Professional Documents
Culture Documents
existing c
The relationship between the GDPR Articles and the Microsoft service controls is organized by a set of privacy and security co
techniques -- Enhancement to ISO/IEC 27001 for privacy management – Requirements. (To purchase a copy of the complete d
These control mappings are focused specifically on GDPR obligations. Microsoft Services implement these and other controls
NIST 800-171, UK G-Cloud, and many others. Visit our compliance offering list at https://www.microsoft.com/en-us/trustcent
Those controls marked “Primary” in the mapping also appear in the Compliance Manager under Microsoft Managed Controls
Use of these files is governed by the agreement under which you obtained these services and may not be used to reverse eng
[Revised 5.24.18]
Column Heading
ISO Control Number
ISO Control Title
Microsoft Service Control ID
Microsoft Service Control Title
Primary/Secondary
GDPR Article
GDPR Article Text
will be updated from time to time as Microsoft incorporates new controls and tests existing controls. Please review the date of the downloa
PR Articles and the Microsoft service controls is organized by a set of privacy and security controls, labeled “ISO Control Number” and “ISO
/IEC 27001 for privacy management – Requirements. (To purchase a copy of the complete draft ISO standard, please visit https://shop.bsig
ed specifically on GDPR obligations. Microsoft Services implement these and other controls to support security and data protection, includ
any others. Visit our compliance offering list at https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings.
in the mapping also appear in the Compliance Manager under Microsoft Managed Controls, allowing you to use them to track, assign, and
he agreement under which you obtained these services and may not be used to reverse engineer or competitively benchmark any Microso
ISO Control Number” and “ISO Control Title.” The numbers and titles are drawn from ISO/IEC CD 27552 Information technology -- Security
rd, please visit https://shop.bsigroup.com/ProductDetail?pid=000000000030372571.)
rity and data protection, including to support certifications to standards including FedRamp, HIPAA/HITECH, ISO 27001, ISO 27002, ISO 270
complianceofferings.
o use them to track, assign, and verify your organization's regulatory compliance activities with respect to Microsoft cloud services.
titively benchmark any Microsoft software, service, or technology.
n technology -- Security
ft cloud services.
Azure includes:
API Management
App Service (API Apps Logic Apps Mobile Apps Web Apps)
Application Gateway
Application Insights
Automation
Azure Active Directory
Azure Container Service
Azure Cosmos DB (formerly DocumentDB)
Azure DevTest Labs
Azure DNS
Azure Information Protection (including Azure Rights Management)
Azure Resource Manager
Backup
Batch
BizTalk Services
Cloud Services
Data Catalog
Data Factory
Data Lake Analytics
Data Lake Store
Event Hubs
Express Route
Functions
HDInsight
Import/Export
IoT Hub
Key Vault
Load Balancer
Log Analytics (formerly Operational Insights)
Azure Machine Learning Studio
Media Services
Microsoft Azure Portal
Multi-Factor Authentication
Notification Hubs
Power BI Embedded
Redis Cache
Scheduler
Security Center
Service Bus
Service Fabric
Site Recovery
SQL Data Warehouse
SQL Database
SQL Server Stretch Database
Storage StorSimple
Stream Analytics
Traffic Manager
Virtual Machines
Virtual Machine Scale Sets
Virtual Network
Visual Studio Team Services
VPN Gateway
Visual Studio Team Services
VPN Gateway
Product ISO Control Nu ISO Control Title Microsoft Servic
1) Privacy program information, including data protection policies and instructions to action on a data subject request;
Microsoft C+E documents and disseminates Sta Secondary (5)(1)(f)
2) Data residency and transfer policy (including abstracted data flow maps, legal safeguards and justification for transfer);
Internal communication between key Azure co Secondary (5)(1)(f)
3) Data protection policy description including security, processor/controller commitment, privacy by design and default, back
4) Incidentdevelops,
Microsoft management process.
documents and dissemina
Secondary (25)(1)
1) Privacy program information, including data protection policies and instructions to action on a data subject request;
Microsoft C+E documents and disseminates Sta Secondary (33)(4)
2) Data residency and transfer policy (including abstracted data flow maps, legal safeguards and justification for transfer);
Microsoft develops, documents and dissemina Secondary (33)(5)
3) Data protection policy description including security, processor/controller commitment, privacy by design and default, back
4) IncidentC+E
Microsoft management
documentsprocess.
and disseminates Sta
Secondary (33)(5)
1) Privacy program information, including data protection policies and instructions to action on a data subject request;
Microsoft develops, documents and dissemina Secondary (5)(1)(f)
2) Data residency and transfer policy (including abstracted data flow maps, legal safeguards and justification for transfer);
Microsoft C+E documents and disseminates Sta Secondary (5)(1)(f)
3) Data protection policy description including security, processor/controller commitment, privacy by design and default, back
4) IncidentC+E
Microsoft management process.
has an incident handling capabiSecondary (5)(1)(f)
1) Privacy program information, including data protection policies and instructions to action on a data subject request;
Microsoft C+E manages a control state monitoSecondary (32)(1)(d)
2) Data residency and transfer policy (including abstracted data flow maps, legal safeguards and justification for transfer);
Microsoft C+E employs independent assessorsMaster (32)(1)(d)
3) Data protection policy description including security, processor/controller commitment, privacy by design and default, back
4) IncidentC+E
Microsoft management
manages aprocess.
