Examining Data Protection Audit Rights in Privacy Laws and Contracts
- March 9, 2026
- Posted by: rob
- Category: Data Privacy & Cybersecurity
Audit rights exist in data‑protection laws for one core reason: a controller remains legally responsible for personal data even when a processor handles it. Because the controller cannot entirely “outsource” compliance, the law gives it the tools to verify that processors are meeting required standards.
1. Controllers Retain Legal Accountability
Under laws like the GDPR, the controller is the primary decision‑maker and bears the ultimate responsibility for ensuring lawful processing.
Even if a processor mishandles data, regulators hold the controller accountable.
Audit rights therefore serve as a risk‑management mechanism that allows controllers to:
– Confirm that processors follow the controller’s instructions
– Verify compliance with security, confidentiality, and privacy requirements
– Detect gaps before they become regulatory violations
Without audit rights, the controller would be responsible but powerless.
2. Processors (RM: Sometimes) Handle High‑Risk, Operational Activities
Processors often perform activities that materially affect data protection, such as:
– Hosting and storage
– Identity management
– Customer support
– Analytics
– Infrastructure and security operations
Because processors operate “behind the scenes,” the controller cannot observe their practices directly.
Audit rights create visibility into the processor’s environment, including:
– Technical and organizational security measures
– Sub‑processor management
– Incident response procedures
– Access controls and data segregation
This visibility is essential for assessing whether the processor is a trustworthy extension of the controller’s operations.
3. Legal Frameworks Require Demonstrable Accountability
Modern data‑protection laws are built on the principle of accountability—organizations must not only comply but be able to demonstrate compliance.
Audit rights support this by enabling:
– Evidence gathering for DPIAs
– Vendor risk assessments
– Regulatory inquiries
– Certification and assurance processes
In the GDPR, Article 28(3)(h) explicitly requires processors to “make available to the controller all information necessary to demonstrate compliance” and to “allow for and contribute to audits.”
Other laws follow the same logic (e.g., UK GDPR, LGPD, Quebec Law 25, and many U.S. state privacy laws).
4. Oversight of Sub‑Processors
Processors frequently rely on sub‑processors (cloud providers, ticketing systems, email platforms).
Audit rights allow controllers to:
– Understand the processor’s sub‑processor vetting
– Ensure contractual flow‑down of obligations
– Confirm that data isn’t being transferred or accessed in ways the controller didn’t approve
This is especially important for cross‑border transfers and cloud‑based services.
5. Incident Detection and Response
Audit rights help controllers evaluate whether processors can:
– Detect breaches
– Contain incidents
– Notify the controller promptly
– Maintain logs and evidence
Because breach notification timelines are tight (e.g., 72 hours under GDPR), controllers must ensure processors have the operational maturity to meet them.
6. International Data Transfers and Government Access
In the post‑Schrems II world, controllers must assess:
– Foreign surveillance laws
– Access requests
– Encryption and key‑management practices
Audit rights—combined with Transfer Impact Assessments—give controllers the ability to verify that processors implement supplementary safeguards (technical, contractual, organizational) to protect EU data abroad.
7. Contractual Enforcement and Risk Allocation
Audit rights also serve a commercial purpose:
– They create leverage for the controller
– They allow verification of contractual promises
– They support indemnification and liability frameworks
– They reduce information asymmetry between the parties
In short, they turn compliance obligations into enforceable, monitorable commitments.
In Summary
Data‑protection laws require audit rights because they ensure that controllers can:
– Maintain legal accountability
– Verify processor compliance
– Manage security and privacy risks
– Oversee sub‑processors
– Respond to incidents
– Support international transfer assessments
– Enforce contractual obligations
Audit rights are the operational backbone of the controller–processor relationship: without them, the controller would be responsible for risks it cannot see or control.
Now – back to my analysis. I went through the recommended or contractually required audit clauses for a number of laws.
Business Associate Agreement Audit Rights
HIPAA—the Health Insurance Portability and Accountability Act of 1996—is a U.S. federal law that sets national standards for protecting the privacy and security of individuals’ health information. It governs how healthcare providers, insurers, and their vendors handle protected health information (PHI).
These are the two audit clauses for HIPAA in one of the HHS model business associate agreements:
Availability of Books and Records. Business Associate will make available its internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of PHI, upon request, to the Secretary of HHS for purposes of determining Covered Entity’s and Business Associate’s compliance with HIPAA, and this BAA.
Audit Report. Upon request, Business Associate will provide Covered Entity, or upstream Business Associate, with a copy of its most recent independent HIPAA compliance report (AT-C 315), HITRUST certification or other mutually agreed upon independent standards based third party audit report. Covered entity agrees not to re-disclose Business Associate’s audit report.
This is the sample audit clause in the other business associate agreement template made available by HHS:
Business Associate agrees to make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
However, I more typically see the agreement contain the following addition to allow the Covered Entity to also have an audit right:
Business Associate agrees to make its internal practices, books, and records available to the Secretary and Covered Entity for purposes of determining compliance with the HIPAA Rules.
CCPA Regulations:
The California Consumer Privacy Act (CCPA) is California’s landmark consumer‑privacy law that gives residents rights over their personal information and imposes broad compliance obligations on businesses. It was the first comprehensive U.S. state privacy statute and remains one of the most influential frameworks nationwide. It took effect on January 1, 2020 and has since been strengthened by the California Privacy Rights Act (CPRA).
