Data Processors
Are there obligations for controllers to establish controls with respect to data processors?

Last review date: 18 December 2024

☒ Yes

The controller is obliged to appoint a processor who provides sufficient guarantees regarding security measures (i.e., those measures applied to protect personal data) in a manner that ensures that the processing satisfies the requirements of the PDPL. However, the PDPL does not set out any specific criteria that must be considered when selecting a processor, nor does it require that the appointment of the processor be documented by the controller in writing (although this may be implied by other provisions of the PDPL).

The obligations are as follows:

☒    controllers must conduct due diligence on the processor to ensure it will provide appropriate security and processing of the personal data

Are there any direct regulatory or statutory requirements on processors?

Last review date: 18 December 2024

☒ Yes

The processor must:

  1. carry out processing in accordance with the instructions of the controller, and the agreements concluded between them that specify in particular the scope, subject, purpose, nature of the processing, the type of personal data and the categories of the data subjects;
  2. adopt the appropriate technical and organizational measures and procedures to protect the personal data at the design stage, whether during the identification of the means of processing or during the processing itself, taking into account the cost of implementing these measures and procedures and the nature, scope and purposes of the processing;
  3. carry out the processing in compliance with the purpose and for the specified period, and in the event that the processing exceeds the specified period, notify the controller of the same to allow the controller to authorize them to extend this period or to give the appropriate directions;
  4. delete the data after the expiry of the processing period or hand it back to the controller;
  5. not take any action that would disclose the personal data or the results of processing, except in cases authorized by law;
  6. protect and secure the processing and secure the electronic media and devices used in the processing, as well as the personal data on them;
  7. maintain a special record of the personal data processed on behalf of the controller, to include the data of the controller, processor and data protection officer, a description of the categories of the personal data it has, the data of the persons authorized to access the personal data, the processing periods, limitations and scope of processing, the mechanism for deleting, modifying or processing personal data, the purpose of processing, any data relating to the cross-border movement and processing of such data, and the technical and organizational measures for information security;
  8. in the event of a data breach, immediately inform the controller and file a report with the Data Office; and
  9. at the request of the controller or the Data Office, provide all means to prove compliance with the provisions of the PDPL.

If more than one processor participates in the processing, such processing shall be carried out in accordance with a written contract or agreement that clearly defines their obligations, responsibilities and roles in respect of the processing, otherwise they will be jointly held liable for the obligations and responsibilities contained in the PDPL and its implementing regulations.

The implementing regulations may detail further requirements and technical standards related to compliance with these obligations.