Data Processors
Are there obligations for controllers to establish controls with respect to data processors?

Last review date: 13 January 2025

Yes

A controller should reach an agreement with the processor concerning the purpose, terms and methods of processing, the types of personal information being processed, the protection measures, and the parties' respective rights and obligations. The controller should also monitor the processing activities of the processor.

The Network Data Security Regulations further require that unless exempted by applicable law, the controller of important data must conduct a security assessment before sharing any important data with the processor.

Are there any direct regulatory or statutory requirements on processors?

Last review date: 13 January 2025

Yes

A processor should process personal information strictly in accordance with the agreement with the controller, take the requisite security protection measures, and assist the controller in fulfilling the requirements stipulated under the PIPL.