Danish SA reprimanded Region Syddanmark for not having sufficiently clear processor auditing procedures

The DPA (SA) highlighted that entering into a data processing agreement that contains security obligations is not sufficient, and that the controller must also oversee that the processor actually adheres to the agreement. The fact that the controller had auditing procedures in place was not good enough if these auditing procedures were not being followed in practice.