control state monitoSecondary (32)(2)
1) Privacy program information, including data protection policies and instructions to action on a data subject request;
Policy including information on Microsoft’s s Secondary (24)(2)
2) Data residency and transfer policy (including abstracted data flow maps, legal safeguards and justification for transfer);
Microsoft maintains a description of data proMaster (37)(1)(a)
3) Data protection policy description including security, processor/controller commitment, privacy by design and default, back
4) Incidentmaintains
Microsoft management process. of data proMaster
a description (39)(1)(b)
1) Privacy program information, including data protection policies and instructions to action on a data subject request;
Microsoft C+E establishes usage restrictions Master (5)(1)(f)
2) Data residency and transfer policy (including abstracted data flow maps, legal safeguards and justification for transfer);
Microsoft C+E encrypts digital media assets via
Master (32)(1)(a)
3) Data protection policy description including security, processor/controller commitment, privacy by design and default, back
4) IncidentC+E
Microsoft management process.
approves the transport of digitaSecondary (32)(1)(a)
1) Privacy program information, including data protection policies and instructions to action on a data subject request;
Microsoft C+E has included a clear desk and cMaster (5)(1)(f)
2) Data residency and transfer policy (including abstracted data flow maps, legal safeguards and justification for transfer);
Microsoft C+E documents and disseminates Sta Secondary (5)(1)(f)
3) Data protection policy description including security, processor/controller commitment, privacy by design and default, back
4) Incident management
Confidential process.
documents are cross-shredded orSecondary (5)(1)(f)
1) Privacy program information, including data protection policies and instructions to action on a data subject request;
Microsoft C+E creates and implements for new Secondary (28)(3)(e)
2) Data residency and transfer policy (including abstracted data flow maps, legal safeguards and justification for transfer);
Prior to engaging in Azure services, Microsof Secondary (28)(3)(e)
3) Data protection policy description including security, processor/controller commitment, privacy by design and default, back
4) IncidentC+E
Microsoft management
maintains aprocess.
mechansim that ena
Secondary (28)(3)(e)
1) Privacy program information, including data protection policies and instructions to action on a data subject request;
Data subject requests received from customerMaster (29)
2) Data residency and transfer policy (including abstracted data flow maps, legal safeguards and justification for transfer);
Microsoft C+E provides a mechanism for author Secondary (29)
3) Data protection policy description including security, processor/controller commitment, privacy by design and default, back
4)
C+EIncident
Securitymanagement process.
Education and Awareness (CESEA)
Secondary (32)(4)
1) Privacy program information, including data protection policies and instructions to action on a data subject request;
Policy including information on Microsoft’s s Secondary (5)(1)(b)
2) Data residency and transfer policy (including abstracted data flow maps, legal safeguards and justification for transfer);
Microsoft C+E maintains documentation and Master
makes publicly available through
(28)(3)(h)
organizational websites or otherwise:
3) Data protection policy description including security, processor/controller commitment, privacy by design and default, back
1) Privacy program information, including data protection policies and instructions to action on a data subject request;
4) Incident
Policy management
including process.
information on Microsoft’s s Secondary (28)(3)(h)
2) Data residency and transfer policy (including abstracted data flow maps, legal safeguards and justification for transfer);
Microsoft C+E maintains documentation and Master
makes publicly available through
(28)(3)(h)
organizational websites or otherwise:
3) Data protection policy description including security, processor/controller commitment, privacy by design and default, back
1) Privacy program information, including data protection policies and instructions to action on a data subject request;
4) Incident
Prior management
to engaging in Azureprocess.
services, Microsof Secondary (28)(3)(h)
2) Data residency and transfer policy (including abstracted data flow maps, legal safeguards and justification for transfer);
C+E Security Education and Awareness (CESEA) Secondary (28)(3)(h)
3) Data protection policy description including security, processor/controller commitment, privacy by design and default, back
4)
C+EIncident
Securitymanagement process.
Education and Awareness (CESEA)
Secondary (28)(3)(h)
1) Privacy program information, including data protection policies and instructions to action on a data subject request;
Prior to engaging in Azure services, Microsof Secondary (28)(3)(e)
2) Data residency and transfer policy (including abstracted data flow maps, legal safeguards and justification for transfer);
Microsoft C+E maintains a mechansim that ena Master (28)(3)(e)
3) Data protection policy description including security, processor/controller commitment, privacy by design and default, back
4) Incidentdevelops,
Microsoft management process.
documents and dissemina
Secondary (5)(1)(c)
1) Privacy program information, including data protection policies and instructions to action on a data subject request;
Microsoft C+E documents and disseminates Sta Secondary (28)(3)(g)
2) Data residency and transfer policy (including abstracted data flow maps, legal safeguards and justification for transfer);
Microsoft C+E customer data is retained and Master (28)(3)(g)
3) Data protection policy description including security, processor/controller commitment, privacy by design and default, back
4) IncidentC+E
Microsoft management
maintains aprocess.
