Page 93 - Cyber Warnings
P. 93
• It shall properly abide by the advice of the supervisory authority regarding the
processing and/or transfer of the personal data
• It shall promptly notify the data exporter as and when
Any legally binding request for disclosing the personal data comes from a law
enforcement authority
Any request is received directly from the data subjects
• It shall promptly and properly respond to all the inquiries from the data exporter
relating to how it processes the personal data
• It evaluates the risks inherent in the data processing and timely implements
measures to mitigate those risks by taking reasonable actions
• Upon request of the data exporter and/or the relevant supervisory authority, subjects
its data processing activities and facilities for auditing the deployed security controls,
standards and measures, as per the contractual clauses;
Note: Such audit can either be carried out by the data exporter or by an inspection body
selected by the data exporter. Such an inspection body
a) Comprises of independent members having the required professional
qualifications and bound by the duty of confidentiality
b) has been established in agreement with the supervisory authority
• It has duly informed and taken the prior written consent of the data exporter, before
engaging any sub-processor/sub-contractor for doing its operations on behalf of the
data exporter
• It promptly sends a copy of the sub-processor/sub-contractor agreement to the data
exporter, ensuring that such agreement imposes the same obligations on the sub-
processor as have been imposed on the data importer
• It promptly informs the data exporter about any legislation - either on itself or on any
of its sub-processors - which prevents the data exported from auditing either the data
importer and/or its sub-processors
The Sub-Processor is obligated to
• Fulfil its data protection obligations as per the written service agreement (contract)
with the data importer
• Abide by the provisions relating to the data protection aspects mentioned in the
service agreement (contract) and as governed by the law of the Member State in
which the data exporter is established
• Be fully liable to the data exporter for delivering its obligations as per the written
service agreement (contract)
Note: Such liability of the sub-processor is limited to its own processing operations under
the service agreement (contract) clauses.
93 Cyber Warnings E-Magazine – April 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
