Suppliers’ personal data
Personal data from (contact persons at) your suppliers can only be used within the context of your agreement and relationship with them.
You will of course also need to use and store some of this information for tax and other administrative purposes.
In the same way as you cannot use personal data from customers or clients for any purpose, you cannot use personal data relating to suppliers for other purposes than the purposes for which you obtained these data (purpose limitation).
When you process personal data of contact persons (employees or other) of your supplier, your legal basis to do so is “legitimate interest”, because you do not have a direct contract with these employees.
Legal bases to process your suppliers’ personal data
In general, you will process your suppliers’ personal data based on the following legal grounds:
Contractual obligation: if you need to process their personal data to be able to perform your obligations. For example, if you need to provide access to your supplier, you need their name to be able to do so.
Legal obligation: if you are required by law to process specific information. For example, if you are subject to VAT, you’ll need to process their VAT-number by law.
Legitimate interest: if you have a legitimate interest to process some personal data of your supplier, that overrides the interest of your supplier not to have its personal data processed. This applies, for example, to the processing of contact details of employees of your supplier.
Consent: if you need to rely on consent to be allowed to process personal data of your customer. You will need consent if, for example, you want to send marketing material to your suppliers.
Time for action!
Make sure that:
you don’t use personal data of (contact persons at) your suppliers in other ways than allowed,
you use the correct legal bases to process your customer’s personal data,
you inform your suppliers about the ways you process their data.