Processor Obligations

In this section we give you an overview of the contractual duties we have when we act in the capacity of processor. In the capacity of processor, we shall:

  1. Process personal data as instructed by the controller and on the controller’s behalf.

  2. Ensure that all our personnel that process personal data on behalf of the controller have committed themselves to confidentiality or are under an appropriate obligation of confidentiality, received specific authorization, instructions, and training and that such persons that have access to the personal data process such data in compliance with the controller’s instructions.

  3. Maintain technical and organizational security measures which meet the requirements of the applicable data protection law and ensure to provide sufficient guarantees to the controller on such technical and organizational security measures.

  4. Assist the controller by appropriate technical and organizational measures, insofar as this is feasible, for the fulfillment of the controller’s obligation to respond to requests for exercising data subjects rights.

  5. Make available to the controller all information necessary to demonstrate compliance with the obligations laid down in the GDPR, and to perform a data protection impact assessment.

  6. Allow for and contribute to audits, including inspections conducted by the controller or another auditor mandated by the controller.

  7. Notify the controller without undue delay:
    a. in case we become aware that one of controller’s instructions violate any relevant data protection legislation;
    b. about any legally binding request for disclosure of personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
    c. about any data subject’s right request received without responding to that request, unless we’ve been otherwise authorized to do so;
    d. if we intend to outsource part or all processing activities, providing all necessary information to prove the security of the processing. In this case, we will impose the same requirements (or even stricter) to which we’re subject ourselves under the agreement with the controller on the sub-processor; and
    e. after we become aware of an incident concerning personal data (“personal data breach”) processed on behalf of the controller. In case of such a personal data breach, we will provide the controller with all necessary information and feasible support, to allow the controller to fulfill its notification duties to the supervisory authority and to data subjects.

  8. Process personal data for the retention period agreed with the controller.