mechansim that ena
Secondary (28)(3)(g)
Microsoft C+E monitors compliance against da
Secondary (28)(3)(g)
1) Privacy program information, including data protection policies and instructions to action on a data subject request;
Microsoft C+E documents and disseminates Sta Secondary (30)(1)(f)
2) Data residency and transfer policy (including abstracted data flow maps, legal safeguards and justification for transfer);
Microsoft C+E maintains a mechansim that ena Secondary (30)(1)(f)
3) Data protection policy description including security, processor/controller commitment, privacy by design and default, back
4) IncidentC+E
Microsoft management process. against da
monitors compliance Secondary (30)(1)(f)
1) Privacy program information, including data protection policies and instructions to action on a data subject request;
Internal communication between key Azure co Secondary (5)(1)(f)
2) Data residency and transfer policy (including abstracted data flow maps, legal safeguards and justification for transfer);
Microsoft C+E ensures customer data communic Master (5)(1)(f)
3) Data protection policy description including security, processor/controller commitment, privacy by design and default, back
4) IncidentC+E
Microsoft management process.
maintains documentation and Master
makes publicly available through
(44) organizational websites or otherwise:
1) Privacy program information, including data protection policies and instructions to action on a data subject request;
Customer Data is stored in customer-specifiedSecondary (44)
2) Data residency and transfer policy (including abstracted data flow maps, legal safeguards and justification for transfer);
Prior to engaging in Azure services, Microsof Secondary (44)
3) Data protection policy description including security, processor/controller commitment, privacy by design and default, back
4) IncidentC+E
Microsoft management process. data with Secondary
will share personal (44)
The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the superviso
In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing,
unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing,
unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing,
unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing,
unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing,
unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing,
unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing,
unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processin
freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measu
as appropriate:
In
(b)assessing
the abilitythe
to appropriate level of security
ensure the ongoing accountintegrity,
confidentiality, shall be availability
taken in particular of the risks
and resilience that are presented
of processing by services;
systems and processing,
unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding
subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
Processing
(b) ensuresby a processor
that shall be governed
persons authorised to processby the
a contract ordata
personal otherhave
legalcommitted
act under themselves
Union or Member State law, that
to confidentiality is binding
or are under a
subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
Personal data
(b) ensures shall
that be: authorised to process the personal data have committed themselves to confidentiality or are under a
persons
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processin
freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measu
as appropriate:
Taking
(a) the into account the state
pseudonymisation andof the art, the
encryption of costs of implementation
personal data; and the nature, scope, context and purposes of processin
freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measu
as appropriate:
Taking
(a) the into account the state
pseudonymisation andof the art, the
encryption of costs of implementation
personal data; and the nature, scope, context and purposes of processin
freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measu
as appropriate:
(a) the pseudonymisation and encryption of personal data;
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processin
freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measu
as appropriate:
Personal data shall be: and encryption of personal data;
(a) the pseudonymisation
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing
freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means
appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protecti
Taking into
integrate account
the the safeguards
necessary state of theinto
art, the
the processing
cost of implementation and the
in order to meet the requirements
nature, scope,ofcontext and purposes
this Regulation of processing
and protect the ri
freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means
appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protecti
Taking into
integrate account
the the safeguards
necessary state of theinto
art, the
the processing
cost of implementation and the
in order to meet the requirements
nature, scope,ofcontext and purposes
this Regulation of processing
and protect the ri
freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means
appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protecti
Where processing
integrate is to be
the necessary carried out
safeguards onthe
into behalf of a controller,
processing in order the controller
to meet shall use onlyofprocessors
the requirements providing
this Regulation sufficient
and protect thegua
ri
in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the d
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient gua
in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the d
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient gua
in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the d
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient gua
in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the d
Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing ac
(d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processin
freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measu
as appropriate:
The processor
(b) the shall
ability to notify
ensure thethe controller
ongoing without undue
confidentiality, delay availability
integrity, after becoming aware of aofpersonal
and resilience datasystems
processing breach.and services;
The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours aft
supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to
supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours aft
supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to
supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours aft
supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to
supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
The notification referred to in paragraph 1 shall at least:
(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data
personal data records concerned;
The notification referred to in paragraph 1 shall at least:
(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data
personal data records concerned;
The notification referred to in paragraph 1 shall at least:
(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data
personal data records concerned;
The notification referred to in paragraph 1 shall at least:
(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data
personal data records concerned;
The notification referred to in paragraph 1 shall at least:
(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data
personal data records concerned;
The notification referred to in paragraph 1 shall at least:
(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data
personal data records concerned;
The notification referred to in paragraph 1 shall at least:
(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data
personal data records concerned;
The notification referred to in paragraph 1 shall at least:
(b) communicate the name and contact details of the data protection officer or other contact point where more information c
The notification referred to in paragraph 1 shall at least:
(b) communicate the name and contact details of the data protection officer or other contact point where more information c
The notification referred to in paragraph 1 shall at least:
(b) communicate the name and contact details of the data protection officer or other contact point where more information c
The notification referred to in paragraph 1 shall at least:
(b) communicate the name and contact details of the data protection officer or other contact point where more information c
The notification referred to in paragraph 1 shall at least:
(b) communicate the name and contact details of the data protection officer or other contact point where more information c
The notification referred to in paragraph 1 shall at least:
(b) communicate the name and contact details of the data protection officer or other contact point where more information c
The notification referred to in paragraph 1 shall at least:
(b) communicate the name and contact details of the data protection officer or other contact point where more information c
The notification referred to in paragraph 1 shall at least:
(c) describe the likely consequences of the personal data breach;
The notification referred to in paragraph 1 shall at least:
(c) describe the likely consequences of the personal data breach;
The notification referred to in paragraph 1 shall at least:
(c) describe the likely consequences of the personal data breach;
The notification referred to in paragraph 1 shall at least:
(c) describe the likely consequences of the personal data breach;
The notification referred to in paragraph 1 shall at least:
(c) describe the likely consequences of the personal data breach;
The notification referred to in paragraph 1 shall at least:
(c) describe the likely consequences of the personal data breach;
The notification referred to in paragraph 1 shall at least:
(c) describe the likely consequences of the personal data breach;
The notification referred to in paragraph 1 shall at least:
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, whe
The notification referred to in paragraph 1 shall at least:
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, whe
The notification referred to in paragraph 1 shall at least:
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, whe
The notification referred to in paragraph 1 shall at least:
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, whe
The notification referred to in paragraph 1 shall at least:
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, whe
The notification referred to in paragraph 1 shall at least:
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, whe
The notification referred to in paragraph 1 shall at least:
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, whe
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in pha
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in pha
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in pha
The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effect
supervisory authority to verify compliance with this Article.
