Data Processors
Are there obligations for controllers to establish controls with respect to data processors?

Last review date: 20 December 2024

Yes

The obligations are as follows:

☒  controllers must only use processors subject to a written agreement that complies with specific requirements

☒  other

Under the DPDP Act, data fiduciaries may engage data processors to process personal data on their behalf only under a valid contract. While the responsibility to comply with the provisions of the DPDP Act lies with data fiduciaries, there are a few indirect compliance requirements for data processors that may be included in the contract between the data fiduciary and data processor. These include:

  1. Protecting the personal data in its possession by taking reasonable security safeguards to prevent personal data breaches
  2. Notifying the DPBI and the affected data principal(s) upon the occurrence of any personal data breach
  3. Restricting the transfer of personal data to blacklisted countries, and
  4. Erasing personal data after the specified purpose of processing is fulfilled and retention is not necessary under any other laws

Are there any direct regulatory or statutory requirements on processors?

Last review date: 20 December 2024

No