Are there obligations for controllers to establish controls with respect to data processors?
Last review date: January 2025
Yes.
The obligations are as follows:
☒ controllers must only use processors subject to a written agreement that complies with specific requirements
Are there any direct regulatory or statutory requirements on processors?
Last review date: January 2025
Yes.
The processors must:
- Carry out the activities pursuant to the instructions given by the controllers only, unless exceptions apply
- Provide appropriate security measures and notify the data controller in the event of a breach incident, and
- Prepare and maintain records of personal data processing activities in accordance with the rules and methods to be prescribed by the Personal Data Protection Committee.