Data Protection and Privacy

To meet the TISAX “Data Protection and Privacy” requirement, you must implement data protection controls that comply with the privacy laws applicable to your operations, explicitly including GDPR for EU processing. Operationally, this means you can prove lawful processing, manage processors through agreements, run privacy impact assessments where risk warrants, and execute data subject rights reliably. (VDA ISA Catalog v6.0)

Key takeaways:

  • Map personal data processing end-to-end, then tie each activity to a lawful basis, purpose, retention, and security controls. (VDA ISA Catalog v6.0)
  • Put enforceable third-party terms in place (DPAs and transfer terms where needed) and operationalize oversight, not just paperwork. (VDA ISA Catalog v6.0)
  • Build a repeatable DPIA and data subject rights workflow with evidence that it works under time pressure. (VDA ISA Catalog v6.0)

Compliance leaders often treat “data protection and privacy” as a policy exercise. TISAX assessors will treat it as an operating model: you need to show that privacy requirements are designed into how data is collected, used, shared, stored, and deleted across products, plants, IT, and the supply chain. The VDA ISA requirement is short, but the audit expectation is concrete: privacy compliance is a control set with owners, triggers, workflows, and audit trails. (VDA ISA Catalog v6.0)

For automotive suppliers and OEMs, this gets complicated fast because personal data can show up in HR, customer contacts, visitor logs, telematics-related programs, prototype testing, security monitoring, and third-party collaboration portals. Privacy risk also concentrates in cross-border processing, shared services, and processor ecosystems (cloud, payroll, benefits, recruiting, ticketing, and managed security). (VDA ISA Catalog v6.0)

This page translates the requirement into a build list you can execute: what scope to include, what controls to implement first, what evidence to retain, and how to answer the questions assessors and internal audit will ask.

Regulatory text

Requirement (VDA ISA 2.4.1): “Implement data protection controls compliant with applicable data privacy regulations, including GDPR for EU operations.” (VDA ISA Catalog v6.0)

Operator interpretation: You must identify which privacy laws apply to your processing, then implement controls that make compliance provable. At minimum, be ready to show: (1) governed processing (records, purposes, lawful basis), (2) enforceable third-party processing terms, (3) risk assessment via privacy impact assessments where appropriate, and (4) an executable process for data subject rights. (VDA ISA Catalog v6.0)

Plain-English meaning (what “good” looks like)

You can answer, with evidence, four questions for any meaningful processing activity:

  1. What personal data do we process, and why? Purpose, lawful basis/authority, and who the data subjects are. (VDA ISA Catalog v6.0)
  2. Where does it go? Systems, countries, internal recipients, and third parties. (VDA ISA Catalog v6.0)
  3. How do we control it? Access control, retention/deletion, incident handling, and security measures appropriate to sensitivity. (VDA ISA Catalog v6.0)
  4. How do we respond? Data subject rights requests are logged, verified, fulfilled, and closed consistently. (VDA ISA Catalog v6.0)

If you cannot produce these answers quickly for high-risk areas (HR systems, customer contact databases, monitoring tools, cloud platforms), expect findings.

Who it applies to (entity + operational context)

In scope entities: Automotive suppliers and OEMs assessed against VDA ISA/TISAX expectations. (VDA ISA Catalog v6.0)

In scope operations: Any function that processes personal data, including:

  • HR, recruiting, payroll, benefits administration
  • Sales/account management and customer support
  • Physical security (badging, CCTV where linked to individuals)
  • IT operations and security monitoring (logs linked to users)
  • Engineering test programs involving individuals (participants, drivers, user testing)
  • Any third party processing personal data on your behalf (cloud/SaaS, managed services, consultants) (VDA ISA Catalog v6.0)

Common scoping trap: Teams scope privacy only to HR. Assessors will sample across functions and third parties, especially where data flows outside the organization.

What you actually need to do (step-by-step)

1) Establish ownership and a privacy control inventory

  • Assign an accountable owner for privacy controls (often the DPO or privacy lead) and control owners for HR, IT, Security, Procurement, and key business units. (VDA ISA Catalog v6.0)
  • Build a control inventory aligned to the requirement themes: processing governance, third-party agreements, DPIAs, and data subject rights. (VDA ISA Catalog v6.0)

Deliverable: Privacy control matrix with owners, triggers, and evidence outputs.

2) Create (or refresh) your record of processing activities (RoPA-style)

For each processing activity:

  • Purpose and data categories
  • Data subjects
  • Systems and locations
  • Recipients (internal) and third parties
  • Retention and deletion approach
  • Security measures at a high level (access control, encryption where applicable, monitoring) (VDA ISA Catalog v6.0)

Practical tip: Start with the processing most likely to be assessed: HRIS, payroll, identity platform, email/collaboration suite, ticketing system, visitor management, customer CRM. Expand from there.

3) Implement third-party data processing agreements (DPAs) and oversight

  • Identify third parties that act as processors/sub-processors for your personal data. (VDA ISA Catalog v6.0)
  • Put DPAs in place that specify processing instructions, confidentiality, security measures, breach notification, assistance with rights requests, and deletion/return. (VDA ISA Catalog v6.0)
  • Operationalize oversight: maintain an inventory of processor relationships, track renewals, and require security/privacy assurances during onboarding and material changes. (VDA ISA Catalog v6.0)

Where teams fail: DPAs exist, but Procurement cannot show coverage for key tools, or the DPA doesn’t match actual processing (for example, a tool used for HR is contracted as “general IT services”).

4) Stand up a DPIA/PIA process with clear triggers

  • Define triggers that require a DPIA/PIA (new systems processing sensitive data, monitoring technologies, large-scale processing, new data sharing, significant changes). (VDA ISA Catalog v6.0)
  • Use a consistent template: description, necessity/proportionality, risk analysis, mitigating controls, residual risk acceptance, and approvals. (VDA ISA Catalog v6.0)
  • Track DPIAs in a register and link them to the processing inventory entry. (VDA ISA Catalog v6.0)

Operator focus: Assessors will ask for examples. Have at least a few completed DPIAs tied to real deployments (security monitoring, HR tool changes, new customer portal).

5) Operationalize data subject rights (DSR) intake-to-closure

Build a workflow that covers:

  • Intake channels (email/web form) and internal routing
  • Identity verification and authorization steps
  • Data discovery across systems (including key third parties)
  • Response approval and communication
  • Exceptions handling (document rationale)
  • Closure evidence and metrics for operational control (VDA ISA Catalog v6.0)

Evidence expectation: A ticket trail showing you can run the process cleanly, including a dry run if you have limited request volume.

6) Tie privacy to security and incident response

  • Make sure personal data incidents are triaged with privacy involvement. (VDA ISA Catalog v6.0)
  • Ensure retention and deletion requirements are implementable technically (system settings, backups, archival). (VDA ISA Catalog v6.0)

Common hangup: “We have retention in policy” without proof that systems enforce it.
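What "systems enforce it" can look like in practice, as an added example (not code from the VDA ISA catalog or from Daydream): a retention job that applies a schedule per data category, honours legal holds, refuses to silently delete uncategorized data, and writes the kind of deletion log an assessor asks for. The evidence entries carry a digest of each record rather than its fields, so the log does not become a second copy of the personal data. The rule set, system names and records are constructed for the example.

```python
# Added example, not code from the VDA ISA catalog or from Daydream: a
# retention-enforcement job that produces the "deletion job logs" an assessor
# asks for. The schedule, systems and records below are constructed.
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RetentionRule:
    """One row of a retention schedule (assumed structure)."""
    category: str
    retain_days: int
    legal_hold: bool = False  # a hold suspends deletion; the decision is still logged


@dataclass
class Record:
    """A row in some system of record (assumed structure)."""
    system: str
    record_id: str
    category: str
    created: date
    payload: dict


def payload_digest(payload: dict) -> str:
    """SHA-256 over canonical JSON. The evidence log keeps this, never the data,
    so the log itself does not turn into another store of personal data."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def is_expired(rec: Record, rule: RetentionRule, today: date) -> bool:
    return today > rec.created + timedelta(days=rule.retain_days)


def enforce_retention(records, rules, today, dry_run=False):
    """Apply the schedule to a batch of records.

    Returns (evidence_log, survivors). Every record gets exactly one log entry,
    including the ones kept, so the log proves coverage and not only deletions.
    """
    evidence, survivors = [], []
    for rec in records:
        entry = {
            "run_date": today.isoformat(),
            "system": rec.system,
            "record_id": rec.record_id,
            "category": rec.category,
            "payload_sha256": payload_digest(rec.payload),
        }
        rule = rules.get(rec.category)
        if rule is None:
            # Data with no schedule entry is a finding in itself: flag it, never
            # delete it silently and never let it age in place unnoticed.
            entry["action"] = "flag_uncategorized"
            survivors.append(rec)
        elif not is_expired(rec, rule, today):
            entry["action"] = "retain"
            entry["expires"] = (rec.created + timedelta(days=rule.retain_days)).isoformat()
            survivors.append(rec)
        elif rule.legal_hold:
            entry["action"] = "hold"  # expired, but deletion is suspended
            survivors.append(rec)
        else:
            entry["action"] = "would_delete" if dry_run else "delete"
            if dry_run:
                survivors.append(rec)
        evidence.append(entry)
    return evidence, survivors


def summarize(evidence) -> dict:
    """Counts per action, the figure you paste into the control evidence."""
    counts: dict = {}
    for entry in evidence:
        counts[entry["action"]] = counts.get(entry["action"], 0) + 1
    return counts


# Constructed retention schedule and sample records (assumptions, not real data).
RULES = {
    "visitor_log": RetentionRule("visitor_log", retain_days=90),
    "recruiting_application": RetentionRule("recruiting_application", retain_days=180),
    "hr_file": RetentionRule("hr_file", retain_days=3650, legal_hold=True),
}
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("visitor-mgmt", "V-1001", "visitor_log", date(2024, 1, 15), {"name": "A. Example", "host": "plant-2"}),
    Record("visitor-mgmt", "V-1002", "visitor_log", date(2024, 5, 20), {"name": "B. Example", "host": "plant-2"}),
    Record("ats", "APP-77", "recruiting_application", date(2023, 10, 1), {"name": "C. Example", "role": "SOC analyst"}),
    Record("hris", "EMP-5", "hr_file", date(2010, 3, 1), {"name": "D. Example"}),
    Record("ticketing", "T-9", "unknown_export", date(2024, 2, 2), {"name": "E. Example"}),
]

if __name__ == "__main__":
    log, _ = enforce_retention(SAMPLE_RECORDS, RULES, TODAY, dry_run=True)
    print(json.dumps(summarize(log), indent=2))
```

Run it with dry_run=True first and keep that log as the pre-deletion evidence; the production run's log is the deletion evidence. Because each entry stores a digest rather than the record's fields, the log can be retained for years without re-creating the data it proves you deleted. Backups and archives need their own expiry, which this job does not cover.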

Required evidence and artifacts to retain

Keep artifacts that prove design and operation:

  • Processing inventory (RoPA-style) and data flow diagrams for higher-risk areas (VDA ISA Catalog v6.0)
  • DPIA/PIA policy, DPIA templates, completed DPIAs, and a DPIA register (VDA ISA Catalog v6.0)
  • Third-party inventory of processors, signed DPAs, and renewal/change tracking records (VDA ISA Catalog v6.0)
  • Data subject rights procedure, request logs/tickets, verification steps, fulfillment evidence, and communications (VDA ISA Catalog v6.0)
  • Training/awareness records for staff handling personal data (role-based where relevant) (VDA ISA Catalog v6.0)
  • Retention schedule and system-level evidence (screenshots/config exports, deletion job logs, archival rules) (VDA ISA Catalog v6.0)
  • Incident response playbooks showing privacy engagement and post-incident documentation where applicable (VDA ISA Catalog v6.0)

Common exam/audit questions and hangups

Expect these lines of questioning:

  • “Show me your processing inventory and pick one activity. Where is it stored, who accesses it, what’s the retention rule?” (VDA ISA Catalog v6.0)
  • “List your key processors. Where are the DPAs, and how do you ensure sub-processors are controlled?” (VDA ISA Catalog v6.0)
  • “Provide recent DPIAs and explain why others did not require one.” (VDA ISA Catalog v6.0)
  • “Walk through your last data subject request end-to-end. Show evidence of identity verification and system searches.” (VDA ISA Catalog v6.0)

Hangup: Teams answer verbally but cannot produce artifacts quickly. Treat this as a documentation-and-workflow requirement.

Frequent implementation mistakes (and how to avoid them)

  1. Inventory without ownership. Fix: assign a business owner per processing entry and enforce change management on material updates. (VDA ISA Catalog v6.0)
  2. DPAs stored, not governed. Fix: connect DPAs to the third-party inventory and procurement lifecycle (onboarding, renewal, tool changes). (VDA ISA Catalog v6.0)
  3. DPIAs run only after incidents. Fix: add DPIA triggers to project intake and architecture/security review gates. (VDA ISA Catalog v6.0)
  4. DSR process is theoretical. Fix: run tabletop exercises and document results; ensure third parties can support searches and deletions. (VDA ISA Catalog v6.0)
  5. Retention is aspirational. Fix: implement deletion and access controls at the system level and retain admin evidence. (VDA ISA Catalog v6.0)

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this requirement, so this page focuses on auditability and operational risk: failed privacy controls create exposure through third-party processing, uncontrolled data sprawl, and inability to respond to rights requests or incidents in a defensible way. (VDA ISA Catalog v6.0)

Practical 30/60/90-day execution plan

First 30 days (stabilize and make scope real)

  • Confirm applicable privacy regimes per operating footprint; document the applicability decision. (VDA ISA Catalog v6.0)
  • Stand up a processing inventory for the highest-risk functions and systems; name owners. (VDA ISA Catalog v6.0)
  • Inventory processor third parties and locate existing DPAs; identify gaps. (VDA ISA Catalog v6.0)
  • Publish a minimum-viable DSR workflow with intake, verification, and routing. (VDA ISA Catalog v6.0)

By 60 days (operationalize controls)

  • Implement a DPIA process with triggers tied to project intake and third-party onboarding. (VDA ISA Catalog v6.0)
  • Remediate priority DPA gaps for high-risk processors; align contracts to actual processing. (VDA ISA Catalog v6.0)
  • Run at least one DSR dry run across core systems and a key processor; capture evidence. (VDA ISA Catalog v6.0)
  • Validate retention/deletion settings for core systems; document configuration evidence. (VDA ISA Catalog v6.0)

By 90 days (make it auditable and repeatable)

  • Expand processing inventory coverage beyond core systems; add data flow diagrams for complex areas. (VDA ISA Catalog v6.0)
  • Complete DPIAs for major high-risk processing; formalize risk acceptance where residual risk remains. (VDA ISA Catalog v6.0)
  • Implement an ongoing review cadence: third-party processor list, DPA renewals, DPIA register, and DSR log quality checks. (VDA ISA Catalog v6.0)
  • If you use a GRC platform such as Daydream for third-party due diligence, link each processor inventory record to its DPA status, DPIA triggers, and evidence storage so an audit becomes a retrieval exercise rather than a scramble.

Frequently Asked Questions

Do we need GDPR controls if we don’t have an EU legal entity?

Yes, if the processing falls within a regime's scope. GDPR in particular reaches beyond EU-established entities: processing in the context of an EU establishment, or offering goods or services to, or monitoring the behaviour of, individuals in the EU, is in scope wherever your legal entity sits (GDPR Art. 3). Document your applicability analysis and keep it current as your customer base and processing locations change. (VDA ISA Catalog v6.0)

What’s the minimum “proof” an assessor will accept for data subject rights?

A written procedure plus ticketed evidence that requests are tracked, verified, fulfilled, and closed. If you lack real requests, run a dry run and retain the workflow outputs and approvals. (VDA ISA Catalog v6.0)

How deep does the processing inventory need to go?

Deep enough to show control: purpose, categories, systems, recipients/third parties, retention, and security measures for each meaningful activity. Start with high-risk systems and expand until coverage matches your operational reality. (VDA ISA Catalog v6.0)

Are DPAs only for “vendors”?

No. Any third party processing personal data on your behalf can require processor terms, including consultants, managed service providers, and cloud platforms. Maintain a processor list so coverage is provable. (VDA ISA Catalog v6.0)

What triggers a DPIA in practice?

Define triggers tied to risk and change: new systems, new data categories, new monitoring, new sharing, or material changes to existing processing. The key is consistency and a register that shows decisions, not just completed DPIAs. (VDA ISA Catalog v6.0)

How do we stop privacy controls from turning into a one-time project?

Put privacy into existing gates: procurement onboarding, security/architecture review, project intake, and incident response. Then audit your own artifacts (processing inventory, DPA coverage, DPIA register, DSR log) on a recurring cadence. (VDA ISA Catalog v6.0)

TISAX Data Protection and Privacy: Implementation Guide | Daydream