Controllers may only use processors who can provide sufficient guarantees that they will take appropriate technical and organisational measures to ensure that their processing complies with the requirements of the GDPR and protects the rights of data subjects. Controllers should take a number of due diligence measures with respect to the processors they use, which can be summarized as a data protection audit, documentation of data processing activities and, of course, verification.

What should my company do to ensure compliance? First, identify every relationship your company has with suppliers, customers, subcontractors, contractors, agents, resellers, distributors, etc., where you share personal information with them or disclose personal information to them. Depending on the schedule, you may be able to use the "model clauses" published by the European Commission or the UK government. Any contract you enter into that involves a flow of personal data must include an appropriate data clause that complies with the GDPR.

This may seem like an overwhelming list at first glance, but many elements resemble or work together with others. Many of the others are obvious or necessary safeguards to ensure full compliance and open communication between parties sharing and processing personal data and their supervisory authorities.

Processing by a processor shall be subject to a contract or other legal act under Union or Member State law which is binding on the processor vis-à-vis the controller and which specifies the subject matter and duration of the processing, the nature and purpose of the processing, the nature of the personal data and the categories of data subjects, and the obligations and rights of the controller.