Who is responsible for sending the security questionnaire to the processor?
ANSWER
Who sends the questionnaires depends on the organisation. In some organisations, process owners (e.g. the HR director, sales director, etc.) are responsible for sending verification questionnaires to the contractors to whom data processed in a given activity (employee data, client data, etc.) would be entrusted; once they receive a completed questionnaire, the process owners forward the results to the DPO. In other organisations, and this is often the case, the DPO oversees matters related to concluding data processing agreements, including verification of the processor before the agreement is concluded.
"(…) it is necessary to examine what specific activities the data protection officer would undertake in connection with concluding data processing agreements. It must be established whether, for example, the data protection officer has been tasked with drafting the agreement and whether it therefore fell to them to determine how the relationship between the controller and the processor will be structured and the rights and obligations of the parties to that agreement. Such a situation would cause a conflict of interests, because the DPO would then be obliged, within the scope of their statutory duties, to assess the correctness and compliance with the law of decisions taken in this respect."


