Supervision by the controller in the processing of personal data by the processor regarding security measures
The appropriate supervisor of the processor's security measures
Depending on the complexity of the processing procedures and whether the controller has the necessary knowledge of information technology, it is possible for the controller to carry out follow-up on his own or to have an external and independent third party ensure that the processor follows instructions and implements appropriate security measures.
The sponsor may also carry out certain aspects of this follow-up but may also be advised by a third party or be involved in other aspects.
The way the controls are carried out depends on the risk assessment that was made at the beginning.
The monitoring may be carried out through on-site visits to the processor or by collecting written information. Both methods can also be combined.
If the risks of processing personal data are low, it may be sufficient to obtain written confirmation from the processor that security is maintained.
The higher the assessed risk, the more detailed the monitoring needs to be, for example with on-site observations.
For example, the controller may choose to visit the processing site regularly and perform spot checks.
If an independent third party is hired to supervise the security of personal data at the processor, it is important that the controller ensures that the third party does so on the basis of the instructions given to the processor on technical and organisational security measures.