Page 91 - Cyber Warnings
• It has suitably instructed the data importer to process the personal data only on
behalf of the data exporter and in accordance with the applicable data protection
laws and contractual clauses
• It has taken guarantees from the data importer about providing at least the following
(contractually agreed) technical and organizational standards and measures:
  • Acceptable Use
  • Access Management
  • Anti-Malware
  • Data Management and Data Protection
  • End User Computing
  • Application Security
  • Licensing
  • IT Performance, Risk and Compliance
  • Logging and Monitoring
  • Mobile Devices Security
  • Cloud Computing and Storage
  • Patching
  • Remote Access Security
  • Third-Party Management
  • Vulnerability Management and Penetration Testing
  • Web Application Security Testing
to be able to ensure reasonable compliance which:
  • Is appropriate to the risks posed by such data processing,
  • Is commensurate with the sensitivity of the personal data being protected, and
  • Keeps in mind the overall cost of implementation
• (In the event of sub-processing) The data processing activities are done while
maintaining the same level of protection for the personal data and safeguarding the
rights of data subjects
• It securely maintains a list of sub-processing agreements as notified by the data
importer, reviews/updates this list at least once a year and makes this list available to
the data exporter’s data protection supervisory authority
• It conducts an impact assessment when a new processing activity poses a high degree
of risk for the data subjects’ information
• It provides the requested information to the data subjects within a maximum of one month of
receiving such a service access request from the data subjects, along with a
summary description of the security measures and the contractual clauses which
govern the processing services (commercial details can be removed)
91 Cyber Warnings E-Magazine – April 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide