25—Obligations of a data processor

25.

(1) A data processor shall not engage the services of a third party without the prior authorisation of the data controller.

(2) Where authorisation is given, the data processor shall enter into a contract with the third party.

(3) The contract contemplated under sub-regulation (1) shall include such particulars as provided for under sub-regulation 24(2).

(4) A data processor shall remain liable to the data controller for the compliance of any third party that they engage.

67  PART IV—OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS