Our data processor has included the provision to charge us a fee to cover their expense of providing resources to facilitate an audit or inspection that we, as Controller, might wish to do. I’ve not seen this before, has anyone else accepted this from their Processor?
lara
I have seen similar clauses and have always pushed back as I don’t think either party should pay for the other to comply with its own obligations under the GDPR. I have never had to accept it so far. I agree it is more of a commercial decision but as long as audit rights are limited (e.g. once a year or when there is a data breach rather than unlimited audit right) then it is reasonable to ask that each party bears its own costs.
Dean
I seen a good deal of contracts where data processors use wording like “at Customer cost, Supplier will”.
The GDPR is silent on whether a data processor should be paid for assisting with a data controller’s obligations, and especially in the audit right.
From a data processors perspective, it is a commercial discussion, rather than a data protection question. Will they help with audit, yes, is it going to cost the controller for the processor’s time, yes.
You can always try to push back, but I’ve added words like, “reasonable” into those clauses and you can even reference to a fee model so that costs don’t spiral.