GDPR Vendor Assessment questionnaire


The ‘GDPR Vendor Assessment questionnaire’ (available after log-in in English or Dutch) is a list of questions that data controllers can present to cloud suppliers (data processors). The questions will help companies ensure that their cloud suppliers will be compliant themselves, and will also process customer data in a compliant way.


Why this list?

The data controller always remains accountable for the data (e.g. employee data, customer files, patient records, etc.) should an event occur – even if they have delegated data handling, etc. to a supplier.

In the regulation, Recital 81 and article 24(1) specify that the controller may only appoint a processor/Cloud Service Provider (CSP) when it can be proven that the processor/CSP has the needed:

  • infrastructure
  • procedures
  • financial stability
  • expert knowledge, reliability and resources
  • competences to implement, manage and maintain the GDPR requirements.

The GDPR also requires specific contract clauses to be negotiated, assigning major responsibilities to both parties. As a consequence, all contracts that continue to be in force after 25 May 2018 (or that begin after that date) must be reviewed and possibly renegotiated.

We have developed the GDPR Vendor Assessment questionnaire to help you develop some of the content for such revised contract clauses, especially in terms of clearly defining responsibilities and/or proving accountability. This questionnaire focusses mostly on larger cloud providers, as cloud environments and infrastructures tend to be more complex. Therefore, building a good assessment (as required by the GDPR) isn’t a simple task, and requires a more complex and elaborate series of questions.


How to maximise your value from the questionnaire:

Whether you are a data controller or a data processor (CSP), we encourage you to get the maximum value from the questionnaire:

  • Are you a data controller? This list gives you a head start on your road to compliance. Instead of starting from zero and building your own list of questions, you can use this one depending on the specific needs of your company.
  • Are you a data processor/CSP? Share this template with your clients, to avoid responding to many different lists. The assessment process is easier and faster for you and your clients.

To guarantee a complete and compliant assessment for the GDPR, make sure to work with both the main questions (column B) and the guidance questions (column C).

Also, keep in mind that the questionnaire assumes a certain familiarity with the GDPR and its processes (e.g. companies with their own DPO). If you aren’t familiar with the GDPR, make sure you are supported by your data protection expert for information gathering.



We developed the list in cooperation with a group of data protection experts from data controllers in different economic sectors.  It was then reviewed by a group of major international & Belgian cloud providers.

