What needs to be in a processor contract with regard to audits and inspections?

Under Article 28(3)(h) the contract must require:

  • the processor to provide the controller with all the information that is needed to show that the obligations of Article 28 have been met; and
  • the processor to allow for, and contribute to, audits and inspections carried out by the controller, or by an auditor appointed by the controller.

This provision obliges the processor to be able to demonstrate to the controller that it complies with the whole of Article 28, not just with paragraph (3)(h). The processor could do this, for instance, by giving the controller the necessary information on request or by submitting to an audit or inspection.

The GDPR does not require the contract to include a provision obliging the processor to keep records of the processing it carries out for the controller, although such records would help the processor demonstrate compliance with Article 28. Processors are nonetheless required to maintain records of their processing activities by Article 30(2), independently of what the contract says.