You need to have a contract or other legally binding agreement with your processors to ensure they are obliged to protect the personal data you are disclosing to them.
Article 28(3) of GDPR covers the basic legal requirements for such a contract, including requirements that the processor:
– Only processes the data based on documented instructions from you
– Ensures their staff are obliged to keep the data confidential
– Puts appropriate measures in place to keep the data secure
– Assists you when an individual exercises one of their data protection rights
– Seeks your prior authorisation for all sub-processors who are, or will be, engaged by them
– Helps you demonstrate compliance with GDPR, including allowing you to audit them