Are there obligations for controllers to establish controls with respect to data processors?
Last review date: 2 January 2025
Yes.
Are there any direct regulatory or statutory requirements on processors?
Last review date: 2 January 2025
Yes. Under the PDPD, a processor is responsible for:
- Receiving personal data only after concluding a contract or agreement on data processing with the controller
- Processing personal data in strict accordance with the contract or agreement entered into with the controller
- Applying adequate personal data protection measures set forth in the PDPD and other relevant legal documents
- Being responsible to the data subjects for the damages caused by the processing of personal data
- Deleting and/or returning all personal data to the controller after finishing data processing
- Coordinating with the Ministry of Public Security and competent State authorities in protecting personal data, providing information for investigation and handling of violations of personal data protection regulations