An audit of one or more processors is based on the criteria of the Federal and State Data Protection Conference (DSK) for certification under Article 42 and on the assurance objectives of the DSK’s standard data protection model.
Audited are:
- the offer of the processor
- the contract for commissioned processing, if any, including the documentation of the technical-organizational data protection measures of the processor
- any other legally binding agreements that may exist
- any joint responsibility of the Processor and the Responsible Party, if any
compliance with the performance targets
- Data minimization
- Confidentiality
- availability
- Integrity
- Transparency
- Non-interlinking
- Intervenability
The Processor is obligated to provide the Controller with all information and documents relevant to the decision, if applicable a certification according to Art. 42 GDPR or binding rules according to Art. 40 GDPR.