Do we know EXACTLY what all ‘Processing’ is and where it is taking place?

Even if we [the controller] control the Processor, we probably need to ask (Article 28):

  • Do we have a ‘written contract’ with the processing organization?
  • Does the Contract precisely state what the processing consists of?
  • Do we completely understand the Processor’s data storage arrangements?
  • Do we have a copy of the Processor’s approved code of conduct?
  • Do we permit the Processor to make any decisions at all in managing the data?