Security Assessment of External Suppliers

Art. 28 GDPR states: Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

Evaluating the Data Controller's compliance with this obligation mainly concerns IT security aspects.

Through our methodology, we therefore assess the supplier's suitability with respect to its technical and organizational security measures.

This assessment, which is necessary to comply with the provisions of Article 28 GDPR, verifies the adequacy of the supplier's technical and organizational infrastructure against the provision of the Italian Data Protection Authority of 27 November 2008 (and its subsequent amendments).

Secondly, the supplier's infrastructure is verified against the controls derived from the best practices in ENISA's Technical Guidelines for the implementation of minimum security measures for Digital Service Providers.