Data processor audit

The site is under construction. The content was last updated in February 2026. Please note that we update the page regularly.


Do you use a data processor? Here you can get more information on:

  • What an audit is
  • Why you should audit a data processor
  • How to audit a data processor

Introduction to audits

What does audit mean, why is it necessary, and who is responsible?

When you allow an external party (a data processor) to process personal data on behalf of Aarhus University (AU), AU has a duty to ensure that the processing takes place legally and securely. In order to ensure this, AU must audit the data processor.

In short, the audit is about checking that the data processor follows the rules and what is stated in the data processing agreement. The person or unit at AU that owns the system or has purchased the service is responsible for the audit. In many cases, it will therefore not be you as a researcher who is responsible for the task. However, if you have purchased a system or service specifically for your project, it is you who must ensure that the data processor is audited.

Audit starts even before the agreement is entered into

The work of auditing actually begins before you even sign an agreement.

The following steps need to be in place before the agreement is signed, because they form the basis for how, and how often, the audit should be carried out.

1. Clarify the need

Find out what the purpose of the data processing is.

2. Make a risk assessment

Assess the level of security that is necessary and document the assessment.

3. Choose a data processor

Check whether the data processor can meet the requirements you have identified. Document the assessment.

4. Determine the method and frequency of an audit

Use AU's model to find out how and how often you should audit.

5. Enter into the data processing agreement

Remember that your assessment of the method and frequency of audit is part of the data processing agreement. Contact TTO ([email protected]) for help in getting the agreement in place.

Audit models

Aarhus University (AU) uses four different models to audit data processors in research projects. The choice of model depends on how the personal data is processed, the scope of the processing and the risks that may be associated with it.

The models are based on the principles in the Danish Data Protection Agency's guidance on audits of data processors. Below you can read more about the individual models and find templates that you can use when you need to carry out an audit.

Model 1: Ad hoc audit

What does ad hoc audit mean?

This means that, as a general rule, AU does not need to carry out regular audits.

An audit will only be necessary if AU becomes aware of conditions at the data processor that give rise to concern, e.g.:

  • Security breach

  • Complaints

  • Critical coverage in the media

  • Information from the data processor itself

In short: we only audit if there are signs that something may be wrong.

How can an ad hoc audit be carried out?

Examples of tools:

  • Random checks – e.g. checking whether employees have received security training

  • Request for information (Download template)

  • Elaborated status (see model 3)

  • Physical inspection (see model 4)

Model 2: Written confirmation

Here, AU asks the data processor for a short, written statement in which they confirm:

  • that they comply with the data processing agreement, and
  • that there have been no changes that require stricter auditing.

Download template

Model 3: Detailed status

At fixed intervals, the data processor must send a more detailed written status to AU. It must cover at least:

  • Compliance with instructions
  • Employee confidentiality
  • Technical and organisational security measures
  • Sub-processors (if applicable)
  • Transfers (if applicable)
  • Assistance with AU's obligations (if applicable)
  • Handling of data upon termination of the collaboration

If the data processor does not provide a status on its own initiative, AU can use:

  • Template for inquiry (a template is on the way)
  • Request for information (Download template)

Model 4: Third-party statement or extended audit carried out by AU

This model has two options:

  1. use of a third-party statement, or
  2. an extended audit carried out by AU.

1. Third-party statement

A third-party statement is an independent assessment of the data processor's security and compliance — typically made by an auditor.

The most common type in Denmark is ISAE 3000, which assesses the data processor's handling of personal data according to Article 28 of the General Data Protection Regulation.

AU accepts:

  • ISAE 3000 (both general and specific, both type 1 and type 2)
  • ISAE 3402
  • Other statements such as SOC, HITRUST, etc., if they are relevant and cover the required area

What does AU need to check in a third-party statement?

  • Who made it?
  • What type of statement is it, and is it representative?
  • Is it made specifically for AU or in general?
  • Which method is used?
  • Does it cover the processing carried out by the data processor for AU?
  • Does it show deficiencies that require follow-up?

Download template for assessment of third-party statement


2. Extended audit by AU

An extended audit can be:

  1. A written audit
  2. A written audit and an inspection (physical)
  3. An inspection (physical) only

Written audit

The written audit builds on questions from the ISAE 3000 framework.

Download template

Physical inspection

Relevant when the data processor's work depends on physical security, e.g.:

  1. Storage of biological material
  2. Storage of equipment containing personal data

What can AU inspect?

Examples (inspired by ISO 27001 Annex A.11):

  • Doors, windows, alarms, video surveillance
  • Access control (who can enter where?)
  • Anti-theft
  • Protection against fire, flood, power outages
  • Disposal of equipment and information
  • Location of equipment

AU's own policy on physical security can be found here: https://medarbejdere.au.dk/en/informationsecurity/policies/physical-security


How to determine the audit method

You can use these tools if you need help assessing which audit method is appropriate for your situation.

1. Score calculator

Information about the processing activity (each item contributes points to the total score):

  1. Number of data subjects involved
  2. Special categories of personal data and/or data relating to criminal offences
  3. Other sensitive or confidential data
  4. Special processing activities

2. Audit models (options)

The total number of points determines which audit models are possible:

  • 1-2 points: you can choose between models 1-4
  • 3-4 points: you can choose between models 2-4
  • 5-6 points: you can choose between models 3-4
  • 7-10 points: you need model 4

3. Choose between several models

If you have several possible models to choose from, your choice of model should reflect the risks associated with the processing and with the data processor. At the same time, it is important to choose a model that is practicable.


How to assess how often you need to carry out an audit

When you choose an audit model, you must also decide how often the audit should be carried out. As a general rule, an annual audit may be appropriate, but both shorter and longer intervals may be relevant depending on the situation.

Important factors you should take into account

Below you will find the most important factors you should take into account.

🔎 Risks of the processing

The higher the risk, the more frequent the audits should be. If the processing involves sensitive data or is of great importance to the data subjects, the audit should be carried out more often.

⏳ Duration of the service

  • Short-term processing, where data is deleted quickly, may speak in favour of less frequent or no audits.
  • Long-term processing may require more frequent monitoring, for example because the risk increases over time.

⚠️ Specific incidents

Certain incidents may trigger the need for an extra audit or a stricter audit scheme, e.g.:

  • Security breaches
  • Personal data breaches
  • Problems with the handling of data subjects' rights – if, for example, the data processor cannot support access, deletion or objections, the audit scheme should be intensified.

🤝 Knowledge and trust in the data processor

Consider:

  • Is it a known and stable business partner?
  • Is it a public authority or a private company?
  • Does the data processor have certifications or follow recognised standards?

High trust and documented security may speak in favour of longer intervals between audits.

🔗 Use of sub-processors

If the data processor uses sub-processors, this can increase complexity and risk — and thus the need for more frequent audits.