The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effect
supervisory authority to verify compliance with this Article.
The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effect
supervisory authority to verify compliance with this Article.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller sha
undue delay.
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementa
The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
The data protection officer shall have at least the following tasks:
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the po
personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing opera
In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing,
unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processin
freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measu
as appropriate:
(a) the pseudonymisation and encryption of personal data;
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processin
freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measu
as appropriate:
Taking
(a) the into account the state
pseudonymisation andof the art, the
encryption of costs of implementation
personal data; and the nature, scope, context and purposes of processin
freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measu
as appropriate:
Personal data shall be: and encryption of personal data;
(a) the pseudonymisation
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processin
freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measu
as appropriate:
Taking
(a) the into account the state
pseudonymisation andof the art, the
encryption of costs of implementation
personal data; and the nature, scope, context and purposes of processin
freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measu
as appropriate:
Taking
(a) the into account the state
pseudonymisation andof the art, the
encryption of costs of implementation
personal data; and the nature, scope, context and purposes of processin
freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measu
as appropriate:
Taking
(a) the into account the state
pseudonymisation andof the art, the
encryption of costs of implementation
personal data; and the nature, scope, context and purposes of processin
freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measu
as appropriate:
Personal data shall be: and encryption of personal data;
(a) the pseudonymisation
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processin
freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measu
as appropriate:
Taking into account
(c) the ability the state
to restore of the art,and
the availability the access
costs oftoimplementation
personal data inand the nature,
a timely manner scope,
in thecontext and
event of purposes
a physical orof processin
technical in
freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measu
as appropriate:
Taking into account
(c) the ability the state
to restore of the art,and
the availability the access
costs oftoimplementation
personal data inand the nature,
a timely manner scope,
in thecontext and
event of purposes
a physical orof processin
technical in
freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measu
as appropriate:
Taking into account
(c) the ability the state
to restore of the art,and
the availability the access
costs oftoimplementation
personal data inand the nature,
a timely manner scope,
in thecontext and
event of purposes
a physical orof processin
technical in
freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measu
as appropriate:
Taking into account
(c) the ability the state
to restore of the art,and
the availability the access
costs oftoimplementation
personal data inand the nature,
a timely manner scope,
in thecontext and
event of purposes
a physical orof processin
technical in
freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measu
as appropriate:
Taking into account
(c) the ability the state
to restore of the art,and
the availability the access
costs oftoimplementation
personal data inand the nature,
a timely manner scope,
in thecontext and
event of purposes
a physical orof processin
technical in
freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measu
as appropriate:
Taking into account
(c) the ability the state
to restore of the art,and
the availability the access
costs oftoimplementation
personal data inand the nature,
a timely manner scope,
in thecontext and
event of purposes
a physical orof processin
technical in
freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measu
as appropriate:
Taking into account
(c) the ability the state
to restore of the art,and
the availability the access
costs oftoimplementation
personal data inand the nature,
a timely manner scope,
in thecontext and
event of purposes
a physical orof processin
technical in
freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measu
as appropriate:
Personal datato
(c) the ability shall be: the availability and access to personal data in a timely manner in the event of a physical or technical in
restore
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding
subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
Processing by aaccount
(e) taking into processor
theshall be of
nature governed by a contract
the processing, assistsorthe
other legal act
controller byunder Union or
appropriate Member
technical andState law, that is measure
organisational binding
subject-matter and duration of the processing, the nature and purpose of the processing,
to respond to requests for exercising the data subject's rights laid down in Chapter III; the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
Processing by aaccount
(e) taking into processor
theshall be of
nature governed by a contract
the processing, assistsorthe
other legal act
controller byunder Union or
appropriate Member
technical andState law, that is measure
organisational binding
subject-matter and duration
to respond to requests of the processing,
for exercising the nature
the data subject's andlaid
rights purpose
downof inthe processing,
Chapter III; the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
Processing by aaccount
(e) taking into processor
theshall be of
nature governed by a contract
the processing, assistsorthe
other legal act
controller byunder Union or
appropriate Member
technical andState law, that is measure
organisational binding
subject-matter and duration of the processing, the nature and purpose of the processing,
to respond to requests for exercising the data subject's rights laid down in Chapter III; the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
Processing by aaccount
(e) taking into processor
theshall be of
nature governed by a contract
the processing, assistsorthe
other legal act
controller byunder Union or
appropriate Member
technical andState law, that is measure
organisational binding
subject-matter and duration
to respond to requests of the processing,
for exercising the nature
the data subject's andlaid
rights purpose
downof inthe processing,
Chapter III; the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
Processing by aaccount
(e) taking into processor
theshall be of
nature governed by a contract
the processing, assistsorthe
other legal act
controller byunder Union or
appropriate Member
technical andState law, that is measure
organisational binding
subject-matter and duration of the processing, the nature and purpose of the processing,
to respond to requests for exercising the data subject's rights laid down in Chapter III; the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
The contract
(f) assists the or the other
controller inlegal act referred
ensuring to inwith
compliance paragraphs 3 and 4 pursuant
the obligations shall be intowriting,
Articlesincluding
32 to 36 in electronic
taking form. the natur
into account
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purpo
freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisag
assessment may address a set of similar processing operations that present similar high risks.
