Is effective verification of a processor (within the EEA) possible without its active participation (e.g. solely on the basis of documentation attached to the agreement or made available by the processor on a website)? If so, how? When entering into a data processing agreement with an entity outside the EEA, is the controller released from the obligation to verify the processor?
ANSWER
The most desirable solution for verifying a processor is conducting a physical audit at its premises, which, however, in business reality is often problematic or even impossible. The data controller may then either decide to choose another entity as processor, one that will allow such an audit, or may verify it by other means (e.g. questionnaires), accepting a certain risk associated with the real lack of possibility of physically auditing the contractor.
If it is not possible to obtain from such a processor a completed security questionnaire provided by the controller, other actions should be taken to verify it. A good solution is to verify the data protection documentation made available by the processor, including information on the technical and organisational measures it applies, whether published on a website or provided otherwise, e.g. as an attachment to the agreement.
It is important to retain such information and records for accountability purposes and to remember to repeat such verification from time to time.
It should also be borne in mind that case law has taken a position (judgment of the Provincial Administrative Court of 19 April 2022, case no. II SA/Wa 2259/21, concerning Microsoft Teams, which, it seems, can also be applied to other similar entities), according to which it may be presumed that reputable, widely known entities, such as Microsoft Corporation, have implemented measures meeting GDPR requirements, including ensuring the security of processing.
Transfer of data outside the EEA, whether on the basis of an adequacy decision, standard contractual clauses or another mechanism, does not release the controller from the obligation to conclude a data processing agreement and to verify the processor.