For a controller to use a processor, it must ensure that the processor can meet the requirements stated in Art. 28 GDPR. This means that the controller, for example, only could choose a processor that can guarantee to implement appropriate technical and organisational measures in such manners that the processing still meets the requirements of GDPR.
The controller must also ensure that a data processing agreement between them and the processor are being signed. The agreement needs to comply with the requirements stated in Art. 28 (3).