Part 3A: Joint Controllers
23. Joint Controllers
(1) Where two (2) or more persons jointly determine the purposes and means of Processing Personal Data, they shall be Joint Controllers.
(2) Joint Controllers shall, by way of legally binding written agreement, define their respective responsibilities for ensuring compliance with the obligations under this Law. Such agreement shall clarify the process for ensuring that a Data Subject can exercise his rights under this Law and for providing a Data Subject with the information referred to in Articles 29 and 30.
(3) The written agreement referred to in Article 23(2) or an appropriate summary shall be made available to an affected Data Subject.
(4) Notwithstanding the terms of any written agreement between the Joint Controllers, they shall remain responsible for all Controller obligations under this Law and the Data Subject's rights may be exercised under this Law in respect of and against each of the Joint Controllers.
Part 3B: Processors
24. Processors and Sub-processors
(1) Where Processing is to be carried out on behalf of a Controller by a Processor, the Processing shall be governed by a legally binding written agreement between the Controller and the Processor. A Controller shall only enter into agreements with Processors that provide sufficient assurances to implement appropriate technical and organisational measures that ensure the Processing meets the requirements of this Law and protects a Data Subject’s rights.
(2) A Processor may not engage another Processor to act as a Sub-processor without the prior written authorisation of a Controller. A Controller may only give a general written authorisation where it has ensured that conditions are in place to enable appointed Sub-processors (present or future) to provide the assurances under Article 24(1). If a general written authorisation has been given, a Processor shall inform a Controller of any intended changes concerning the addition or replacement of a Sub-processor. A Processor shall take into account any good faith objection raised by a Controller to such intended changes.
(3) Subject to Article 24(2), a Processor may not engage a Sub-processor for carrying out specific Processing activities on behalf of the Controller, unless a legally binding written agreement containing the requirements set out in Article 24(5) is in place with such Sub-processor that ensures a full delegation of the obligations that the Processor owes to the Controller under the agreement with the Controller in respect of such specific Processing activities.
(4) Where a Sub-processor fails to fulfil its data protection obligations under an agreement or Applicable Law, the Processor that engaged it shall remain fully liable to a relevant Controller for the performance of the Sub-processor's obligations.
(5) Each agreement referred to in Articles 24(1) and 24(3):
(a) shall set out the:
(i) subject-matter and duration of the Processing;
(ii) nature and purpose of the Processing;
(iii) type of Personal Data and categories of Data Subjects; and
(iv) obligations and rights of the Controller; and
(b) must include commitments that each Processor and Sub-processor (if any) shall:
(i) Process Personal Data based on documented instructions from a Controller, including sharing of Personal Data in response to a request made by a Requesting Authority (as described in Article 28), or transfers of Personal Data to a Third Country or an International Organisation, unless required to do so by Applicable Law to which the Processor is subject;
(ii) where Applicable Law, as referred to in Article 24(5)(b)(i), applies: (A) inform any relevant counterparty; or
(B) where there is a chain of Processors and Sub-processors, ensure that the Controller is notified, unless the Applicable Law in question prohibits such information being provided on grounds of Substantial Public Interest;
(iii) ensure that persons authorised to Process relevant Personal Data are under legally binding written agreements or duties of confidentiality;
(iv) take all measures required pursuant to Article 14;
(v) comply with the conditions referred to in Articles 24(2) and (3) for engaging any Sub-processor;
(vi) assist a relevant counterparty by providing appropriate technical and organisational measures for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights, having taken into account the nature of the Processing;
(vii) assist a relevant counterparty in ensuring the Controller's compliance with the obligations pursuant to Articles 14, 20, 21, 41 and 42, taking into account the nature of Processing and the information available to the Processor;
(viii) delete or return all Personal Data to the Controller, at the Controller’s option, or make the same available for return to a relevant counterparty after the end of the provision of services relating to Processing, and delete existing copies unless Applicable Law requires storage of the Personal Data;
(ix) make available to the Controller, relevant counterparty or the Commissioner (upon request) all necessary information to demonstrate compliance with the obligations in this Article 24; and
(x) permit and provide reasonable assistance with audits, including inspections, conducted by:
(A) a relevant counterparty;
(B) another auditor mandated by a relevant counterparty; or
(C) the Commissioner.
(6) A Processor or Sub-processor shall immediately inform the Controller or Processor (as applicable) whether, in its opinion, the Processing activity infringes this Law.
(7) Adherence by a Processor or Sub-processor to an approved code of conduct referred to in Article 48, or an approved certification mechanism referred to in Article 50, may demonstrate the sufficiency of the measures referred to in Articles 24(1) and 24(2).
(8) The Commissioner may publish standard contractual clauses for the matters referred to in Articles 24(1) and (3). The incorporation of such clauses in an applicable written agreement shall be sufficient to discharge the obligations in Articles 24(5)(b)(i) to 24(5)(b)(x) inclusive.
(9) If a Processor infringes this Law by determining the purposes and means of Processing, the Processor shall be considered to be a Controller in respect of that Processing and will assume all the responsibilities and obligations of a Controller.
(10) Both a Controller and Processor are in breach of this Law if they commence mutually agreed Processing activity without a written agreement referred to in Articles 24(1) and 24(3).
25. Confidentiality
A Controller or Processor, and where applicable, a Joint Controller or a Sub-processor, shall take steps to ensure that any person acting under its respective authority that has access to Personal Data shall not Process it except on the instructions of the Controller, unless it is required to do so under Applicable Law.