The contract required by the CCPA for service providers and contractors shall:
Grant the business the right to take reasonable and appropriate steps to ensure that the service provider or contractor uses the personal information that it collected pursuant to the written contract with the business in a manner consistent with the business’s obligations under the CCPA and these regulations. Reasonable and appropriate steps may include ongoing manual reviews and automated scans of the service provider’s system and regular internal or third-party assessments, audits, or other technical and operational testing at least once every 12 months.
GDPR Audit Rights – The General Data Protection Regulation (GDPR) is the European Union’s comprehensive data protection framework. Article 28 of the GDPR governs the relationship between a controller (decides the purposes and means of processing) and a processor (processes data on the controller’s behalf) under the European Union and United Kingdom data protection regimes. It is one of the most frequently invoked GDPR articles in commercial contracts and it requires audit rights.
That contract or other legal act shall stipulate, in particular, that the processor: (h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
Standard Contractual Clauses (Controller to Processor) – Standard Contractual Clauses (SCCs) are the European Commission’s pre‑approved contract terms that US organizations must use when transferring personal data from the EU/EEA when lacking an “adequacy decision” such as the Data Privacy Framework. They are one of the primary GDPR mechanisms for lawful international data transfers and were modernized in 2021 to align with the GDPR and the Schrems II requirements. Here are the audit clauses in them:
(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
DORA – The EU Digital Operational Resilience Act (DORA) is a regulation effective as of January 17, 2025, that mandates strict ICT security and risk management standards for the financial sector.
The contractual arrangements on the use of ICT services supporting critical or important functions shall include, in addition to the elements referred to in paragraph 2, at least the following:
(e) the right to monitor, on an ongoing basis, the ICT third-party service provider’s performance, which entails the following:
(i) unrestricted rights of access, inspection and audit by the financial entity, or an appointed third party, and by the competent authority, and the right to take copies of relevant documentation on-site if they are critical to the operations of the ICT third-party service provider, the effective exercise of which is not impeded or limited by other contractual arrangements or implementation policies;
(ii) the right to agree on alternative assurance levels if other clients’ rights are affected;
(iii) the obligation of the ICT third-party service provider to fully cooperate during the onsite inspections and audits performed by the competent authorities, the Lead Overseer, financial entity or an appointed third party; and
(iv) the obligation to provide details on the scope, procedures to be followed and frequency of such inspections and audits;
Model Controller‑Friendly Audit Clause
I asked Microsoft Copilot to draft a controller-friendly contractual provision for audit rights between a controller and a processor; here is what it produced (with one removal).
– Access and Information. Processor shall make available to Controller all information, records, systems, personnel, and facilities necessary to demonstrate compliance with this Agreement, the GDPR, and any other applicable data‑protection laws. Processor shall respond promptly and accurately to any reasonable inquiries from Controller relating to the Processing of Personal Data.
– Audit by Controller. Controller (or its independent auditor, bound by confidentiality obligations) may, upon at least 10 business days’ notice, conduct audits or inspections of Processor’s data‑processing activities, security measures, and compliance with this Agreement. Controller may conduct such audits no more than once per year, unless (a) required by a regulator, (b) a security incident or material non‑compliance is suspected, or (c) Controller reasonably determines that additional audits are necessary to meet its legal obligations. In such cases, additional audits may be conducted without limitation.
– On‑Site Inspections. Controller may conduct on‑site inspections at Processor’s premises where Personal Data is Processed. Processor shall provide full cooperation, including access to relevant systems, equipment, and knowledgeable personnel. Processor shall ensure that its Sub‑processors agree to equivalent audit rights.
– Third‑Party Reports. Processor may satisfy routine audit obligations by providing Controller with up‑to‑date third‑party audit reports (e.g., SOC 2 Type II, ISO 27001 certification) and written responses to Controller’s security questionnaires. However, such reports do not limit Controller’s right to conduct its own audit where reasonably required.
– Costs. Each party shall bear its own costs associated with an audit, except that Processor shall reimburse Controller for reasonable audit costs where the audit reveals (a) a material breach of this Agreement, (b) non‑compliance with applicable data‑protection laws, or (c) deficiencies requiring remediation.
– Remediation. Processor shall promptly address and remediate any deficiencies, non‑compliance, or risks identified during an audit within a timeframe reasonably specified by Controller. Processor shall provide written confirmation of remediation upon completion.
Why This Clause Is Controller‑Friendly (according to Microsoft Copilot)
– Broad access rights (records, systems, personnel, facilities)
– Low notice period (10 days)
– Unlimited audits in high‑risk situations
– On‑site inspection rights
– Sub‑processor flow‑down
– Cost‑shifting when non‑compliance is found
– Mandatory remediation with deadlines
Here are my practical concerns about it.
Who decides what is necessary to demonstrate compliance with the Agreement? Let’s assume for the sake of argument that a vendor sits in between a large enterprise controller and a large enterprise subprocessor. If the practices of the data controller and subprocessor do not align around what is necessary for full audit cooperation, then the vendor could theoretically be in breach of this clause.
On‑Site Inspection & Full Cooperation: Cloud software is typically hosted by a data center provider like AWS, so the Processor does not have access to conduct an in-person audit there. Access to relevant systems is complicated for vendors holding data from multiple customers. Information about security practices and vulnerabilities could create security concerns for other customers.
Cost-shifting: I feel like this puts the controller’s incentives in the wrong place. They become monetarily incentivized to find and report minor or de minimis non-compliance in order to get reimbursed for their audit costs. This is particularly true if the Controller hires a third party to conduct the data protection audit.
