PONT Data&Privacy


Article 28

Processor

  1. Where processing is carried out on behalf of a controller, the controller shall only use processors providing sufficient guarantees in respect of the application of appropriate technical and organizational measures so that the processing meets the requirements of this Regulation and the protection of the rights of the data subject is ensured.

  2. The processor shall not hire any other processor without the prior specific or general written consent of the controller. In the case of general written consent, the processor shall inform the controller of intended changes regarding the addition or replacement of other processors, giving the controller the opportunity to object to these changes.

  3. The processing by a processor shall be governed by a contract or other legal act under Union or Member State law binding the processor to the controller, and defining the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the rights and obligations of the controller. In particular, that agreement or other legal act shall provide that the processor:

  (a) processes the personal data only on the basis of written instructions from the controller, including with respect to transfers of personal data to a third country or an international organization, unless a provision of Union or Member State law applicable to the processor obliges it to process, in which case the processor shall notify the controller, prior to processing, of that legal requirement, unless that law prohibits such notification for important public interest reasons;

  (b) ensures that the persons authorized to process personal data have undertaken to maintain confidentiality or are bound by an appropriate legal obligation of confidentiality;

  (c) takes all measures required in accordance with Article 32;

  (d) meets the conditions for employing another processor referred to in paragraphs 2 and 4;

  (e) taking into account the nature of the processing, assists the controller by appropriate technical and organizational measures, to the extent possible, in fulfilling its duty to respond to requests for the exercise of the data subject's rights set out in Chapter III;

  (f) taking into account the nature of the processing and the information available to it, assists the controller in enforcing the obligations under Articles 32 to 36;

  (g) after completion of the processing services, at the controller's option, erases all personal data or returns them to it, and deletes existing copies, unless storage of the personal data is required by Union or Member State law;

  (h) makes available to the controller all information necessary to demonstrate compliance with the obligations set forth in this Article and enables and contributes to audits, including inspections, by the controller or an auditor authorized by the controller.

As regards point (h) of the first paragraph, the processor shall immediately notify the controller if, in its opinion, an instruction violates this Regulation or other provisions of Union or Member State law on data protection.

  4. Where a processor engages another processor to carry out specific processing operations on behalf of the controller, the other processor shall be bound by a contract or any other legal act governed by Union or Member State law by the same data protection obligations as those contained in the contract or other legal act between the controller and the processor referred to in paragraph 3, in particular the obligation to provide adequate safeguards in relation to the implementation of appropriate technical and organizational measures for the processing to comply with the provisions of this Regulation. Where the other processor fails to comply with its data protection obligations, the first processor shall remain fully liable to the controller for compliance with the obligations of that other processor.

  5. Adherence to an approved code of conduct referred to in Article 40 or an approved certification mechanism referred to in Article 42 may be used as an element to demonstrate that sufficient guarantees referred to in paragraphs 1 and 4 of this Article are provided.

  6. Without prejudice to any individual agreement between the controller and the processor, the contract or other legal act referred to in paragraphs 3 and 4 of this Article may be based in whole or in part on the standard contractual clauses referred to in paragraphs 7 and 8 of this Article, even if they form part of the certification granted by a controller or processor under Articles 42 and 43.

  7. The Commission may adopt standard contractual clauses for the matters referred to in paragraphs 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93(2).

  8. A supervisory authority may prepare standard contractual clauses for the matters referred to in paragraphs 3 and 4 of this Article and in accordance with the coherence mechanism referred to in Article 63.

  9. The agreement or other legal act referred to in paragraphs 3 and 4 shall be in written form, including electronic form.

  10. Without prejudice to Articles 82, 83 and 84, if a processor determines the purposes and means of a processing operation in violation of this Regulation, that processor shall be considered the controller in relation to that processing operation.