GDPR questions and answers

Category:
Documentation and Procedures

Should a Processor Disclose Its Personal Data Protection Policy to the Entity with Which It Has a Data Processing Agreement?

ANSWER

A provision requiring the processor to make available its data protection documentation, including its personal data protection policy, is inappropriate. The data controller should of course be entitled to audit the processor; however, such an audit should not extend to disclosure of the entire documentation, including the personal data protection policy, which governs the processor's position as a controller in its own right, independently of its role as a processor under the data processing agreement. Instead, the agreement may provide for the controller to have access to an extract from the data protection policy covering the section on data processing agreements and to an extract from the register of categories of processing activities relevant to the controller, and to be able to verify the authorisations granted to, and the confidentiality undertakings signed by, the employees processing such data under the concluded agreement. All other information constitutes the entity's internal documentation and should not be disclosed.

Should a Processor Disclose Its Personal Data Protection Policy? | ODO 24 | ODO 24