Data controllers are obliged to oversee the entities to which they entrust personal data for processing (the so-called "data processors"), not only before concluding the data processing agreement but also throughout its performance.
This obligation arises from Article 28 (1) lit. h GDPR, according to which the processor must make available to the controller all information necessary to demonstrate compliance with the obligations imposed on the processor by Article 28 GDPR, and must allow and contribute to audits, including inspections, conducted by the controller or by an auditor authorised by the controller.
How often should processors be audited?
The GDPR does not specify when, or how often, the controller should audit its processors. A reasonable approach is for the controller to adopt a periodic audit plan (e.g. an audit after each year of the agreement), supplemented by ad hoc audits, in particular following a personal data breach.
How should the processor be audited?
The controller should apply audit measures that allow it to effectively verify the processor's compliance with its obligations under the GDPR. Concluding a data processing agreement does not relieve the controller of its responsibility for the personal data, so it is in the controller's interest to ensure that the processor processes the data lawfully and in accordance with the agreement.
In practice the audit is often carried out in the form of an assessment questionnaire or a telephone interview, as these are the least burdensome for both parties. Where necessary, however, the controller is also entitled to conduct an on-site inspection at the processor's premises. Such inspections are advisable especially where the processing of high-risk personal data has been entrusted (e.g. processing of the so-called "sensitive data").
Who can carry out the audit of the processor?
The controller may exercise the right of audit itself or commission it to external entities (e.g. for testing the security of the information systems used by the processor). When commissioning audit activities to a third party, remember to grant it the relevant authorisation.
Can the data processing agreement restrict the controller's right to carry out audits?
In addition to the standard provisions on the controller's right to audit, data processing agreements often contain further provisions governing how notice of an audit is given, how long it may last, and even how the costs incurred in connection with the audit are settled. Depending on which party has the stronger negotiating position, these provisions may either hinder or facilitate audits.
When drafting the rules for audits by the controller, it should be remembered that the arrangements introduced (e.g. an obligation to give notice of a planned audit, a limit on its duration to a certain number of days, or a maximum number of audits in a given year) cannot in practice limit or prevent the controller's right of audit. According to the recommendations of the DPA, such provisions may be considered contrary to the GDPR.
It is good practice to set out more detailed rules for planned audits (e.g. an obligation to give advance notice so that the processor can organise its work accordingly), while leaving the controller an unrestricted right to carry out ad hoc audits initiated on the basis of suspected infringements.
Who bears the costs of the processor's audit?
The GDPR does not regulate audit fees, so the parties are free to agree on this matter, bearing in mind, however, that the arrangements introduced cannot limit the controller's right of audit. For example, a provision in the data processing agreement reserving a fixed, high fee for the processor for each audit may be considered a violation of the controller's right to carry out audits under the GDPR.
If the parties decide to introduce an audit fee, it is safer to tie the fee to the actual costs incurred.
What if the audit reveals irregularities?
If an audit reveals that personal data are being processed unlawfully or contrary to the terms of the data processing agreement, measures to stop the infringement should be taken as soon as possible, including issuing remediation instructions to the processor.
In the data processing agreement, the controller should take care to specify how the processor is to implement the recommendations resulting from an audit and the consequences of failing to do so, and to identify the situations that entitle the controller to terminate the agreement with immediate effect (e.g. transfer of the entrusted personal data to a third country without the required safeguards).
What else to remember?
In accordance with the principle of accountability, the controller should be able to demonstrate that it has fulfilled its obligations under the GDPR, including the obligation to audit its processors. The audit, whatever its form, should therefore be documented, for example in an audit report or at least an internal memo.
It is also worth considering including in the data processing agreement a confidentiality clause covering information obtained during the audit.