Processing by a processor must be governed by an agreement that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of individuals and obligations and rights of the controller. That agreement must provide, in particular, that the processor:
- Processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country;
- Ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as varying likelihood and severity for the rights and freedoms of individuals;
- Does not engage a sub-processor without prior specific or general written authorization of the controller, and in the case of a general written authorization does not add or replace a sub-processor without informing the controller so the controller has the opportunity to object to the addition or replacement;
- Applies the same data protection obligations as set out in the agreement between the controller and the processor to the relationship between the processor and the sub-processor with respect to processing on behalf of the controller;
- Remains fully liable to the controller for the performance of the sub-processor’s obligations;
- Taking into account the nature of the processing, assists the controller by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the controller’s obligation to respond to requests for exercising individual rights;
- Taking into account the nature of the processing
and the information available to the processor, assists the controller in
ensuring compliance with the obligations to:
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
- In the case of a personal data breach, notify the supervisory authority not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals;
- Where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, communicate the personal data breach to the individuals without undue delay;
- Where a type of processing uses new technologies and taking into account the nature, scope, context and purposes of the processing is likely to result in high risk to the rights and freedoms of individuals, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (DPIA); and
- Consult the supervisory authority prior to processing where a DPIA indicates that the processing would result in a high risk in the absence of measures taken to mitigate the risk.
- At the choice of the controller, delete or return all personal data to the controller after the end of providing services relating to processing; and
- Make available to the controller all information necessary to demonstrate compliance with the foregoing obligations and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
If the processor engages a sub-processor with respect to processing on behalf of the controller, the exact same provisions in the agreement between the controller and the processor must be in the agreement between the processor and the sub-processor.
This blog is the 24th in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool can help SMEs implement the GDPR and demonstrate their implementation. Each of the bite size pieces is part of one of the eight topics in GDPRsimple.
Next blog: What is a data breach under the GDPR and what do you do when one happens?