Next, draw up a list of all service providers and their services and check whether they pose any risks.

How you can check the risk

Head office of the service provider

The GDPR distinguishes between safe and unsafe third countries. Safe third countries include

• all EU member states
  
• All countries for which the European Commission has confirmed an adequate level of data protection in an adequacy decision: Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan, the United Kingdom and South Korea. 

Data transfer to these countries is expressly permitted. With the conclusion of the new "EU-US Data Privacy Framework", the USA has also been a safe third country again since 10 July 2023. 

If your organisation uses a service provider from an insecure third country, it must ensure through appropriate contracts that the service provider adequately protects the personal data. To simplify such contractual safeguards, the EU Commission has adopted so-called "standard data protection clauses". These are a predefined set of contracts that can be used for this purpose.

Security mechanisms

When evaluating the service provider, it is also important to consider where the data processing takes place and what security mechanisms are in place for the technical protection of the data (e.g. end-to-end encryption, etc.).

In the end, you have to weigh up whether a service provider is acceptable for the planned assignment.