R2 Guidance & Knowledge Base
Qualifying downstream vendors for processing data devices
Q. What are the requirements for qualifying a downstream vendor (DSV) for processing data devices?
When data sanitization is not performed by the R2 Facility, any items that may contain data must be securely transferred to a DSV qualified in accordance with Appendix A – Downstream Recycling Chain.
Qualifying the DSV for data sanitization must include one of the following:
-
- In accordance with A (7), confirm that the DSV has an active R2 Certification that includes Appendix B – Data Sanitization for the devices requiring sanitization; or
- In accordance with A (8)(d)(1), annually verify that the DSV smelts or incinerates the data devices for final destruction; or
- In accordance with A (8)(d)(2), have the DSV annually audited by an independent auditor and confirm conformance with the requirements of Core Requirement 7 and Appendix B – Data Sanitization.
ADDED 10/5/2022 Q. Can an R2 facility ship data storage devices to a downstream vendor that sends those same devices to another downstream vendor for sanitization?
The short answer is no. Core Requirement 7 provides three options for sanitizing data-containing items. The first two options are found in Core 7(c)(2) A & B and pertain to in-house sanitization. The third option is found in Core 7(c)(2)(C):
Ship/transfer data storage devices under written contract to a downstream vendor that has been verified in accordance with Appendix A – Downstream Recycling Chain, with the capabilities to sanitize data from the type of equipment shipped in accordance with the planned method disclosed to the supplier.
This requirement specifies that the DSV chosen to receive the data storage devices must have the capability to sanitize them. Further transfer of that data device to another DSV for sanitization is not listed as an option. The intent of this requirement is to ensure that devices containing data are tracked and handled with the highest level of care, and for R2 facilities to keep tight control on those data containing devices by limiting the number of parties that have access to those devices.
