25.
(1) A data processor shall not engage the services of a third party without the prior authorisation of the data controller.
(2) Where authorisation is given, the data processor shall enter into a contract with the third party.
(3) The contract contemplated under sub-regulation (1) shall include such particulars as provided for under sub-regulation 24(2).
(4) A data processor shall remain liable to the data controller for the compliance of any third party that they engage.