Datatilsynet Denmark has issued new guidance on the supervision of data processors.

The guide proposes a scoring system that depends on the nature of the data and of the processing. It also includes six alternative supervision systems that could be used depending on your result.

Concept 1: Do not do anything unless you are aware that something is wrong with the data processor.

Concept 2: The data processor confirms, preferably in writing, that all requirements in the data processing agreement are complied with.

Concept 3: The data processor provides you annually – either directly or through its website – with a written status of matters covered by the Data Processor Agreement and other relevant areas (e.g. organizational or product changes).

Concept 4: The data processor has a relevant and updated certification or follows a so-called code of conduct that is relevant to your processing activities.

Concept 5: An independent third party has conducted documented supervision of the data processor in an area that also covers your processing activities.

Concept 6: You carry out a documented inspection of the data processor yourself – or together with others.

For a deeper dive, you can read my article here.