(1) Where personal data are processed by other persons or bodies on behalf of a controller, the controller shall ensure compliance with the provisions of this Act and other data protection provisions. The data subject shall assert his or her rights to access, rectification, erasure, restriction of processing and the right to receive compensation against the controller.
(2) A controller may use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the law and ensure the protection of the rights of the data subjects.
(3) Processors shall not engage other processors without prior written authorization by the controller. If the controller has given the processor general authorization to engage other processors, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors. In this case, the controller may object to such changes.
(4) Where a processor engages another processor, the former shall impose on the latter the same data protection obligations as set out in the contract between the controller and the processor as referred to in subsection 5 if these obligations are not already binding for the latter processor because of other legislation. Where that other processor fails to fulfil these obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.
(5) Processing by a processor shall be governed by a contract or other legal instrument that is binding on the processor with regard to the controller and that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal instrument shall stipulate, in particular, that the processor
- acts only on instructions from the controller; if the processor believes that an instruction is unlawful, the processor shall inform the controller without delay;
- ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- assists the controller by any appropriate means to ensure compliance with the provisions on the data subject’s rights;
- at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of data processing services, and deletes existing copies unless law requires storage of the personal data;
- makes available to the controller all information necessary, in particular the logs kept in accordance with Section 76, to demonstrate compliance with these obligations;
- allows for and contributes to audits conducted by the controller or another auditor mandated by the controller;
- complies with the conditions referred to in subsections 3 and 4 for engaging another processor;
- takes all measures required pursuant to Section 64; and
- assists the controller in ensuring compliance with the obligations pursuant to Sections 64 to 67 and 69 taking into account the nature of processing and the information available to the processor.
(6) The contract referred to in subsection 5 shall be in writing or in an electronic form.
(7) A processor that determines, in violation of this provision, the purposes and means of processing, shall be considered a controller in respect of that processing.