I have a question around DPIA’s and our Clients data
As a security Monitoring company providing SOC-as-a-service, we are a ‘processor’ to our clients, and we monitor their networks/systems under contractual obligation.
Would we be required to carry out DPIA’s on our Client Data as a processor as well as our own data as a controller?
From what I understand we would carry out a DPIA on their data if they request that we do so. Is this correct?
If this is not clear or you need more information, feel free to let me know.