[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f_MHJG6w6jzxSTlOH5uiTTmwJUSykIkCC5v068rSf5hI":3},{"tableOfContents":4,"markDownContent":5,"htmlContent":6,"metaTitle":7,"metaDescription":8,"wordCount":9,"readTime":10,"title":11,"nbDownloads":12,"excerpt":13,"lang":14,"url":15,"intro":16,"featured":4,"state":17,"author":18,"authorId":19,"datePublication":23,"dateCreation":24,"dateUpdate":25,"mainCategory":26,"categories":42,"metaDatas":48,"imageUrl":49,"imageThumbUrls":50,"id":58},false,"Ensure GDPR compliance of your data processors by following these key steps:\r\n\r\n#### 1. Identify your data processors\r\n\r\n▶️ Any third-party service provider that processes personal data on your behalf qualifies as a **data processor** (Article 4(8), GDPR). Start by creating a complete inventory of your processors and clearly define the nature and scope of the processing they carry out.\r\n\r\n💡 **With Dastra:** Use the Processing Activities Register to document your data processors, link them to specific processing operations, and gain visibility over their roles and data flows.\r\n\r\n#### 2. Review Your Contracts with Data Processors\r\n\r\n▶️ Article 28 of the GDPR mandates that all personal data processing by a processor must be governed by a **written contract**, which should include:\r\n\r\n- The controller’s documented instructions (Article 28(3)(a))\r\n\r\n- Security and confidentiality obligations (Article 28(3)(c))\r\n\r\n- Subcontracting conditions (Article 28(2))\r\n\r\n- Breach notification procedures (Article 33)\r\n\r\n- Terms for data return or deletion after contract termination (Article 28(3)(g))\r\n\r\nEnsure that all these elements are properly covered in your existing contracts.\r\n\r\n💡 **With Dastra:** Centralize contracts and annexes using the **File Manager** module. Automate reminders to regularly review compliance and track contractual updates using custom workflows.\r\n\r\n#### 3. 
Request Proof of Compliance\r\n\r\n▶️ Before onboarding a data processor, ask for **evidence of GDPR compliance**, such as:\r\n\r\n![](https://static.dastra.eu/richtext/80177036-4dfe-45c8-9fd0-b8a1660a65a1/anglais-3-original.jpg)💡 This proactive approach ensures you’re working with trustworthy, compliant partners.\r\n\r\n#### 4. Conduct Periodic Audits\r\n\r\n▶️ Article 28(3)(h) of the GDPR recommends performing **regular audits** to verify your processors' ongoing compliance. These can be conducted internally or by third-party experts.\r\n\r\n💡 **With Dastra:** Schedule audits through the **Questionnaires** module, store reports securely, and manage corrective actions directly within the platform.\r\n\r\n#### 5. Regulate International Data Transfers\r\n\r\n▶️ If your processor transfers personal data outside the EU, confirm that **appropriate safeguards** are in place, such as:\r\n\r\n- Standard Contractual Clauses (SCCs) (Article 46)\r\n\r\n- Approved codes of conduct or certification mechanisms (Articles 42 & 46)\r\n\r\n- Binding Corporate Rules (BCRs) (Article 47)\r\n\r\n💡 **With Dastra:** Monitor and document all data transfers in the **Record of Processing Activities** and ensure the correct legal clauses are applied.\r\n\r\n#### 6. Implement Ongoing Monitoring\r\n\r\n▶️ GDPR compliance is **not a one-off task**; it requires continuous monitoring. Establish a regular control plan using tools like self-assessment questionnaires, periodic reviews, or automated workflows.\r\n\r\n💡 **With Dastra:** Use built-in workflows to automate checks, trigger reminders, and maintain complete audit trails of processor compliance over time.\r\n\r\n### 🚩**In summary**\r\n\r\nVerifying your data processors’ GDPR compliance is not only a legal requirement—it’s a cornerstone of building trust and minimizing risk. 
