Under the General Data Protection Regulation (GDPR), what must be included in a written agreement between the controller and processor in relation to processing conducted on the controller's behalf?
Under the GDPR, a written agreement between the controller and processor must include an obligation on the processor to assist the controller in complying with the controller's obligations to notify the supervisory authority about personal data breaches. This is stipulated in Article 28, which outlines the requirements for contracts between controllers and processors, including assistance necessary for the controller to comply with its legal obligations.
The controller needs to notify the regulator and data subject within 72 hours. So the data processor needs to inform the controller a lot faster and assist with the controller's obligations.
It is D
Should be D
Not A, this is to be agreed between the contracting parties. 72 hours reporting relates to notifying the SA.
An obligation on the processor to report any personal data breach to the controller within 72 hours.
should be D
Art 28 3 (f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor; that includes data breach notification
Article 28 of the GDPR specifies the details that should be included in the contract between the controller and the processor. One of these is the obligation on the processor to notify the controller without undue delay upon becoming aware of a personal data breach. The exact timeframe (like the 72 hours) is not specified in this context in Article 28, but the principle of notifying the controller without undue delay is there.