Contracts with PII processors

The organization should have a written contract with any PII processor that it uses, and should ensure that their contracts with PII processors address the implementation... ... - Licensed content not shown -

GDPR (EU)

5.2: Article(5)(2): The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability')

28.3.e: Article(28)(3)(e): Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor: (e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;

28.9: Article(28)(9): The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.

LGPD (BRA)

Art.39: The processor must carry out the processing of the data in accordance with the instructions provided by the controller, which will verify the observance of these instructions and rules on the matter.

Art.49: The systems used to process the personal data must be structured in order to meet security requirements, best practice and governance standards and the general principles outlined in this Law and other regulatory rules.

CCPA (US, CA)

S.1798.145.h: (h) A business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.

APP (Australian Privacy Principles)

APP.8.1: Before disclosing personal information to an overseas recipient, must take reasonable steps to ensure the overseas recipient does not breach the APPs (APP 8.1)

APP.11.1: Must take reasonable steps to protect personal information held from misuse, interference and loss, unauthorised access, modification or disclosure (APP 11.1)

PIPEDA (Personal Information Protection and Electronic Documents Act) - Canada

4.1.3: Responsible for personal information that has been transferred to third parties for processing (4.1.3)

DPP (Data Protection Principles) - Hong Kong

DPP.2: The data user must adopt contractual or other means to prevent data from being kept by data processors longer than necessary Must take all practical steps to ensure personal data is not kept longer than necessary to fulfil the purpose for which it was collected Must take all practical steps to ensure personal data is accurate having regard to the purposes for which it is or is to be used Data user must adopt contractual provisions to prevent personal data being kept longer by data processor than necessary to fulfil the processing (DPP 2)

DPP.4.1: All practicable steps shall be taken to ensure that any personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user is protected against unauthorized or accidental access, processing, erasure, loss or use having particular regard to— (Amended 18 of 2012 s. 40; 17 of 2018 s. 129) (a) the kind of data and the harm that could result if any of those things should occur; (b) the physical location where the data is stored; (Amended 18 of 2012 s. 40) (c) any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data is stored; (Amended 18 of 2012 s. 40) (d) any measures taken for ensuring the integrity, prudence and competence of persons having access to the data; and (e) any measures taken for ensuring the secure transmission of the data.

Personal Data Protection Act - Singapore

S.4.3: Organisations have the same obligations in respect of personal data processed for them by a 'data intermediary' as if it was processed by them (S.4(3))

S.24: Must make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks for personal data held or under their control

Personal Information Protection Act - South Korea

A.26: On outsourcing the processing of personal information to a third party, must satisfy certain formalities in writing and prevent processing for purposes other than the purposes for which the processing was outsourced and ensure technical and managerial safeguards

Turkish Data Protection Law numbered 6698

A.9: Personal data may only be transferred abroad without explicit consent if (i) sufficient protection is provided in the foreign country where the data is to be transferred, or (ii) the data controller in Turkey and in the related foreign country must guarantee a sufficient protection in writing and the Data Protection Board has authorized such transfer, where sufficient protection is not provided

A.12.1: Must take all necessary technical and administrative measures to provide a sufficient level of security in order to (i) prevent unlawful processing of personal data, (ii) prevent unlawful access to personal data, and (iii) ensure the retention of personal data

A.12.2: Jointly responsible with processor to take all necessary technical and administrative measures to provide a sufficient level of security in order to (i) prevent unlawful...