Article 26(1)

1. Where processing is to be carried out on behalf of a controller, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures.

Article 26(2)

2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller. The controller and the processor shall be free to determine respective roles and tasks with respect to the requirements of this Regulation, and shall provide that the processor shall:

• (a) process personal data only on instructions from the controller, unless otherwise required by Union law or Member State law;
• (b) employ only staff who have committed themselves to confidentiality or are under a statutory obligation of confidentiality;
• (c) take all required measures pursuant to Article 30;
• (d) determine the conditions for enlisting another processor only with the prior permission of the controller, unless otherwise determined.
• (e) insofar as this is possible given the nature of the processing, create in agreement with the controller the appropriate and relevant technical and organisational requirements for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;
• (f) assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34, taking into account the nature of processing and the information available to the processor;
• (g) return all results to the controller after the end of the processing, not process the personal data otherwise and delete existing copies unless Union or Member State law requires storage of the data;
• (h) make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow on-site inspections;

Article 26(3)

3. The controller and the processor shall document in writing the controller's instructions and the processor's obligations referred to in paragraph 2.

Article 26(3a)

3a. The sufficient guarantees referred to in paragraph 1 may be demonstrated by adherence to codes of conduct or certification mechanisms pursuant to Articles 38 or 39 of this Regulation.

Article 26(4)

4. If a processor processes personal data other than as instructed by the controller or becomes the determining party in relation to the purposes and means of data processing, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 24.

Article 26(5)

5. (deleted)

[Source: October 2013]

Article 26(1) [Amended: October 2013]

1. Where a processing operation is to be carried out on behalf of a controller, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures.

Article 26(2) [Amended: October 2013]

2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller and stipulating in particular that the processor shall:

• (a) act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited;
• (b) employ only staff who have committed themselves to confidentiality or are under a statutory obligation of confidentiality;
• (c) take all required measures pursuant to Article 30;
• (d) enlist another processor only with the prior permission of the controller;
• (e) insofar as this is possible given the nature of the processing, create in agreement with the controller the necessary technical and organisational requirements for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;
• (f) assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34;
• (g) hand over all results to the controller after the end of the processing and not process the personal data otherwise;
• (h) make available to the controller and the supervisory authority all information necessary to control compliance with the obligations laid down in this Article.

Article 26(3)

3. The controller and the processor shall document in writing the controller's instructions and the processor's obligations referred to in paragraph 2.

Article 26(4) [Amended: October 2013]

4. If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 24.

Article 26(5) [Deleted: October 2013]

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the responsibilities, duties and tasks in relation to a processor in line with paragraph 1, and conditions which allow facilitating the processing of personal data within a group of undertakings, in particular for the purposes of control and reporting.

[Source: January 2012 | Context: Proposal from the European Commission]

Chapter II General rules on the lawfulness of the processing of personal data

Section VIII Confidentiality and security of processing

Article 17 Security of processing

Article 17(2)

2. The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.

Article 17(3)

3. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:

• - the processor shall act only on instructions from the controller,
• - the obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.

Article 17(4)

4. For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 1 shall be in writing or in another equivalent form.