24—Contract between data controller and data processor

24. (1) Subject to section 42(2)(b) of the Act, a data controller shall engage a data processor, through a written contract.

(2) The contract envisaged under sub-regulation (1) shall include the following particulars—

(a) processing details including—

(i)  the subject matter of the processing;

(ii)  the duration of the processing;

(iii)  the nature and purpose of the processing;

(iv)  the type of personal data being processed;

(v)  the categories of data subjects; and

(vi)  the obligations and rights of the data controller;

(b)  instructions of the data controller;

(c)  duty on the data processors to obtain a commitment of confidentiality from any person or entity that the data processors allows to process the personal data;

(d)  security measures subjecting the data processor to appropriate technical and organizational measures in relation to keeping personal data secure;

(e)  provision stipulating that all personal data must be permanently deleted or returned on termination or lapse of the agreement, as decided by the data controller; and

(f)  auditing and inspection provisions by the data controller.

PART IV—OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS