How to Vet a Scanning Provider for GDPR Compliance
If your documents contain any personal data — names, addresses, dates of birth, financial details, health information, employment records — your scanning provider is a data processor under GDPR. As the data controller, you are legally responsible for ensuring that processor handles data lawfully, securely and in compliance with the regulation. Simply choosing a cheap provider and hoping for the best is a compliance failure.
What GDPR Requires of a Data Processor
Under Articles 28 and 32 of the GDPR, a data processor must:
- Process personal data only on documented instructions from the controller (you)
- Ensure all staff processing data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures
- Not engage sub-processors without your prior written authorisation
- Assist you in responding to data subject rights requests (subject access requests, erasure requests)
- Delete or return all personal data at the end of the contract
- Make available all information necessary to demonstrate compliance
- Allow and contribute to audits and inspections
These are not optional — they are legal requirements. A scanning provider that cannot demonstrate compliance with these requirements is not a suitable processor for personal data.
The Data Processing Agreement
A Data Processing Agreement (DPA) is mandatory under GDPR Article 28(3). The DPA is a legally binding contract between you (controller) and the scanning provider (processor) that must specify:
- Subject matter and duration: What data is being processed and for how long
- Nature and purpose: The scanning project specifics — what documents, what output
- Types of personal data: Names, financial data, health data, etc. — be specific
- Categories of data subjects: Employees, customers, patients, etc.
- Controller’s obligations and rights: Your right to instruct and audit
- Processor’s obligations: Security measures, confidentiality, sub-processor restrictions, breach notification, data deletion
Ask for the provider’s standard DPA before signing any contract. Review it against GDPR requirements — a template that simply states “we comply with GDPR” is not sufficient. The DPA should contain specific, detailed provisions.
Technical and Organisational Measures
GDPR Article 32 requires appropriate security measures. For a scanning provider, this means specific controls you should verify:
Technical Measures
- Encrypted storage for scanned files (AES-256 or equivalent)
- Encrypted data transfer (SFTP, TLS 1.2+, encrypted media)
- Access controls — staff can only access projects they are assigned to
- Firewalls, anti-malware and intrusion detection on all systems handling data
- Regular security patching and vulnerability management
- Secure backup with encryption
- Audit logging — recording who accessed what data and when
Organisational Measures
- DBS-checked staff with confidentiality agreements
- Regular data protection training — documented and refreshable
- Physical security — restricted access, CCTV, secure document storage
- Documented information security policies and procedures
- Incident management and breach response process
- Clear desk and clear screen policies
- Secure disposal of waste paper (cross-cut shredding minimum)
Breach Notification
Under GDPR Article 33, if a personal data breach occurs, you must notify the ICO within 72 hours of becoming aware of it. This means your scanning provider must notify you even faster — ideally within 24 hours — so you have time to assess the breach, determine whether notification is required and prepare the report.
Check that your provider’s breach notification process includes:
- A defined internal process for identifying and escalating potential breaches
- A commitment to notify you within a specific timeframe (24-48 hours)
- A description of what information they will provide: nature of the breach, data affected, number of records, likely consequences, measures taken
- Named contacts on both sides for breach communication
Where Data Is Stored
GDPR restricts transfers of personal data outside the European Economic Area (EEA). Ask:
- Where are your servers physically located? UK or EU data centres are simplest for compliance
- Do you use any cloud services that might store data outside the EEA?
- Are backups stored in the same jurisdiction?
- If you use sub-processors, where are they based?
If the provider stores data outside the EEA, they need appropriate safeguards in place — Standard Contractual Clauses, adequacy decisions, or other approved mechanisms. For most UK scanning projects, the simplest approach is to use a provider whose infrastructure is entirely UK-based.
End of Contract
GDPR requires that processors delete or return all personal data when the processing is complete. Verify:
- The DPA specifies what happens to data at contract end — deletion or return
- There is a defined retention period after project completion (typically 30-90 days for QA), after which all data is securely deleted
- The provider will confirm deletion in writing
- Deletion includes backup copies, not just primary storage
- If physical documents are being retained or destroyed, the process and timeline are documented
How to Verify Claims
Providers will tell you they are GDPR compliant. Verification requires evidence:
- ISO 27001 certificate: Ask for a copy and check the certification body is UKAS-accredited. Verify the scope covers their scanning operations, not just their head office
- DPA review: Read it properly — does it address all Article 28(3) requirements?
- Facility visit: See the physical and technical controls in person
- Training records: Ask for evidence of staff data protection training
- Audit rights: The DPA should give you the right to audit — exercise it, or at least confirm the right exists
- References: Ask for references from organisations in regulated sectors (healthcare, legal, financial) who have vetted the provider’s compliance
Get a Free Quote
Every project is different, so the best way to understand your options is to get in touch with our team. We provide clear, no-obligation advice — usually within the same day.
Call us on 01691 650355 or use the form below.