☐, the processor must undergo audits and inspections. The processor must also provide the controller with all the information it needs to ensure that both parties comply with their obligations under Article 28. In addition to its contractual obligations to the controller, a processor has certain direct responsibilities under the GDPR. If a subcontractor fails to comply with its obligations or acts outside or against the instructions of the controller, it may pay damages in connection with legal proceedings or be sanctioned by fines or other penalties or corrective measures. While small businesses may not need such a large number or in-depth processing agreements, they should nevertheless have them when using third-party or data processing services with which they share their users` personal data. These contracts shall ensure that all parties concerned process personal data correctly and shall first set out requirements that data processors must comply with before making themselves known to the data provided by the data controller. These include the data controller who informs the competent authority, as well as the processor who informs its data controller, as described in the GDPR guidelines on appropriate processing agreements….