Processing Contracts Procedure

DocumentKits Issue No: 1.0 Organisation Issue No:

DocumentKits Issue Date: 26/06/2020 Organisation Issue Date:

1. Scope

All contracts with third parties regarding the processing of personally identifiable information (PII) are
within the scope of this procedure. This procedure supplements Managing Third Party Service Contracts and
External Parties: Information Security and Privacy Procedure.

2. Responsibilities

2.1 is responsible for drawing up and/or reviewing all processing contracts where G42 is acting as a
controller, processor or joint controller.

2.2 Data Protection Officer is responsible for ensuring that any privacy controls mandated in contracts are
adequate to protect PII while under control of the third party.

2.3 The of third-party relationships are responsible for ensuring that all external data processing is
contracted out in line with this procedure.

3. Procedure

3.1 Where there is a business need for working with external parties, G42 ensures that the privacy of any PII
is not reduced.

3.2 Contracts with PII processors and joint controllers are governed by contracts drawn up by using as a
basis.

3.3 Contracts require PII processors and joint controllers to implement controls.

3.4 PII processing agreements between G42 and external parties set out the following:

3.4.1 G42’s Information Security Policy and the Data Protection and Privacy Policy.

G42
Classification_1,Classification_2,Classification_3,Classification_4
This document contains material that is distributed under licence from IT Governance Publishing Ltd.

3.4.2 The controls identified as required in accordance with 3.3 above, and the responsibilities for
implementing them.

3.4.3 A clear definition and/or description of the processing to be provided, and a description of PII to be
made available.

3.4.4 The roles and responsibilities of each party in relation to the PII (i.e. PII controller, PII processor, joint
controller).

3.4.5 Terms for PII retention and disposal.

3.4.6 Requirements for user and administrator education, training and awareness.

3.4.7 Provisions for personnel transfer, where relevant.

3.4.8 Description of responsibilities regarding software and hardware installation, maintenance and
decommissioning as it relates to the PII processing.

3.4.9 Clearly defined reporting process, reporting structure, reporting formats, escalation procedures and
the requirement for the external party to adequately resource the compliance, monitoring and reporting
activities.

3.4.10 A specified change management process.

3.4.11 The target level for service and security, unacceptable service and security levels, definition of
verifiable performance and security criteria, monitoring and reporting.

3.4.12 The right to monitor and audit performance (including of the third party’s processes for change
management, vulnerability identification and information security incident management), to revoke
activities, and to use external auditors.

3.4.13 Service continuity requirements.

3.4.14 Liabilities on both sides, legal responsibilities and how legal responsibilities (including data
protection and privacy) are to be met.

3.4.15 The protection of intellectual property rights, including copyright.

3.4.16 Controls over any allowed sub-contractors.

3.4.17 Conditions for termination/renegotiation of agreements, including contingency plans.

3.4.18 How PII principals will be informed of the arrangement between controller and processor, or between
joint controllers.

3.4.19 How PII principals can obtain other information relating to the processing activity and responsibilities
for providing that information.

3.4.20 For joint controllers, the contact point for PII principals.

Document owner and approval

The Management System Owner (MSO) is the owner of this document and is responsible for ensuring that it
is reviewed in line with the requirements of the management system.

The current version of this document is available to and is published

Its approval status can be viewed in the Master List of Document Approval.
