Article 9
Processing by processors
- The processing of personal data may be assigned by contract or by the legislation to a processor if:
- a. the data is processed only in the manner in which the controller itself is permitted to do it; and
- b. no statutory or contractual duty of confidentiality prohibits assignment.
- The controller must satisfy itself in particular that the processor is able to guarantee data security.
- The processor may only assign processing to a third party with prior approval from the controller.
- It may claim the same grounds for justification as the controller.