Audit of the processor and subprocessor

Responsibility for the protection of personal data rests with the Administrator. It is not enough just to sign an entrustment agreement. It is also our responsibility to verify the data processor and to evaluate the security measures applied.

That is why we offer a professional check of your processors and subprocessors. As part of individual orders or framework contracts, we carry out audits of entities processing personal data at your request.

Ensuring compliance in the area of cooperation with processors has so far mostly amounted to supplementing the missing contracts for entrusting the processing of personal data. It should be remembered, however, that the responsibility for selecting processors and for supervising their compliance with the provisions of those contracts lies with the Administrator.
Pursuant to Art. 28 GDPR, where processing is to be carried out on behalf of the Administrator, it uses only processors providing sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of the GDPR and protects the rights of data subjects.
The regulation indicates that a processor can demonstrate such sufficient guarantees, inter alia, by adhering to an approved code of conduct (Article 40 GDPR) or an approved certification mechanism (Article 42 GDPR). Both of these mechanisms are practically non-functional in Poland at present, so administrators have no option but to independently obtain information on the quality of their processors' services.
For this purpose, an audit can be carried out at the premises of the processor, examining whether the service provided complies with the provisions of the entrustment agreement. A processor audit allows the Administrator to avoid administrative penalties resulting from the actions of entities acting on the organization's behalf, and makes it possible to renegotiate contracts with processors where necessary. This audit can of course be carried out by an external entity on behalf of the Administrator.

We provide a professional and reliable supplier audit service

During the audit, the method of implementation of the concluded contract for entrusting the processing of personal data will be subject to verification.

The Blue Energy team consists of both legal counsels responsible for formal and legal areas, and auditors with many years of experience in information security management. Thanks to this, we are able to provide a reliable assessment of the fulfillment of legal requirements and the actual security of personal data.

We guarantee the quality and objectivity of the research

The guarantee of high-quality service is the performance of works with the use of international standards, including:

  • ISO 19011 in the area of management system auditing,
  • ISO/IEC 27001 in the area of information security management systems,
  • ISO/IEC 29134 in the area of privacy impact assessment for data processing,
  • ISO 22301 in the area of a systems approach to business continuity management,

and certificates held by our consultants, which you can find here

Conformity assessment and recommendations for improvement

We provide an assessment of the processor, applied security measures and compliance with the entrustment agreement and legal requirements.

After the study, we provide recommendations related to increasing the security of personal data processing.

Additional services and support

We offer process support with the BPM GDPR Audit tool, which automates the audit of processors and subprocessors.

If you want to automate the management of personal data protection, risk analysis and DPIA, please refer to BPM GDPR

If you need support in implementing the requirements or safeguards for the protection of personal data, see our IOD (DPO) outsourcing service, under which a BlueEnergy consultant performs not only the tasks indicated in Article 39 of the GDPR, but also additional ones resulting from our experience and best practices in the field of information security.

Do you want to order a processor audit?
Buy now
Do you need support or information?
Contact us