Guidelines 07/2020 on the concepts of controller and processor in the GDPR

Paragraph 1.3.8  The processor must make available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and allow for and contribute to audits, including inspections, conducted by the controller or an other auditor mandated by the controller ( Art. 28 (3)(h) GDPR).

140. The contract shall include details on how often and how the flow of information between the processor and the controller should take place so that the controller is  fully informed as to the details of the processing. For instance, the relevant portions of the processor’s records of processing activities may be shared with the controller. The processor should provide all information on how the processing activity will be carried out on behalf of the controller. Such information should include information on the functioning of the systems used, security measures, retention of data, data location, transfers of data, access to data and recipients of data, sub-processors used, etc.

141. Further details shall also be set out in the contract regarding the ability to carry out and the duty to contribute to inspections and audits by the controller or an other auditor mandated by the controller. The parties should cooperate in good faith and assess whether and when there is a need to perform audits on the processor’s premises. Likewise, specific procedures should be established regarding the processor’s and the controller’s inspection of sub-processors (see section 1.6 below).