Thanks for the questions and interest. The topic is broad, so to paint a big picture: GDPR rules apply to us (Bluesquare) in any case (we are an EU-based company) as data processors.
Then there are a lot of different possible cases depending on the controller's situation (the controller is normally our customer) - notably, a "lawful basis for data collection" can exist in a lot of cases - so there is not a single flavour of processor/controller agreement.
Our general approach is to ask the customer whether they did their due diligence (regarding individual data - aggregated data is generally not a problem there). Some of the GDPR rules may not apply if the customer is, for example, a non-EU government (a ministry of health does not have to ask for consent to collect data about its own population, for example; a health program may have the proper agreement from the country, etc.) - we'll raise the concern anyway, as we think the conversation is useful.
We actually think the GDPR principles are good regardless of whether you have to comply or not (limit personal data collection, anonymize when you can, don't reuse personal data for different reasons than those it was collected for initially, etc.).
On our side, we're "just" the processor, which means that our rule is pretty simple - we host the data, we don't own it, so we obviously don't do anything with it outside of what our customer requires or what our hosting job requires (example again: I have to have access to the database in order to maintain it, but I won't look at anything specific except if this is required to provide you support - and in that case I'll ask).
To answer specifically - we're using all DHIS2 audits that are available (and with the "metadata audit" feature available since 2.29, you can track both data and metadata audits). Some aspects may still be tricky (example: deleting a specific person's data currently requires going into the database, which is inconvenient), but we don't see anything blocking usage in a GDPR context.
I hope this answers part of your questions - we're quite happy to discuss further and share our learning/understanding about GDPR compliance. I'll check with my more legally oriented colleagues whether there are aspects we can share publicly, but don't hesitate to contact me back here or via email if you want to pursue the exchange.