Whenever you as a controller use a processor to process personal data for you, you need to make sure that the processor will provide appropriate technical and organizational security measures that protect the rights of individuals. In order to do that, you must have a written agreement between you and the processor.
If you are a processor who processes personal data for a controller, or if you process personal data for a processor (i.e. you are a sub-processor), then you must have a written agreement between you and the controller (as a processor) or between you and the processor (as a sub-processor). An agreement between a processor and a sub-processor must contain the same data protection provisions as the agreement between the controller and the processor. If the sub-processor fails to fulfill its obligations under the agreement with the processor, the processor remains fully liable to the controller for the performance of the sub-processor’s obligations.
A processor cannot engage or replace a sub-processor without the authorization of the controller. If a processor determines the purposes and means of processing of personal data, then it is no longer a processor and is considered a controller with respect to that processing.
This blog is the 23rd in a series of blogs that explain, in bite-size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation. Each of the bite-size pieces is part of one of the eight topics in GDPRsimple.