A structured and proactive approach, supported by tools like **Dastra**, allows you to **centralize, automate, and simplify** your compliance efforts.\r\n\r\n🔍To request a personalized [Demo of Dastra, click here!](https://www.dastra.eu/fr/contacts/demo)","\u003Cp>Ensure GDPR compliance of your data processors by following these key steps:\u003C/p>\r\n\u003Ch4 id=\"identify-your-data-processors\">1. Identify your data processors\u003C/h4>\r\n\u003Cp>▶️ Any third-party service provider that processes personal data on your behalf qualifies as a \u003Cstrong>data processor\u003C/strong> (Article 4(8), GDPR). Start by creating a complete inventory of your processors and clearly define the nature and scope of the processing they carry out.\u003C/p>\r\n\u003Cp>💡 \u003Cstrong>With Dastra:\u003C/strong> Use the Processing Activities Register to document your data processors, link them to specific processing operations, and gain visibility over their roles and data flows.\u003C/p>\r\n\u003Ch4 id=\"review-your-contracts-with-data-processors\">2. 
Review Your Contracts with Data Processors\u003C/h4>\r\n\u003Cp>▶️ Article 28 of the GDPR mandates that all personal data processing by a processor must be governed by a \u003Cstrong>written contract\u003C/strong>, which should include:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>The controller’s documented instructions (Article 28(3)(a))\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Security and confidentiality obligations (Article 28(3)(c))\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Subcontracting conditions (Article 28(2))\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Breach notification procedures (Article 33)\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Terms for data return or deletion after contract termination (Article 28(3)(g))\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>Ensure that all these elements are properly covered in your existing contracts.\u003C/p>\r\n\u003Cp>💡 \u003Cstrong>With Dastra:\u003C/strong> Centralize contracts and annexes using the \u003Cstrong>File Manager\u003C/strong> module. Automate reminders to regularly review compliance and track contractual updates using custom workflows.\u003C/p>\r\n\u003Ch4 id=\"request-proof-of-compliance\">3. Request Proof of Compliance\u003C/h4>\r\n\u003Cp>▶️ Before onboarding a data processor, ask for \u003Cstrong>evidence of GDPR compliance\u003C/strong>, such as:\u003C/p>\r\n\u003Cp>\u003Cimg loading=\"lazy\"  src=\"https://static.dastra.eu/richtext/80177036-4dfe-45c8-9fd0-b8a1660a65a1/anglais-3-original.jpg\" alt=\"\" />💡 This proactive approach ensures you’re working with trustworthy, compliant partners.\u003C/p>\r\n\u003Ch4 id=\"conduct-periodic-audits\">4. Conduct Periodic Audits\u003C/h4>\r\n\u003Cp>▶️ Article 28(3)(h) of the GDPR recommends performing \u003Cstrong>regular audits\u003C/strong> to verify your processors' ongoing compliance. 
These can be conducted internally or by third-party experts.\u003C/p>\r\n\u003Cp>💡 \u003Cstrong>With Dastra:\u003C/strong> Schedule audits through the \u003Cstrong>Questionnaires\u003C/strong> module, store reports securely, and manage corrective actions directly within the platform.\u003C/p>\r\n\u003Ch4 id=\"regulate-international-data-transfers\">5. Regulate International Data Transfers\u003C/h4>\r\n\u003Cp>▶️ If your processor transfers personal data outside the EU, confirm that \u003Cstrong>appropriate safeguards\u003C/strong> are in place, such as:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>Standard Contractual Clauses (SCCs) (Article 46)\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Approved codes of conduct or certification mechanisms (Articles 42 &amp; 46)\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Binding Corporate Rules (BCRs) (Article 47)\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>💡 \u003Cstrong>With Dastra:\u003C/strong> Monitor and document all data transfers in the \u003Cstrong>Record of Processing Activities\u003C/strong> and ensure the correct legal clauses are applied.\u003C/p>\r\n\u003Ch4 id=\"implement-ongoing-monitoring\">6. Implement Ongoing Monitoring\u003C/h4>\r\n\u003Cp>▶️ GDPR compliance is \u003Cstrong>not a one-off task\u003C/strong>; it requires continuous monitoring. Establish a regular control plan using tools like self-assessment questionnaires, periodic reviews, or automated workflows.\u003C/p>\r\n\u003Cp>💡 \u003Cstrong>With Dastra:\u003C/strong> Use built-in workflows to automate checks, trigger reminders, and maintain complete audit trails of processor compliance over time.\u003C/p>\r\n\u003Ch3 id=\"in-summary\">🚩\u003Cstrong>In summary\u003C/strong>\u003C/h3>\r\n\u003Cp>Verifying your data processors’ GDPR compliance is not only a legal requirement—it’s a cornerstone of building trust and minimizing risk. 
