Last review date: 31 December 2024
Yes. The controller is obliged to appoint a processor that provides sufficient guarantees regarding the security measures in place in a manner that ensures the processing satisfies the requirements of the PDPL. This concept is in line with the GDPR.
The obligations are as follows:
☒ controllers must conduct due diligence on the processor to ensure it will provide appropriate security and processing of the personal data
☒ controllers must only use processors subject to a written agreement that complies with specific requirements
The PDPL is almost entirely silent on the obligations of processors — the focus of the PDPL is almost exclusively on controllers. In this respect, the PDPL is similar to the predecessor to the GDPR, Directive 95/46/EC. The Implementing Regulations confirmed that the obligations under the PDPL will flow down to processors through contractual terms rather than statutory requirements applying directly to the processor. However, the PDPL also states that when the processor violates any instructions received from a controller or breaches the relevant data processing agreement, it will be considered a controller. As such, the processor would be held directly accountable for violating any provisions of the PDPL in those circumstances.