Do we know EXACTLY what all ‘Processing’ is and where it is taking place?
Do we have a ‘written contract’ with the processing organization?
Does the Contract precisely state what the processing consists of?
Do we completely understand the Processors’ data storage arrangements?
Do we have a copy of the Processor’s approved code of conduct?
Do we permit the Processor to make any decisions at all in managing the data?
Even if we [the controller] control the Processor, we probably need to ask: Article 28