24.
(1) Subject to section 42(2)(b) of the Act, a data controller shall engage a data processor, through a written contract.
(2) The contract envisaged under sub-regulation (1) shall include the following particulars—
(a) processing details including—
(i) the subject matter of the processing;
(ii) the duration of the processing;
(iii) the nature and purpose of the processing;
(iv) the type of personal data being processed;
(v) the categories of data subjects; and
(vi) the obligations and rights of the data controller;
(b) instructions of the data controller;
(c) duty on the data processors to obtain a commitment of confidentiality from any person or entity that the data processors allow to process the personal data;
(d) security measures subjecting the data processor to appropriate technical and organizational measures in relation to keeping personal data secure;
(e) provision stipulating that all personal data must be permanently deleted or returned on termination or lapse of the agreement, as decided by the data controller; and
(f) auditing and inspection provisions by the data controller.