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding
subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
Processing bythe
(a) processes a processor
personalshall
data be governed
only by a contract
on documented or otherfrom
instructions legalthe
actcontroller,
under Union or Member
including State law,
with regard that is binding
to transfers of per
subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal
required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall data and catego
inform th
contract
prohibitsor other
such legal act
information shall
on stipulate,
important in particular,
grounds of that
public the processor:
interest;
Processing bythe
(a) processes a processor
personalshall
data be governed
only by a contract
on documented or otherfrom
instructions legalthe
actcontroller,
under Union or Member
including State law,
with regard that is binding
to transfers of per
subject-matter and
required to do so byduration
Union orofMember
the processing,
State lawthe
tonature
which and purpose ofisthe
the processor processing,
subject; in suchthe typethe
a case, of personal
processordata and
shall catego
inform th
contract
prohibitsor other
such legal act shall
information on stipulate,grounds
important in particular,
of thatinterest;
public the processor:
Processing bythe
(a) processes a processor
personalshall
data be governed
only by a contract
on documented or otherfrom
instructions legalthe
actcontroller,
under Union or Member
including State law,
with regard that is binding
to transfers of per
subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal
required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall data and catego
inform th
contract
prohibitsor other
such legal act
information shall
on stipulate,
important in particular,
grounds of that
public the processor:
interest;
Processing bythe
(a) processes a processor
personalshall
data be governed
only by a contract
on documented or otherfrom
instructions legalthe
actcontroller,
under Union or Member
including State law,
with regard that is binding
to transfers of per
subject-matter and
required to do so byduration
Union orofMember
the processing,
State lawthe
tonature
which and purpose ofisthe
the processor processing,
subject; in suchthe typethe
a case, of personal
processordata and
shall catego
inform th
contract
prohibitsor other
such legal act shall
information stipulate,grounds
on important in particular, thatinterest;
of public the processor:
(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of per
required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform th
prohibits such information on important grounds of public interest;
The processor and any person acting under the authority of the controller or of the processor, who has access to personal dat
unless required to do so by Union or Member State law.
The processor and any person acting under the authority of the controller or of the processor, who has access to personal dat
unless required to do so by Union or Member State law.
The processor and any person acting under the authority of the controller or of the processor, who has access to personal dat
unless required to do so by Union or Member State law.
The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or
except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or
except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
Personal data shall be:
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with th
interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be consider
Personal data shall be:
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with th
interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be consider
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding
subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
Processing by a processor
(h) makes available to the shall be governed
controller by a contract
all information or other
necessary legal act under
to demonstrate Union orwith
compliance Member State law, laid
the obligations thatdown
is binding
in th
subject-matter and duration of the processing, the nature and purpose
conducted by the controller or another auditor mandated by the controller. of the processing, the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
Processing
(h) makes by a processor
available to(h)
the shall be governed by a contract or other legal act under Union orwith
Member State law, laidthatdown
is binding
With regard
subject-matterto point ofcontroller
andcontroller
duration the
offirst
all information
subparagraph,
the processing, thethenecessary
nature and
to shall
processor demonstrate
purpose
compliance
immediately inform the
of the processing,
the obligations
the type
controller if, in itsdata
of personal opinion, in th
an
and catego in
conducted
protection by the
provisions. or another auditor mandated by the controller.
contract or other legal act shall stipulate, in particular, that the processor:
Processing
(h) makes by a processor
available to(h)
the shall be governed by a contract or other legal act under Union orwith
Member State law, laidthatdown
is binding
With regard
subject-matterto point
and ofcontroller
duration the
of first
the
all information
subparagraph,
processing, thethenecessary
nature and
to shall
processor demonstrate
purpose of the
compliance
immediately inform the
processing,
the obligations
the type
controller
of if, in itsdata
personal opinion,
and
in th
an
categoin
conducted
protection by the controller
provisions. or another auditor mandated by the controller.
contract or other legal act shall stipulate, in particular, that the processor:
Processing
(h) makes by a processor
available to(h)
the shall be governed by a contract or other legal act under Union orwith
Member State law, laidthatdown
is binding
With regard
subject-matterto point ofcontroller
andcontroller
duration the
offirst
all information
subparagraph,
the processing, thethenecessary
nature and
to shall
processor demonstrate
purpose
compliance
immediately inform the
of the processing,
the obligations
the type
controller if, in itsdata
of personal opinion, in th
an
and catego in
conducted
protection by the
provisions. or another auditor mandated by the controller.
contract or other legal act shall stipulate, in particular, that the processor:
Processing
(h) makes by a processor
available to(h)
the shall be governed by a contract or other legal act under Union orwith
Member State law, laidthatdown
is binding
With regard
subject-matterto point
and ofcontroller
duration the
of first
the
all information
subparagraph,
processing, thethenecessary
nature and
to shall
processor demonstrate
purpose of the
compliance
immediately inform the
processing,
the obligations
the type
controller
of if, in itsdata
personal opinion,
and
in th
an
categoin
conducted
protection by the controller
provisions. or another auditor mandated by the controller.
contract or other legal act shall stipulate, in particular, that the processor:
Processing
(h) makes by a processor
available to(h)
the shall be governed by a contract or other legal act under Union orwith
Member State law, laidthatdown
is binding
With regard
subject-matterto point ofcontroller
andcontroller
duration the
offirst
all information
subparagraph,
the processing, thethenecessary
nature and
to shall
processor demonstrate
purpose
compliance
immediately inform the
of the processing,
the obligations
the type
controller if, in itsdata
of personal opinion, in th
an
and catego in
conducted
protection by the
provisions. or another auditor mandated by the controller.
contract or other legal act shall stipulate, in particular, that the processor:
Processing
(h) makes by a processor
available to(h)
the shall be governed by a contract or other legal act under Union orwith
Member State law, laidthatdown
is binding
With regard
subject-matterto point
and ofcontroller
duration the
of first
the
all information
subparagraph,
processing, thethenecessary
nature and
to shall
processor demonstrate
purpose of the
compliance
immediately inform the
processing,
the obligations
the type
controller
of if, in itsdata
personal opinion,
and
in th
an
categoin
conducted
protection by the controller
provisions. or another auditor mandated by the controller.
contract or other legal act shall stipulate, in particular, that the processor:
Processing
(h) makes by a processor
available to(h)
the shall be governed by a contract or other legal act under Union orwith
Member State law, laidthatdown
is binding
With regard
subject-matterto point ofcontroller
andcontroller
duration the
offirst
all information
subparagraph,
the processing, thethenecessary
nature and
to shall
processor demonstrate
purpose
compliance
immediately inform the
of the processing,
the obligations
the type
controller if, in itsdata
of personal opinion, in th
an
and catego in
conducted
protection by the
provisions. or another auditor mandated by the controller.
contract or other legal act shall stipulate, in particular, that the processor:
Each
(h) processor
makes and,to
available where
the applicable,
controller allthe processor's
information representative
necessary to shall shall maintain
demonstrate a record
compliance of the
with all categories
obligations oflaid
processing
downan in ac
th
With
(a) theregard
name to point
and (h)
contact ofdetails
the first
of subparagraph,
the processor the
or processor
processors and of immediately
each inform
controller on the controller
behalf of which if,the
in its opinion,
processor is in
acti
conducted
protection by the controller
provisions. or another auditor mandated by the controller.
representative, and the data protection officer;
Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing ac
With
(a) theregard
nameto point
and (h) ofdetails
contact the first
of subparagraph,
the processor orthe processorand
processors shallofimmediately inform
each controller the controller
on behalf of whichif,thein its opinion,isan
processor in
acti
protection provisions.
