vendors and their data access scattered across teams and systems.
  • Processor agreements scattered across inboxes and shared drives.
  • Missed review dates and contract renewals.
  • Poor preparation for client questions, audits, and internal checks.

One workflow for privacy and supplier risk

ComplianceHive combines privacy information, responsibilities, and checkpoints in one workflow. Legal, security, and operations work from the same source. When a team member leaves or a vendor updates their terms, you keep control.

Per vendor, you record: the contract and processor agreement, the contact person, system and data access level, which personal data is processed, the risk class, and the planned review date. One person owns each vendor and gets automatic reminders when a review is due. No more "I thought you were handling that."

Not every vendor needs the same level of attention. A cloud storage service holding customer data is a different story from the company delivering office supplies. When assigning a risk class, look at a few concrete things: does the vendor process special categories of personal data (medical records, national ID numbers)? Is there data transfer outside the EU or EEA? Does the vendor have access to critical business systems? The more you answer "yes," the higher the risk and the more often you review that vendor.

ComplianceHive handles both risk classes in the same workflow. You set a review frequency per class. High-risk vendors might be reviewed quarterly, low-risk once a year. Reminders and tasks adjust automatically.
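The risk-class questions above and the per-class review frequency translate directly into a small set of register checks. The following Python is an added illustration, not ComplianceHive code: it scores a vendor on the three questions, derives the next review date from the class interval, and lists the follow-up items an owner would be reminded about (missing or expired processor agreement, overdue review, undocumented sub-processors for non-EEA transfers). The class-to-interval mapping, the "medium" tier, and all vendor names and dates are constructed assumptions.

```python
"""Vendor register checks: risk class, review scheduling, agreement status.

Added example. Vendor names, dates and the class->interval mapping are
assumptions, not ComplianceHive data or behaviour.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed review interval per risk class. The text suggests quarterly for
# high-risk and yearly for low-risk vendors; "medium" is an added middle tier.
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}


@dataclass
class Vendor:
    name: str
    owner: str                         # the one person accountable for this vendor
    processes_personal_data: bool      # False -> not a processor, no Art. 28 agreement needed
    special_categories: bool           # medical records, national ID numbers, ...
    transfer_outside_eea: bool         # personal data leaves the EU/EEA
    critical_system_access: bool       # vendor can reach critical business systems
    agreement_expires: Optional[date]  # None -> no processor agreement on file
    last_review: Optional[date]        # None -> never reviewed
    sub_processors: list = field(default_factory=list)


def risk_class(v: Vendor) -> str:
    """Count the 'yes' answers to the three questions; more 'yes' means higher risk."""
    yes = sum([v.special_categories, v.transfer_outside_eea, v.critical_system_access])
    if yes >= 2:
        return "high"
    return "medium" if yes == 1 else "low"


def next_review_due(v: Vendor) -> Optional[date]:
    """Last review plus the interval for the vendor's class; None if never reviewed."""
    if v.last_review is None:
        return None
    return v.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[risk_class(v)])


def review_findings(v: Vendor, today: date) -> list:
    """Return the follow-up items the vendor's owner should be reminded about."""
    findings = []
    if not v.owner:
        findings.append("no owner assigned")
    if v.processes_personal_data:
        if v.agreement_expires is None:
            findings.append("no processor agreement on file (GDPR Art. 28)")
        elif v.agreement_expires < today:
            findings.append(f"processor agreement expired on {v.agreement_expires.isoformat()}")
        if v.transfer_outside_eea and not v.sub_processors:
            findings.append("data leaves the EEA but no sub-processors documented")
    due = next_review_due(v)
    if due is None:
        findings.append(f"never reviewed ({risk_class(v)} risk)")
    elif due < today:
        findings.append(f"review overdue since {due.isoformat()} ({risk_class(v)} risk)")
    return findings


def compliance_report(vendors, today: date) -> dict:
    """Map vendor name -> findings, listing only vendors that need follow-up."""
    report = {}
    for v in vendors:
        items = review_findings(v, today)
        if items:
            report[v.name] = items
    return report


# Constructed sample register (fictional vendors, owners and dates).
TODAY = date(2025, 6, 1)
SAMPLE_VENDORS = [
    Vendor("Example Cloud CRM", "legal@example.test", True, False, True, True,
           date(2026, 12, 31), date(2025, 1, 15), ["Example IaaS Provider"]),
    Vendor("Example HR Tool", "hr@example.test", True, True, False, False,
           date(2024, 11, 30), date(2025, 3, 1)),
    Vendor("Example Office Supplies", "ops@example.test", False, False, False, False,
           None, date(2025, 1, 10)),
]

if __name__ == "__main__":
    for name, items in compliance_report(SAMPLE_VENDORS, TODAY).items():
        print(name)
        for item in items:
            print("  -", item)
```

Run as a script, the sample register flags the CRM (two "yes" answers, so a 90-day cycle that lapsed in April) and the HR tool (expired agreement), while the office-supplies vendor produces nothing: it handles no personal data, so the Article 28 check does not apply, and its yearly review is not yet due.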

You pay per tool, not per user. Your team can grow without vendor management becoming a separate line item.

NIS2 and vendor management: what changes?

GDPR covers vendor management from a personal data angle. NIS2 adds a second layer: cyber risk and business continuity. Most SaaS vendors and IT service providers sit in both categories, because they process personal data and have access to your systems.

Article 21 of the NIS2 Directive (EU) 2022/2555 requires organisations to actively manage security risks in their supply chain. That goes beyond your direct vendors. You also need to map which risks you face through your vendors' own suppliers, and what security agreements exist across the chain.

For Dutch SMBs, this becomes relevant when you supply to an organisation that is NIS2-obligated. That client will contractually expect you to show how your security is arranged. The Dutch Cybersecurity Act (Cyberbeveiligingswet), expected mid-2026, makes these obligations law.

Getting structure in place now means less work when the law takes effect. Read more in our blog post about supplier management under NIS2.

Your GDPR obligations on vendor management

Article 28 GDPR requires a processor agreement with every vendor that processes personal data on your behalf. That covers HR tools, CRM systems, cloud storage, email marketing platforms, and external IT administrators.

Article 30 GDPR also requires that all processors appear in your Records of Processing Activities (RoPA), including any international transfers. Who are your cloud vendor's sub-processors? Is data stored on servers outside the EEA? You need to be able to show this. Read more about managing your GDPR processing register.

When a data breach involves one of your processors, the question regulators and data subjects will ask is simple: did you have the right agreements and controls in place? A current processor agreement and a documented review trail are your clearest answer. ComplianceHive helps you keep both ready.

A sub-processor is the party your processor uses to process personal data on your behalf. Your cloud CRM may use AWS for infrastructure, making AWS a sub-processor. Article 28(2) GDPR requires your processor to get your permission before engaging sub-processors. With cloud services especially, it matters to know which sub-processors exist and whether they operate outside the EU or EEA. ComplianceHive lets you document sub-processors per vendor.

Ready to structure your vendor management?

Start with a clear foundation. ComplianceHive covers GDPR and NIS2 vendor obligations in one workflow, without the enterprise overhead.

Frequently asked questions about GDPR vendor management

Which vendors require a GDPR processor agreement?
Any vendor processing personal data on your behalf: cloud storage, HR tools, CRM, email marketing, external IT administrators. Vendors that have no access to your personal data (office supplies, for example) are generally not processors.
What must a GDPR processor agreement contain?
At minimum: the nature and purpose of processing, which personal data and categories of data subjects are involved, obligations and rights of the controller, and security measures. Article 28(3) GDPR lists the full requirements. ComplianceHive includes a module for managing processor agreements as part of vendor management.
How do I keep track of vendors as my company grows?
Spreadsheets break down beyond 10-15 vendors. Ownership gets lost, review dates slip. A central tool with per-vendor ownership, automatic review reminders, and an audit log gives you an accurate overview at any point, even when staff changes or contracts expire.
Does NIS2 vendor management apply to my company even if I'm not directly NIS2-obligated?
Possibly. If you supply to NIS2-obligated organisations, they can impose contractual security requirements on you. Getting your vendor management structured early strengthens your position in tenders and client conversations.
What is the difference between a processor and a sub-processor under GDPR?
A sub-processor is the party your processor uses to process personal data on your behalf. Your cloud CRM may use AWS for infrastructure, making AWS a sub-processor. Article 28(2) GDPR requires your processor to get your permission before engaging sub-processors. ComplianceHive lets you document sub-processors per vendor.