A structured and proactive approach, supported by tools like \u003Cstrong>Dastra\u003C/strong>, allows you to \u003Cstrong>centralize, automate, and simplify\u003C/strong> your compliance efforts.\u003C/p>\r\n\u003Cp>🔍To request a personalized \u003Ca href=\"https://www.dastra.eu/fr/contacts/demo\">Demo of Dastra, click here!\u003C/a>\u003C/p>\r\n","How to verify compliance with the GDPR by subprocessors?","Ensure your subcontractors' GDPR compliance by reviewing contracts, security measures, certifications, and data handling practices—backed by regular oversight.",470,3,"How to verify subcontractors' compliance with the GDPR?",0,null,"en","how-to-verify-subcontractors-compliance-with-the-gdpr","Under the General Data Protection Regulation (GDPR), data controllers are responsible for ensuring that their processors uphold all relevant data protection obligations. If a processor fails to comply, the controller may be held liable. That’s why it’s essential to implement a thorough and structured verification process to manage this risk effectively.","Published",{"id":19,"displayName":20,"avatarUrl":21,"bio":13,"blogUrl":13,"color":13,"userId":19,"creationDate":22},18224,"Camille Noworyta","https://static.dastra.eu/tenant-3182/avatar/18224/QBkwUNU84JuSQm/le-c-3-150.jpeg","2024-10-22T09:02:30","2025-04-14T10:20:00","2025-04-14T10:20:10.6535751","2026-03-10T10:14:28.8174222",{"id":27,"name":28,"description":29,"url":30,"color":31,"parentId":13,"count":13,"imageUrl":13,"parent":13,"order":12,"translations":32},2,"Blog","A list of curated articles provided by the community","blog","#28449a",[33,36,39],{"lang":34,"name":28,"description":35},"fr","Une liste d'articles rédigés par la communauté",{"lang":37,"name":28,"description":38},"es","Una lista de artículos escritos por la comunidad",{"lang":40,"name":28,"description":41},"de","Eine Liste von Artikeln, die von der Community verfasst 
wurden",[43],{"id":27,"name":28,"description":29,"url":30,"color":31,"parentId":13,"count":13,"imageUrl":13,"parent":13,"order":12,"translations":44},[45,46,47],{"lang":34,"name":28,"description":35},{"lang":37,"name":28,"description":38},{"lang":40,"name":28,"description":41},[],"https://static.dastra.eu/content/5201ab89-0822-4338-aa91-9983cc098cc7/visuel-article-6-original.jpg",[51,52,53,54,55,56,57],"https://static.dastra.eu/content/5201ab89-0822-4338-aa91-9983cc098cc7/visuel-article-6-1000.webp","https://static.dastra.eu/content/5201ab89-0822-4338-aa91-9983cc098cc7/visuel-article-6.webp","https://static.dastra.eu/content/5201ab89-0822-4338-aa91-9983cc098cc7/visuel-article-6-1500.webp","https://static.dastra.eu/content/5201ab89-0822-4338-aa91-9983cc098cc7/visuel-article-6-800.webp","https://static.dastra.eu/content/5201ab89-0822-4338-aa91-9983cc098cc7/visuel-article-6-600.webp","https://static.dastra.eu/content/5201ab89-0822-4338-aa91-9983cc098cc7/visuel-article-6-300.webp","https://static.dastra.eu/content/5201ab89-0822-4338-aa91-9983cc098cc7/visuel-article-6-100.webp",59081]