When conducting an audit, the controller should be able to confirm that the data are being processed in a compliant way. Essential questions that a processor should always be able to answer include:
- What data are collected?
- Where are the data stored?
- How are the data being protected and documented?
- How long are the data stored?
- What are the processes for requests from a data subject regarding their rights?