How do you, as a controller, comply with your obligation to monitor your data processors?

Synch’s Christine Jans, who specialises in data protection law, provides guidance on how you, as a data controller, monitor your data processors in practice.

A company acting as data controller has many obligations under the GDPR. One of them is the obligation to enter into data processor agreements with its data processors and to monitor their security of processing. This obligation entails that the data controller must verify that the data processor complies with the agreement, including the implementation of the agreed technical and organisational security measures. The Danish Data Protection Agency (Datatilsynet) has published a guide on this which, inter alia, addresses the following:

Who can monitor the security of processing?

A data controller can either monitor the security of processing of its data processors itself or delegate the monitoring to an external, independent third party. The right choice depends on the data processor set-up and on whether the data controller employs IT professionals who are able to verify that the data processor has implemented the agreed security measures.

How can the security of processing be monitored?

The data controller and the data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing. That risk is determined by a so-called risk assessment, which considers the risks that the processing of personal data poses to the data subjects. The measures must be implemented before the processing starts and must be set out in the data processor agreement. The monitoring can therefore be based on the security measures agreed between the parties. Depending on the identified risk, the monitoring can be carried out as a physical visit, by written collection of information, et cetera.

How often should the security of processing be monitored?

The frequency depends on the identified risk. A high risk calls for more frequent monitoring of the security of processing than a low risk.

How is the sub-processors’ security of processing monitored?

As a starting point, the original data processor is responsible for ensuring that the sub-processor complies with its data protection obligations. However, the data controller must ensure that the data processor monitors the sub-processors as agreed; this can, e.g., be done by having the data processor document its monitoring of the sub-processors.

The guide is available here (Danish).