vendor-termination-data
Vendor Termination Data Return and Deletion
Overview
GDPR Article 28(3)(g) requires that at the choice of the controller, the processor shall "delete or return all the personal data to the controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data." This termination obligation ensures that personal data does not persist at a former processor beyond the legitimate processing period.
The EDPB Guidelines 07/2020 (paragraph 108) emphasize that this obligation extends to all copies, backups, and derived data — not just production data. The deletion must be verifiable, and the controller should obtain written certification.
At Summit Cloud Partners, the Vendor Termination Data Protocol provides a structured process for managing data return and deletion when vendor relationships end.