Subcontractor And Third Party Issues


Managing Subcontractor and Third Party Issues in Data Protection

“Where the processing is to be carried out on behalf of a data fiduciary, the data fiduciary shall only use processors who can offer adequate assurances of implementing suitable technical and organisational measures. These measures should ensure that the processing aligns with the stipulations of this Regulation and upholds the data principal's rights and protection.”

In simpler terms, the data fiduciary is obligated to select processors who adhere to the DPDP Act; if it fails to do so, it can face penalties itself. As regulatory authorities penalise data fiduciaries for insufficient or improper vetting, processors may need to obtain independent compliance certifications to give prospective clients confidence.

Furthermore, all data processors under the Digital Personal Data Protection Act are mandated to:

  1. Solely process personal data as per the controller’s instructions and promptly inform the controller if any instruction infringes the DPDP Act. In essence, data processors are prohibited from opportunistically using or mining entrusted personal data for purposes beyond the controller’s specifications.
  2. Obtain written consent from the controller before involving subcontractors and assume full liability for any breaches of the DPDP Act by subcontractors.
  3. Facilitate the deletion or return of all personal data to the data fiduciary upon request at the end of the service contract.
  4. Support and actively participate in compliance audits conducted by the data fiduciary or their representatives.
  5. Implement reasonable measures to secure data, encompassing encryption, pseudonymisation, system stability, uptime, backup, disaster recovery, and routine security assessments.
  6. Notify the data fiduciary of any data breach without undue delay once it is discovered.
  7. Transfer personal data to a third country only if legal safeguards have been secured. In select circumstances, a processor must also appoint a DPO.