Processors are natural and legal person, public authority, agency or other body which process personal data on behalf of the controller; in other words, any natural or legal person who, in order to provide a service to the UAB, needs to access personal data contained in the university's filing systems.
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
- Subject-matter and duration of the processing
- The nature and purpose of the processing
- Type of personal data to be processed
- Categories of data subjects
- Obligations and rights of the controller
The contract or agreement must also set out the following obligations for processors.
- To process the personal data only on documented instructions from the controller including with regard to transfers of personal data to a third country or an international organisation.
- To ensure that persons authorized to process the personal data have committed themselves to confidentiality, or are under an appropriate statutory obligation of confidentiality.
- To take the necessary technical and organisational measures to ensure an appropriate level of security with respect to the risks.
- To ensure the confidentiality, integrity, availability and permanent resilience of the processing systems and services.
- To ensure the ability to restore availability and access to the personal data quickly in the event of a physical or technical incident.
- To have in place a process for verifying and assessing the efficacy of the technical and organisational measures to ensure the security of the processing operations.
The GDPR requires the controller to use only processors who provide sufficient guarantees of implementing appropriate technical and organisational measures and who ensure the protection of the rights of the data subject.
UAB have a model of clauses of contract or agreement with processors.