representative, and the data protection officer;
Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing ac
(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acti
representative, and the data protection officer;
Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing ac
(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acti
representative, and the data protection officer;
Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing ac
(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acti
representative, and the data protection officer;
Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing ac
(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acti
representative, and the data protection officer;
Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing ac
(b) the categories of processing carried out on behalf of each controller;
Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing ac
(b) the categories of processing carried out on behalf of each controller;
Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing ac
(b) the categories of processing carried out on behalf of each controller;
Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing ac
(b) the categories of processing carried out on behalf of each controller;
Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing ac
(b) the categories of processing carried out on behalf of each controller;
The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding
subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
Processing by aaccount
(e) taking into processor
theshall be of
nature governed by a contract
the processing, assistsorthe
other legal act
controller byunder Union or
appropriate Member
technical andState law, that is measure
organisational binding
subject-matter and duration
to respond to requests of the processing,
for exercising the nature
the data subject's andlaid
rights purpose
downof inthe processing,
Chapter III; the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
Processing by aaccount
(e) taking into processor
theshall be of
nature governed by a contract
the processing, assistsorthe
other legal act
controller byunder Union or
appropriate Member
technical andState law, that is measure
organisational binding
subject-matter and duration of the processing, the nature and purpose of the processing,
to respond to requests for exercising the data subject's rights laid down in Chapter III; the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
Personal
(e) takingdata
into shall be: the nature of the processing, assists the controller by appropriate technical and organisational measure
account
(c) adequate,
to respond to relevant
requestsand limited to what
for exercising is necessary
the data subject's in relation
rights to thein
laid down purposes
Chapterfor
III; which they are processed ('data minimis
Personal data shall be:
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimis
Personal data shall be:
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimis
Personal data shall be:
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimis
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding
subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
Processing by a processor
(g) at the choice shall be deletes
of the controller, governed or by a contract
returns all theorpersonal
other legal
dataact
tounder Union orafter
the controller Member State
the end of law, that is binding
the provision of ser
subject-matter and duration of the processing, the
Member State law requires storage of the personal data; nature and purpose of the processing, the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
Processing by a processor
(g) at the choice shall be deletes
of the controller, governed or by a contract
returns all theorpersonal
other legal
dataact
tounder Union orafter
the controller Member State
the end of law, that is binding
the provision of ser
subject-matter
Member State lawandrequires
durationstorage
of the processing, the nature
of the personal data; and purpose of the processing, the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
Processing by a processor
(g) at the choice shall be deletes
of the controller, governed or by a contract
returns all theorpersonal
other legal
dataact
tounder Union orafter
the controller Member State
the end of law, that is binding
the provision of ser
subject-matter and duration of the processing, the
Member State law requires storage of the personal data; nature and purpose of the processing, the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
Processing by a processor
(g) at the choice shall be deletes
of the controller, governed or by a contract
returns all theorpersonal
other legal
dataact
tounder Union orafter
the controller Member State
the end of law, that is binding
the provision of ser
subject-matter
Member State lawandrequires
durationstorage
of the processing, the nature
of the personal data; and purpose of the processing, the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of ser
Member State law requires storage of the personal data;
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding
subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
Each
(g) at controller
the choiceand, where
of the applicable,
controller, theor
deletes controller's
returns allrepresentative, shall
the personal data tomaintain a record
the controller ofthe
after processing activities
end of the under
provision its
of ser
(f) whereState
Member possible,
law the envisaged
requires time
storage limits
of the for erasure
personal data;of the different categories of data;
Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its
(f) where possible, the envisaged time limits for erasure of the different categories of data;
Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its
(f) where possible, the envisaged time limits for erasure of the different categories of data;
Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its
(f) where possible, the envisaged time limits for erasure of the different categories of data;
Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its
(f) where possible, the envisaged time limits for erasure of the different categories of data;
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country
other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor
an international organisation to another third country or to another international organisation. All provisions in this Chapter sh
Any transfer
persons of personal
guaranteed data
by this which areisundergoing
Regulation processing or are intended for processing after transfer to a third country
not undermined.
other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor
an international organisation to another third country or to another international organisation. All provisions in this Chapter sh
Any transfer
persons of personal
guaranteed data
by this which areisundergoing
Regulation processing or are intended for processing after transfer to a third country
not undermined.
other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor
an international organisation to another third country or to another international organisation. All provisions in this Chapter sh
Any transfer
persons of personal
guaranteed data
by this which areisundergoing
Regulation processing or are intended for processing after transfer to a third country
not undermined.
other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor
an international organisation to another third country or to another international organisation. All provisions in this Chapter sh
In the absence
persons of a decision
guaranteed pursuant toisArticle
by this Regulation 45(3), a controller or processor may transfer personal data to a third country o
not undermined.
provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data s
The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from
(a) a legally binding and enforceable instrument between public authorities or bodies;
The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from
(b) binding corporate rules in accordance with Article 47;
The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from
(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in
The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from
(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the exa
The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from
(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller
including as regards data subjects' rights; or
The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from
(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the con
safeguards, including as regards data subjects' rights.
Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1
(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data
Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or
enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between
prejudice to other grounds for transfer pursuant to this Chapter.
Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or
enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between
prejudice to other grounds for transfer pursuant to this Chapter.
Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or
enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between
prejudice to other grounds for transfer pursuant to this Chapter.
In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, includin
to a third country or an international organisation shall take place only on one of the following conditions:
(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such
In
andthe absence ofsafeguards;
appropriate an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, includin
to a third country or an international organisation shall take place only on one of the following conditions:
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementa
In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, includin
to a third country or an international organisation shall take place only on one of the following conditions:
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject betw
In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, includin
to a third country or an international organisation shall take place only on one of the following conditions:
(d) the transfer is necessary for important reasons of public interest;
In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, includin
to a third country or an international organisation shall take place only on one of the following conditions:
(e) the transfer is necessary for the establishment, exercise or defence of legal claims;
In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, includin
to a third country or an international organisation shall take place only on one of the following conditions:
(f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subje
In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, includin
to a third country or an international organisation shall take place only on one of the following conditions:
(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to t
A
ortransfer pursuant
by any person whotocan
point (g) of paragraph
demonstrate 1 shall not
a legitimate involve
interest, butthe entirety
only to the of the personal
extent that the data or entire
conditions laidcategories of theorpeM
down in Union
consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they
Where a transfer
In the absence of could not be based
an adequacy on aUnion
decision, provision in Articles
or Member 45law
State or 46, including
may, the provisions
for important reasonsonof binding corporate
public interest, rules, an
expressly s
(g) of this paragraph is applicable, a transfer to a third country or an international organisation
country or an international organisation. Member States shall notify such provisions to the Commission. may take place only if the trans
necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the intere
assessed
The all theorcircumstances
controller processor shall surrounding data transferasand
document the assessment wellhas
as on
thethe basis of
suitable that assessment
safeguards referredprovided
to in the suitable safegu
second subpar
inform
30. the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Ar
compelling legitimate interests pursued.
Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing ac
(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification
transfers referred to in the second subparagraph of Article 49(1), the documentation of appropriate safeguards;
Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing ac
(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification
transfers referred to in the second subparagraph of Article 49(1), the documentation of appropriate safeguards;
Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing ac
(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification
transfers referred to in the second subparagraph of Article 49(1), the documentation of appropriate safeguards;
Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing ac
(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification
transfers referred to in the second subparagraph of Article 49(1), the documentation of appropriate safeguards;
Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing ac
(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification
transfers referred to in the second subparagraph of Article 49(1), the documentation of appropriate safeguards;
Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its
(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countrie
Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its
(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countrie
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding
subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
Processing bythe
(a) processes a processor
personalshall
data be governed
only by a contract
on documented or otherfrom
instructions legalthe
actcontroller,
under Union or Member
including State law,
with regard that is binding
to transfers of per
subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal
required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall data and catego
inform th
contract
prohibitsor other
such legal act
information shall
on stipulate,
important in particular,
grounds of that
public the processor:
interest;
Processing bythe
(a) processes a processor
personalshall
data be governed
only by a contract
on documented or otherfrom
instructions legalthe
actcontroller,
under Union or Member
including State law,
with regard that is binding
to transfers of per
subject-matter and
required to do so byduration
Union orofMember
the processing,
State lawthe
tonature
which and purpose ofisthe
the processor processing,
subject; in suchthe typethe
a case, of personal
processordata and
shall catego
inform th
contract
prohibitsor other
such legal act shall
information stipulate,grounds
on important in particular, thatinterest;
of public the processor:
(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of per
required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform th
prohibits such information on important grounds of public interest;
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding
subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
Any judgmentthe
(a) processes of apersonal
court ordata
tribunal
onlyand any decision instructions
on documented of an administrative
from theauthority ofincluding
controller, a third country requiring
with regard a controller
to transfers or
of per
enforceable in any
required to do so bymanner if based
Union or on an
Member international
State law to which agreement, such is
the processor assubject;
a mutual
inlegal
such assistance
a case, thetreaty, in force
processor shallbetween
inform th
prejudice
prohibits to other
such grounds on
information for transfer pursuant
groundsto this Chapter.
The processor shall not engageimportant
another processor ofwithout
public interest;
prior specific or general written authorisation of the controller. In t
controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller t
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In t
controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller t
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In t
controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller t
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In t
controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller t
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In t
controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller t
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In t
controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller t
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In t
controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller t
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In t
controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller t
Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the sam
between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a c
providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the pro
Where a processor
processor engages
fails to fulfil another
its data processor
protection for carrying
obligations, out specific
the initial processing
processor activities
shall remain on behalf
fully liable of controller
to the the controller, theperf
for the sam
between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a c
providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the pro
The processor
processor fails shall notits
to fulfil engage another processor
data protection without
obligations, priorprocessor
the initial specific orshall
general written
remain fullyauthorisation of the controller.
liable to the controller In t
for the perf
controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller t
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In t
controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller t
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In t
controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller t
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In t
controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller t
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In t
controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller t
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In t
controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller t
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding
subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
Processing
(d) respectsby a processor
the conditionsshall be governed
referred by a contract
to in paragraphs 2 andor4 other legal act
for engaging under Union
another or Member State law, that is binding
processor;
subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
Processing
(d) respectsby a processor
the conditionsshall be governed
referred by a contract
to in paragraphs 2 andor4 other legal act
for engaging under Union
another or Member State law, that is binding
processor;
subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
Processing
(d) respectsby a processor
the conditionsshall be governed
referred by a contract
to in paragraphs 2 andor4 other legal act
for engaging under Union
another or Member State law, that is binding
processor;
subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
(d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding
subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
Processing
(d) respectsby a processor
the conditionsshall be governed
referred by a contract
to in paragraphs 2 andor4 other legal act
for engaging under Union
another or Member State law, that is binding
processor;
subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
Processing
(d) respectsby a processor
the conditionsshall be governed
referred by a contract
to in paragraphs 2 andor4 other legal act
for engaging under Union
another or Member State law, that is binding
processor;
subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
The processor
(d) respects theshall not engage
conditions another
referred to inprocessor
paragraphswithout
2 and prior
4 for specific
engagingoranother
generalprocessor;
written authorisation of the controller. In t
controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller t
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In t
controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller t
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In t
controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller t
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In t
controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller t
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In t
controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller t
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In t
controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller t
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In t
controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller t
xyz abc
Updated