In principle, every Controller and PNO client has the right to audit the technical and organizational measures implemented by the respective (sub-)Processor and by PNO.

Because PNO advice/management support operates under a shared-responsibility model, an audit by the client is excluded for that service.

For the PNO Compliance service, the yearly ISO 27001 reports for ffiqs replace an actual audit. The ISO certification is also an extra incentive for clients to hire ffiqs.

For the SaaS service, the right to audit will be evaluated in due time.

When PNO is a Beneficiary in an EU consortium, the right to audit is usually arranged in an appendix to the consortium agreement; see the quote below. Where it is not, the right to audit can be covered in a Processing Agreement.

The introducing Beneficiary is entitled to perform an audit of the accessing Beneficiary/Third Party’s Processes for Personal Data both during the term of the Action and for seven (7) years after the completion of the Action] in accordance with the foregoing and the provisions of the Consortium Agreement. For this purpose, the accessing Beneficiary/Third Party will inform the introducing Beneficiary upon request and provide necessary documents and information to the introducing Beneficiary. The accessing Beneficiary/Third Party is obliged to perform internal audits to ensure compliance with its obligations.
The transfer of Personal Data on a Controller-to-Controller basis does not modify the acknowledgment and/or allocation of intellectual property rights of clauses 6, 7 and 8 of this Consortium Agreement. This transfer shall only be the consequence of honoring the rights (e.g., ownership, licenses or Access Rights) that both the introducing Beneficiary and the accessing Beneficiary/Third Party shall have on the relevant Background and Results according to clauses 6, 7 and 8 of this Consortium Agreement.

Source: European IMI project, Appendix 2: Actions involving Personal Data and/or Human Samples