Terms & conditions

 

ARTICLE 28 EU GDPR ‘PROCESSOR’
I. When processing is carried out on behalf of a controller, the controller will only use processors who offer adequate guarantees regarding the application of appropriate technical and organizational measures. To ensure that the processing complies with the requirements of this Regulation and that the rights of the data subject are protected.

II. The processor shall not employ another processor without the prior, specific or general written consent of the controller. In the case of general written consent, the processor shall inform the controller of any intended changes regarding the addition or replacement of other processors. The controller is given the opportunity to object to these changes.

III. Processing by a processor is governed by a contract or other legal act under Union or Member State law binding the processor to the controller. And in which the subject and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, and the rights and obligations of the controller are described. In particular, that agreement or other legal act provides that the processor: Google Analytics
a. processes the personal data solely on the basis of written instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation. Unless a provision of Union or Member State law applicable to the processor obliges him to process. In that case, the processor shall notify the controller of that legal requirement prior to processing, unless such legislation prohibits such notification for important reasons of public interest;
b. ensures that the persons authorized to process the personal data have committed themselves to confidentiality or are bound by an appropriate legal obligation of confidentiality;
c. takes all measures required in accordance with Article 32 GDPR;
d. meets the conditions for engaging another processor referred to in paragraphs II and IV;
e. taking into account the nature of the processing, assists the controller through appropriate technical and organizational measures, to the extent possible, in fulfilling its duty to respond to requests to exercise the data subject’s rights set out in Chapter III;
f. taking into account the nature of the processing and the information at its disposal, assist the controller in fulfilling its obligations under Articles 32 to 36 GDPR;
g. at the end of the processing services, at the choice of the controller, delete all personal data or return it to him, and delete existing copies. Unless storage of the personal data is required by Union or Member State law;
h. makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and audits. Including enabling and contributing to inspections, by the controller or a controller authorized by the controller.
i. With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

IX. Where a processor engages another processor to perform specific processing activities on behalf of the controller, that other processor shall be subject to the same data protection obligations as those laid down in paragraph 3 by a contract or other legal act under Union or Member State law. the said agreement or other legal act between the controller and the processor. In particular, the obligation to provide adequate guarantees with regard to the application of appropriate technical and organizational measures to ensure that the processing complies with the provisions of this Regulation. Where the other processor fails to comply with its data protection obligations, the primary processor shall remain fully liable to the controller for the performance of that other processor’s obligations.

X. Joining an approved code of conduct as referred to in Article 40 GDPR or an approved een