GDPR questions and answers

Category: Documentation and Procedures

May a processor insert into the data processing agreement a provision on the hourly rate for the work of its DPO when supporting the controller's audit?

ANSWER

In my assessment, this will depend on the nature of the cooperation between the controller and the processor. It is difficult to expect full and unlimited individual support for the controller in every respect, at no additional cost, if the scope of cooperation is very limited and amounts to a few hours of service per month for a total fee of, for example, PLN 600.

There are therefore voices suggesting that it may be permissible to agree that the costs incurred by the processor in connection with the inspection/audit should be reimbursed by the controller conducting the audit, provided that these are actual costs at a reasonable level. It appears justified to cover the labour costs of the processor's employees who will be involved in audit activities (e.g., the labour costs of the processor's employee accompanying the person conducting the inspection on the processor's premises).

There are also opposing voices arguing that such arrangements restrict the controller's right to audit. The recommended approach would be to find a middle ground, for example by establishing fees for the DPO's involvement in audits other than the initial/annual/breach-related audit, i.e., additional fees would relate to those "additional" audits.

Data processing agreement and audit costs | ODO 24