Supplier Management and Supply Chain · Borgstena Group

Normative and operational documentation on data protection and information security applicable to the suppliers and the supply chain of the Borgstena Group.

Reference: #PEPD-0846-20260526
Version: 202605
Date: 26 May 2026
Nature: Institutional page

Demonstrating Borgstena's commitment to compliance and accountability in the management of suppliers and the supply chain, and reinforcing transparency and information in the contractual relationship, this page brings together the main policies, operational procedures, procurement instructions and security measures in force in the organisation.

1. Framework

The management of suppliers and the supply chain takes place at the intersection of two essential regulatory frameworks: Regulation (EU) 2016/679 (GDPR), as regards the protection of personal data processed by suppliers and their employees, and Directive (EU) 2022/2555 (NIS 2), as regards the security of information and cybersecurity throughout the supply chain. This interplay is reflected in the documentation below, in which the references to the GDPR, NIS 2 or GDPR+NIS 2 are expressly indicated.

This page complements, at the operational level, the Data Processing Policy in Relations with Suppliers, the Special Data Processing Information Sheet — Suppliers' Representatives or Employees, and the other reference documentation of the Data Protection Platform.

2. Applicable documentation

Data processing
General Conditions for the Processing of Personal Data by Processors
GDPR: General conditions applicable to the processing of personal data carried out by Borgstena's processors, under Article 28 of the GDPR.

Processing instructions
General Instructions for the Processing of Personal Data for Processors
GDPR: Operational instructions for the processing of personal data by Borgstena's processors, in the exercise of the obligations arising from the processor contract.

Supply chain security
Supply Chain Security Policy
NIS 2: Security policy applicable to the supply chain, aligned with Directive (EU) 2022/2555.

Risk assessment
Operational Procedure for Supplier Risk Assessment and Classification
GDPR+NIS 2: Operational procedure for the assessment and classification of the risk associated with each supplier, from the integrated perspective of data protection and cybersecurity.

Incident management
Unified Procedure for Incident Notification and Management
GDPR+NIS 2: Unified procedure for the notification and management of incidents involving suppliers, covering personal data breaches and cybersecurity incidents.

Compliance requirements
Minimum Compliance Requirements for Critical Suppliers and Processors
GDPR+NIS 2: Set of minimum compliance requirements applicable to suppliers and processors considered critical.

Contractual clauses
Standard Contractual Clauses for Data Protection and Information Security
GDPR+NIS 2: Standard contractual clauses to be incorporated into supplier contracts, in matters of personal data protection and information security.

Audits
Procedure for Integrated Supplier Audits
GDPR+NIS 2: Procedure for carrying out integrated audits of suppliers, covering the dimensions of data protection and cybersecurity.

Training and awareness
Data Protection and Cybersecurity Training and Awareness Guide for Suppliers
GDPR+NIS 2: Reference guide for the training and awareness of suppliers' employees in data protection and cybersecurity matters.

Due diligence
Supplier Pre-Assessment Questionnaire
GDPR+NIS 2: Pre-assessment questionnaire used in the due diligence of new suppliers, with criteria aligned with the GDPR and NIS 2.

Business continuity
Business Continuity Requirements for Critical Suppliers
NIS 2: Business continuity requirements applicable to suppliers classified as critical.

Digital security
Digital Security Technical Requirements for Suppliers
NIS 2: Technical digital security requirements for suppliers, namely as regards access control, encryption, segregation of duties and monitoring.

Note. The national transposition of Directive (EU) 2022/2555 (NIS 2) is set out in [national act to be confirmed and referenced on this page after verification in the official journal]; the applicable documents will be reviewed to integrate the specific reference once confirmed.

3. Relationship with the Data Protection Platform

The documentation on this page is directly connected to the following elements of the Platform:

4. Contacts and channels

For any matter relating to data protection and to the processing of personal data of suppliers' representatives or employees, the Data Protection Officer may be contacted at dataprotection@borgstena.com. For matters relating to information security and cybersecurity in the context of the relationship with suppliers, the Permanent Security Contact Point is accessible through the channels indicated on the Information Security Page.

5. Term and review

This page, as well as the documentation to which it provides access, is subject to periodic review, under the responsibility of the Data Protection Officer and the Security Officer, whenever developments in the regulatory framework, the entry into force of the national transposition of Directive (EU) 2022/2555 or developments in the Group's practices so warrant.

Data Protection Officer (DPO)
Borgstena Group
Ref. #PEPD-0846-20260526 · DPP Platform · Suppliers · Version 202605 · English version