The Controller's Supervision of Processors: A Study of Article 28 in GDPR With a Specific Focus on the use of an Auditor

Henrik Tuyen & Martin Lusty Bøgelund Sørensen

Student thesis: Master thesis


The General Data Protection Regulation (EU) 2016/679 was adopted with the purpose of increasing the protection of the privacy of individuals in the European Union. The consequences of not complying with GDPR can be severe, as non-compliance can result in fines of up to 20 million euros or 4% of a company’s global revenue. Article 28 establishes that a controller has a duty to supervise its processors. A controller can outsource its processing, but it can never outsource the responsibility for that processing. This thesis investigates the relationship between controllers and processors with regard to article 28. Using a qualitative approach, 6 interviews were carried out to examine the relationship between a controller and a processor. To assist the two parties in identifying their roles, a list of statements is presented. In order for a controller to supervise a processor, it is necessary to acknowledge the obligations of the processor as laid out in article 28 (3). The thesis furthermore analyses the obligations of a processor once a data processing agreement has been made. Supervision can be done in many ways, but generally there are 2 approaches, a written approach and a physical approach, and the choice between them will depend on the associated risk. For each method the controller has to decide whether to conduct the supervision themselves or to include an external party, e.g. an independent auditor, in circumstances where the controller does not possess the necessary abilities to carry out the actions required, such as tests of controls. To assess the risk of a processing activity, the thesis lays out criteria to assist the controller. To decide which supervisory methods and actions to take, the thesis sets up a matrix that revolves around these criteria. In this matrix the controller can map their criteria to determine the supervisory actions based on a low, medium or high risk assessment.
A controller must decide whether to include an external party. An external party can be an independent auditor, who can deliver an ISAE 3000 assurance report based on the agreed data processing agreement and on whether or not the processor has fulfilled its obligations during a specific period. The thesis then continues by examining how a controller should respond to an independent auditor’s ISAE 3000 assurance report. During a financial audit, the company’s external auditor must reflect on the possible effect of not complying with relevant regulation and law, where GDPR and the possible impact of a fine can be of material effect. To help the auditor evaluate the company’s GDPR compliance, the thesis lays out a list of questions that the auditor can ask the auditee. To illustrate all of the thesis’ considerations and conclusions, a case is then presented. As GDPR is a relatively new regulation, the thesis concludes with a discussion and reflection on the usability of the presented results.

Educations: MSc in Auditing, (Graduate Programme) Final Thesis
Publication date: 2019
Number of pages: 126