Contracts with PII processors

The organization should have a written contract with any PII processor that it uses, and should ensure that their contracts with PII processors address the implementation... ... - Licensed content not shown -


28.3.e: Article(28)(3)(e): Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor: (e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;

PIPEDA (Personal Information Protection and Electronic Documents Act) - Canada

DPP (Data Protection Principles) - Hong Kong

DPP.4.1: All practicable steps shall be taken to ensure that any personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user is protected against unauthorized or accidental access, processing, erasure, loss or use having particular regard to— (Amended 18 of 2012 s. 40; 17 of 2018 s. 129) (a) the kind of data and the harm that could result if any of those things should occur; (b) the physical location where the data is stored; (Amended 18 of 2012 s. 40) (c) any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data is stored; (Amended 18 of 2012 s. 40) (d) any measures taken for ensuring the integrity, prudence and competence of persons having access to the data; and (e) any measures taken for ensuring the secure transmission of the data.

Turkish Data Protection Law numbered 6698