Datatilsynet Denmark has issued new guidance on the supervision of data processors.
The guide proposes a scoring system that depends on the nature of the data and of the processing. It also includes six alternative supervision systems that could be used depending on your result.
Concept 1: Do not do anything unless you are aware that something is wrong with the data processor.
Concept 2: The data processor confirms, preferably in writing, that all requirements in the data processing agreement are complied with.
Concept 3: The data processor provides you annually – either directly or through its website – with a written status of matters covered by the Data Processor Agreement and other relevant areas (e.g. organizational or product changes).
Concept 4: The data processor has a relevant and updated certification or follows a so-called code of conduct that is relevant to your processing activities.
Concept 5: An independent third party has conducted documented supervision of the data processor in an area that also covers your processing activities.
Concept 6: You carry out a documented inspection of the data processor yourself – or together with others.
For a deeper dive, you can read my article here.