(1) In cases where personal data is transferred abroad by the processor, the processor shall act within the purpose and scope established by the controller, on behalf of the controller, and in accordance with the controller’s instructions. The processor shall implement all necessary technical and organisational measures to ensure an appropriate level of security, corresponding to the nature of personal data, in order to prevent unlawful processing of personal data, unlawful access to personal data, and to ensure protection of personal data.
(2) The transfer of personal data abroad by the processor shall not relieve the controller of its responsibility to comply with the procedures and principles, and to ensure the necessary safeguards stipulated in the Law and this By-Law. The controller shall be obliged to ensure that the technical and organisational measures specified in the first paragraph are implemented by the processor.
(3) If the processor is obliged to notify the standard contract pursuant to the Article 14(5), the processor shall fulfil this notification obligation independently of any instructions from the controller.