Data Processing Obligations (GDPR)

Data Processing Obligations. The Data Processor shall process Personal Data only on documented instructions from the Data Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Processor shall: (a) ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (b) take all measures required pursuant to Article 32 of the General Data Protection Regulation (GDPR), including implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk; (c) not engage another processor without prior specific or general written authorization of the Controller; (d) assist the Controller in responding to requests for exercising data subjects' rights; (e) assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR; (f) at the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services; and (g) make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this clause and allow for and contribute to audits and inspections.  