The contract between the data controller and the data processor must stipulate that the data processor:
- processes the personal data only on the instructions of the data controller, including with regard to transfers of personal data to a country outside the EEA;
- ensures that the persons authorised to process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- ensures security of processing;
- shall not engage another data processor without prior specific or general written authorisation of the data controller;
- assists the data controller for the fulfilment of the data controller’s obligations to respond to individual’s requests for exercising their rights;
- assists the data controller in securing the processing, notifying data breaches, and performing DPIAs;
- at the choice of the data controller, deletes or returns all personal data to the data controller after the end of the provision of services;
- makes available to the data controller all necessary information to demonstrate compliance with the obligations under the GDPR;
- allows for and contributes to audits, including inspections conducted by the data controller or another auditor mandated by the data controller.
In addition, the data processor shall immediately inform the data controller if, in its opinion, instructions infringe the GDPR or other EU or national data protection provisions.
More information: