Information for personal data processors
Obligations of the data processor:
- process personal data only in accordance with the documented instructions of the controller, including in relation to the transfer of personal data to a third country or to an international organisation, unless required to do so by Union or Member State law to which the processor is subject, in which case the processor shall notify the controller of such legal requirement prior to the processing, except where such notification is prohibited by that law for overriding reasons of public interest;
- ensure that the persons authorised to process the personal data are subject to an obligation of confidentiality or to an appropriate statutory obligation of confidentiality;
- implement appropriate technical and organisational measures to ensure a level of security commensurate with the risks, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons;
- inform the controller in writing of any planned changes to the use or replacement of other processors, thereby giving the controller the opportunity to object to such changes;
- not use another processor without the prior specific or general written authorisation of the controller. Where a processor engages another processor to carry out specific processing activities on behalf of the controller, the contract or other legal act under Union or Member State law shall impose on that other processor the same data protection obligations as those laid down in the contract or other legal act between the controller and the processor, in particular the obligation to sufficiently ensure that appropriate and sufficient technical and organisational measures are in place. Where that other processor fails to comply with the data protection obligations, the original processor remains fully responsible to the controller for the fulfilment of the obligations of that other processor;
- assist the controller, taking into account the nature of the processing, by means of appropriate technical and organisational measures, to the extent possible, in order to fulfil the controller’s obligation to respond to requests to exercise the rights of the data subject;
- assist the controller in ensuring compliance with the obligations of security of processing, of notification of a personal data breach to the supervisory authority and of notification of a personal data breach to the data subject, taking into account the nature of the processing and the information available to the processor;
- at the choice of the controller, erase or return to the controller all personal data and erase existing copies of the personal data after the completion of the provision of the services related to the processing, unless the personal data are required by Union or Member State law to be retained;
- provide the controller with all information necessary to demonstrate compliance with the obligations imposed on the processor and to enable and assist the controller or any other auditor authorised by the controller to carry out audits, including inspections.