Auditing Your Data Processor to ensure GDPR Compliance

What are good questions to ask if company A wants to audit how its service provider (which acts as a processor) processes A's data?


Written By: Gail Maunula
Senior Data Protection Specialist at Privaon


The key thing to remember in this area is that the oversight of service providers is a GDPR requirement for data controllers. This requirement is rooted in the accountability principle (Article 5(2) GDPR), which makes the controller ultimately responsible for ensuring compliance.

With this key point in mind, a starting point is to ensure and verify that these service providers align with the obligations under the GDPR or other data protection laws.

In terms of the GDPR, Article 28 lays out excellent (and required) criteria for ensuring that service providers can meet the obligations necessary to maintain compliance. You should ask service providers to demonstrate their ability to uphold these obligations by requesting relevant documentation. You can, for example:

  • Ask for evidence of their Records of Processing Activities and the list of subprocessors they use to provide their services. This ensures:
    • The processor understands its obligations under Article 30(2) GDPR to keep a record of categories of processing carried out on behalf of each controller.
    • They have mapped and documented the flow of data, which is critical for transparency and accountability.
    • That they maintain oversight of subprocessors and can show exactly who else has access to your data. This helps the controller assess whether all onward processing is lawful and appropriately managed.
  • Inquire about third-party certifications, such as ISO 27001 or SOC 2, to understand if there is:
    • Independent assurance that the processor has implemented appropriate technical and organisational measures (Article 32 GDPR).
    • A maturity level beyond the legal minimum, since certification frameworks require regular audits and continuous improvement.
    • Evidence that security practices are not just policy-based but externally validated, which supports the controller’s due diligence obligations under Article 28(1).
  • Check their website’s data protection statement (privacy policy) to see how clearly they communicate, and therefore uphold, their obligations as controllers.
    • While this step is about the processor’s role as a controller in other contexts (for their own employees, marketing, etc.), it can reveal how seriously they approach data protection generally.
    • Clear, transparent, and GDPR-compliant privacy notices show a culture of compliance and accountability (Articles 12–14 GDPR).
    • If their external communication is vague or non-compliant, it may indicate weaknesses in internal compliance practices as well.
  • Ask for evidence of incident response testing. This shows that:
    • The processor is prepared to comply with its obligations under Article 33 GDPR (to notify the controller without undue delay in the event of a personal data breach).
    • That they do not simply have an incident response plan on paper, but have tested it to ensure effectiveness.
    • They are actively working to minimise risks to confidentiality, integrity, and availability of Company A’s data, showing practical application of security requirements under Article 32.

In addition to assessing service providers against data protection law obligations, make sure your company has clarified its risk profile, based on your processing activities. For example, you should know which, if any, special categories of data you need to protect, whether any data transfers are necessary to achieve your processing purposes, and how you need to respond to data breaches. Further, by knowing your risk profile, you can determine the appropriate level of demands you place on a service provider. Not every data security measure is necessary in every case; the measures you require should be proportionate to your risk profile. Assessing against the proper criteria supports both parties' efforts and fosters the proper relationship between processor and controller.

If you have not yet defined your risk profile or are unsure how to assess the documentation provided against it, it is advisable to seek external expertise. Specialists at Privaon, for example, are well-equipped to support you in defining your risk profile and evaluating processor documentation to ensure compliance and mitigate risks effectively.

We support companies worldwide in safeguarding their data and ensuring compliance. Get in touch today and discover how Privaon takes the guesswork out of EU data compliance and evolving data demands.