Article 23 — Processor Obligations

  1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Code and ensure the protection of the rights of the data subject.
  2. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes. Where the controller objects, the processor shall not proceed with the engagement of the sub-processor in question.
  3. Processing by a processor shall be governed by a contract or other legal act under the law of the Principality that is binding on the processor with regard to the controller and that sets out:
    1. the subject-matter and duration of the processing;
    2. the nature and purpose of the processing;
    3. the type of personal data and the categories of data subjects;
    4. the obligations and rights of the controller;
    5. the obligations of the processor as set out in paragraph 4 of this Article.
  4. The processor shall:
    1. process the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a foreign jurisdiction, unless required to do so by the laws of the Principality; in such a case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest;
    2. ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
    3. implement the security measures required by Article 18 of this Code;
    4. respect the conditions referred to in paragraphs 2 and 3 for engaging another processor;
    5. taking into account the nature of the processing, assist the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Title II of this Code;
    6. assist the controller in ensuring compliance with the obligations pursuant to Article 18, Article 19, Article 20, and Article 21, taking into account the nature of processing and the information available to the processor;
    7. at the choice of the controller, delete or return all the personal data to the controller after the end of the provision of services relating to the processing, and delete existing copies unless the law of the Principality requires storage of the personal data;
    8. make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
  5. Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Code. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.
  6. Adherence by a processor to an approved code of conduct or an approved certification mechanism may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 5 of this Article.
  7. The contract or other legal act referred to in paragraph 3 shall be in writing, including in electronic form. Given the digital-first character of the Principality, execution of such contracts by secure electronic means, including by qualified electronic signature, shall be fully equivalent to execution in any other form.