Procurement workflow surface
General Data Protection Regulation (GDPR) — vendor disclosure form
This is a sample disclosure form a procurement team can adapt for vendor RFPs and ITTs evaluating systems against General Data Protection Regulation (GDPR). The provision-specific questions below were derived from the catalog's coverage cells; before issuing, a qualified procurement lawyer should review the adapted version against your jurisdiction's contract law. This form is NOT legal advice (see charter §7.4).
1. Vendor identification
2. AI system identification
3. Provision-specific questions
- Biometric Identification. Does the offered system perform biometric identification within scope of General Data Protection Regulation (GDPR) (Art. 9 special-category processing (biometric data for unique identification); Art. 22 ADM with safeguards)? If yes, declare which sub-class applies (real-time / post-hoc / categorisation), the Art. 6 lawful basis and the Art. 9(2) exception relied upon for deployment, and, where decisions are based solely on automated processing, the Art. 22(2) ground relied upon and the Art. 22(3) safeguards (human intervention, right to express a point of view, right to contest) that the system supports.
(Cite: Art. 9 special-category processing (biometric data for unique identification); Art. 22 ADM with safeguards)
- Transparency Obligations. Provide the documentation required under the transparency obligations of General Data Protection Regulation (GDPR) (Arts. 12-14 (information to data subjects); Art. 13(2)(f) + 14(2)(g) meaningful information about ADM logic; Art. 22(3) suitable safeguards) — including (as applicable) model card, system card, training-data summary, evaluation results, and known limitations.
(Cite: Arts. 12-14 (information to data subjects); Art. 13(2)(f) + 14(2)(g) meaningful information about ADM logic; Art. 22(3) suitable safeguards)
- Individual Redress. Describe the end-user redress + complaint channel offered for the system, including the documented appeal path, the response-time commitment, and how data subjects are informed of their right to lodge a complaint with a supervisory authority and to seek a judicial remedy, consistent with General Data Protection Regulation (GDPR) (Art. 77 DPA complaint; Art. 79 effective judicial remedy; Art. 80 collective representation by NGOs; Art. 82 right to compensation; Art. 83 administrative fines).
(Cite: Art. 77 DPA complaint; Art. 79 effective judicial remedy; Art. 80 collective representation by NGOs; Art. 82 right to compensation; Art. 83 administrative fines)
- Training-Data Rights. Identify the legal basis for training-data sourcing for the offered system (including copyright, consent, and any text-and-data-mining exemptions relied upon) and confirm consistency with General Data Protection Regulation (GDPR): that use of personal data for training is compatible with the purpose for which it was collected (Art. 5(1)(b) purpose limitation), the Art. 6 lawful basis relied upon, the Art. 9(2) exception relied upon where special-category data is present (Art. 9 special-category overlay for sensitive training data), and the steps taken to limit the personal data retained in training sets (Art. 5(1)(c) data minimisation).
(Cite: Art. 5(1)(b) purpose limitation; Art. 6 lawful basis; Art. 9 special-category overlay for sensitive training data; Art. 5(1)(c) data minimisation)
4. Documentation enclosures expected
Tick each enclosure attached to the vendor response. Missing enclosures should be explained in the “Variances” field below.
- Transparency documentation (model card / system card, evaluation results, known limitations)
- End-user redress + complaint-channel procedure
- Training-data summary / provenance log
- Vendor company registration + insurance certificates
- Sub-processor / supply-chain list (including model upstream)
Variances (explain each enclosure not attached):
5. Vendor attestation
The undersigned, on behalf of the vendor, attests that the disclosures above are true and complete to the best of the signatory's knowledge at the date signed, and undertakes to notify the buyer in writing within 30 days of any material change to those disclosures (including changes to the sub-processor / supply-chain list and to the training-data summary).
This is a sample form derived from the catalog at /wiki/gdpr. Adapt before issuing. Not legal advice; not jurisdiction-specific. See charter §7.4.