59Processors
(1)This section applies to the use by a controller of a processor to carry out processing of personal data on behalf of the controller.
(2)The controller may use only a processor who provides guarantees to implement appropriate technical and organisational measures that are sufficient to secure that the processing will—
(a)meet the requirements of this Part, and
(b)ensure the protection of the rights of the data subject.
(3)The processor used by the controller may not engage another processor (“a sub-processor”) without the prior written authorisation of the controller, which may be specific or general.
(4)Where the controller gives a general written authorisation to a processor, the processor must inform the controller if the processor proposes to add to the number of sub-processors engaged by it or to replace any of them (so that the controller has the opportunity to object to the proposal).
(5)The processing by the processor must be governed by a contract in writing between the controller and the processor setting out the following—
(a)the subject-matter and duration of the processing;
(b)the nature and purpose of the processing;
(c)the type of personal data and categories of data subjects involved;
(d)the obligations and rights of the controller and processor.
(6)The contract must, in particular, provide that the processor must—
(a)act only on instructions from the controller,
(b)ensure that the persons authorised to process personal data are subject to an appropriate duty of confidentiality,
(c)assist the controller by any appropriate means to ensure compliance with the rights of the data subject under this Part,
(d)at the end of the provision of services by the processor to the controller—
(i)either delete or return to the controller (at the choice of the controller) the personal data to which the services relate, and
(ii)delete copies of the personal data unless subject to a legal obligation to store the copies,
(e)make available to the controller all information necessary to demonstrate compliance with this section, and
(f)comply with the requirements of this section for engaging sub-processors.
(7)The terms included in the contract in accordance with subsection (6)(a) must provide that the processor may transfer personal data to a third country or international organisation only if instructed by the controller to make the particular transfer.
(8)If a processor determines, in breach of this Part, the purposes and means of processing, the processor is to be treated for the purposes of this Part as a controller in respect of that processing.