gdpr_guide-for-processors_en.pdf

Here are the key points summarizing the guide for processors under the General Data Protection Regulation (GDPR):

I. Processor's obligations

  1. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  2. Return or destroy all personal data at the end of the service, as agreed with the controller.
  3. Assist the controller in carrying out data protection impact assessments and prior consultation with the supervisory authority.

II. Security measures

  1. Implement measures for ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
  2. Restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

III. Fate of data

  1. Destroy all personal data, return it to the controller, or transfer it to another processor designated by the controller.
  2. Demonstrate, in writing, that destruction has taken place if the chosen option is destruction.

IV. Data Protection Officer (DPO)

  1. Communicate the name and contact details of the DPO to the controller, if designated.

V. Record of categories of processing activities

  1. Maintain a written record of all categories of processing activities carried out on behalf of the controller.
  2. Include information such as the name and contact details of the controller, other processors, data protection officer, and transfers of personal data.

VI. Documentation

  1. Provide the controller with necessary documentation for demonstrating compliance with obligations and allowing audits.

VII. Controller's obligations with respect to the processor

  1. Provide the processor with the data mentioned in II hereof.
  2. Document any instruction bearing on the processing of data by the processor.
  3. Ensure compliance with GDPR obligations on the processor's part.
  4. Supervise the processing, including conducting audits and inspections with the processor.

Published: 2017-11-24 · Source: CNIL
