34
15039/15
VH/np
115
ANNEX
DGD 2C
LIMITE
EN
2. The carrying out of processing by a processor shall be governed by a contract or other legal
act under Union or Member State law, binding the processor to the controller, setting out the
subject-matter and duration of the processing, the nature and purpose of the processing, the
type of personal data and categories of data subjects, the obligations and rights of the
controller and stipulating in particular that the processor shall:
(a) process the personal data only on documented instructions from the controller,
including with regard to transfers of personal data to a third country or an international
organisation, unless required to do so by Union or Member State law to which the
processor is subject; in such a case, the processor shall inform the controller of that
legal requirement before processing the data, unless that law prohibits such information
on important grounds of public interest;
(b) ensure that persons authorised to process the personal data have committed themselves
to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) take all measures required pursuant to Article 30;
(d) respect the conditions referred to in paragraphs 1a and 2a for enlisting another
processor;
(e) taking into account the nature of the processing, assist the controller by appropriate
technical and organisational measures, insofar as this is possible, for the fulfilment of
the controller’s obligation to respond to requests for exercising the data subject’s rights
laid down in Chapter III;
(f) assist the controller in ensuring compliance with the obligations pursuant to Articles 30
to 34 taking into account the nature of processing and the information available to the
processor;
(g) at the choice of the controller, delete or return all the personal data to the controller after
the end of the provision of data processing services, and delete existing copies unless
Union or Member State law requires storage of the data;
(h) make available to the controller all information necessary to demonstrate compliance
with the obligations laid down in this Article and allow for and contribute to audits,
including inspections, conducted by the controller or another auditor mandated by the
controller. The processor shall immediately inform the controller if, in his opinion, an
instruction breaches this Regulation or Union or Member State data protection
provisions.
2a. Where a processor enlists another processor for carrying out specific processing activities on
behalf of the controller, the same data protection obligations as set out in the contract or other
legal act between the controller and the processor as referred to in paragraph 2 shall be
imposed on that other processor by way of a contract or other legal act under Union or
Member State law, in particular providing sufficient guarantees to implement appropriate
technical and organisational measures in such a way that the processing will meet the
requirements of this Regulation. Where that other processor fails to fulfil its data protection
obligations, the initial processor shall remain fully liable to the controller for the performance
of that other processor's obligations.
2aa. Adherence of the processor to an approved code of conduct pursuant to Article 38 or an
approved certification mechanism pursuant to Article 39 may be used as an element to
demonstrate sufficient guarantees referred to in paragraphs 1 and 2a.
2ab. Without prejudice to an individual contract between the controller and the processor, the
contract or the other legal act referred to in paragraphs 2 and 2a may be based, in whole or in
part, on standard contractual clauses referred to in paragraphs 2b and 2c, including when they
are part of a certification granted to the controller or processor pursuant to Articles 39 and
39a.
2b. The Commission may lay down standard contractual clauses for the matters referred to in
paragraph 2 and 2a and in accordance with the examination procedure referred to in Article
87(2).
2c. A supervisory authority may adopt standard contractual clauses for the matters referred to in
paragraph 2 and 2a and in accordance with the consistency mechanism referred to in
Article 57.
3. The contract or the other legal act referred to in paragraphs 2 and 2a shall be in writing,
including in an electronic form.
4. Without prejudice to Articles 77, 79 and 79b, if a processor in breach of this Regulation
determines the purposes and means of data processing, the processor shall be considered to be
a controller in respect of that processing.
5. (…).
Article 27
Processing under the authority of the controller and processor
The processor and any person acting under the authority of the controller or of the processor who
has access to personal data shall not process them except on instructions from the controller, unless
required to do so by Union or Member State law.
Article 28
Records of processing activities
1. Each controller and, if any, the controller's representative, shall maintain a record of
processing activities under its responsibility. This record shall contain the following
information:
(a) the name and contact details of the controller and any joint controller, the controller's
representative and the data protection officer, if any;
(b) (…)
(c) the purposes of the processing;
(d) a description of categories of data subjects and of the categories of personal data;
(e) the categories of recipients to whom the personal data have been or will be disclosed
including recipients in third countries;
(f) where applicable, transfers of data to a third country or an international organisation,
including the identification of that third country or international organisation and, in
case of transfers referred to in point (h) of Article 44(1), the documentation of
appropriate safeguards;
(g) where possible, the envisaged time limits for erasure of the different categories of data;
(h) where possible, a general description of the technical and organisational security
measures referred to in Article 30(1).
2a. Each processor and, if any, the processor’s representative shall maintain a record of all
categories of personal data processing activities carried out on behalf of a controller,
containing:
(a) the name and contact details of the processor or processors and of each controller on
behalf of which the processor is acting, and of the controller's or the processor’s
representative, and the data protection officer, if any;
(b) (…)
(c) the categories of processing carried out on behalf of each controller;
(d) where applicable, transfers of data to a third country or an international organisation,
including the identification of that third country or international organisation and, in
case of transfers referred to in point (h) of Article 44(1), the documentation of
appropriate safeguards;
(e) where possible, a general description of the technical and organisational security
measures referred to in Article 30(1).
3a. The records referred to in paragraphs 1 and 2a shall be in writing, including in an electronic
form.
3. Upon request, the controller and the processor and, if any, the controller's or the processor’s
representative, shall make the record available to the supervisory authority.
4. The obligations referred to in paragraphs 1 and 2a shall not apply to an enterprise or an
organisation employing fewer than 250 persons unless the processing it carries out is likely to
result in a risk for the rights and freedoms of data subjects, the processing is not occasional, or
the processing includes special categories of data as referred to in Article 9(1) or processing
of data relating to criminal convictions and offences referred to in Article 9a.
5. (…)
6. (…).
Article 29
Co-operation with the supervisory authority
1. The controller and the processor and, if any, the representative of the controller or the
processor, shall co-operate, on request, with the supervisory authority in the performance of
its tasks.
2. (…).
SECTION 2
DATA SECURITY
Article 30
Security of processing
1. Having regard to the state of the art and the costs of implementation and taking into account
the nature, scope, context and purposes of the processing as well as the risk of varying
likelihood and severity for the rights and freedoms of individuals, the controller and the
processor shall implement appropriate technical and organisational measures, to ensure a level
of security appropriate to the risk, including inter alia, as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of
systems and services processing personal data;
(c) the ability to restore the availability and access to data in a timely manner in the event
of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical
and organisational measures for ensuring the security of the processing.
1a. In assessing the appropriate level of security account shall be taken in particular of the risks
that are presented by data processing, in particular from accidental or unlawful destruction,
loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or
otherwise processed.
2. (…)
2a. Adherence to an approved code of conduct pursuant to Article 38 or an approved certification
mechanism pursuant to Article 39 may be used as an element to demonstrate compliance with
the requirements set out in paragraph 1.