Beltug publishes GDPR Vendor Assessment questionnaire for members

Companies in Europe are busy paving the road towards compliance with the GDPR, which becomes active on 25 May 2018.  Beltug has been developing a range of pragmatic and valuable tools to support our members. They are available on our website (after log-in).

The newest tool is the ‘GDPR Vendor Assessment questionnaire’, which data controllers can present to cloud suppliers (data processors). The questions will help companies ensure that their cloud suppliers will be compliant themselves, and will also process customer data in a compliant way.

Why this list?

The data controller always remains accountable for the data (e.g. employee data, customer files, patient records, etc.) should an event occur – even if they have delegated data handling, etc. to a supplier.

In the regulation, Recital 81 and article 24(1) specify that the controller may only appoint a processor/Cloud Service Provider (CSP) when it can be proven that the processor/CSP has the needed:

The GDPR also requires specific contract clauses to be negotiated, assigning major responsibilities to both parties.  As a consequence, all contracts that continue to be in force after 25 May 2018 (or that begin after that date), must be reviewed and possibly renegotiated.

We have developed the GDPR Vendor Assessment questionnaire to support you to develop some of the content for such revised contract clauses, especially in terms of clearly defining responsibilities and/or proving accountability. This questionnaire focusses mostly on larger cloud providers, as cloud environments and infrastructures tend to more complex. Therefore, building a good assessment (as required by the GDPR) isn’t a simple task, and requires a more complex and elaborate series of questions.

How to maximise your value from the questionnaire:

Whether you are a data controller or a data processor (CSP), we encourage you to get the maximum value from the questionnaire:

To guarantee a complete and compliant assessment for the GDPR, make sure to work with both the main questions (column B) and the guidance questions (column C).

Also, keep in mind that the questionnaire assumes a certain familiarity with the GDPR and its processes (e.g. companies with an own DPO for instance). If you aren’t familiar with the GDPR, make sure you are supported by your data protection expert for information gathering.


We developed the list in cooperation with a group of data protection experts from data controllers in different economic sectors.  It was then reviewed by a group of major international & Belgian cloud providers.

Upcoming workshop 5 October

The Vendor Assessment questionaire will be discussed at the Beltug N-Sight on "GDPR - Assessing your cloud providers, insights from Engie & preparing for the day after", 5 October 2017. Learn how to maximise its usefulness, as well as how to prepare for the situation after the GDPR goes into effect, and how multinational company Engie is incorporating data protection in processes throughout the company.