Under Article 28(3)(f) the contract must say that, taking into account the nature of the processing and the information available, the processor must assist the controller in meeting its obligations to:
- keep personal data secure;
- notify personal data breaches to the supervisory authority;
- notify personal data breaches to data subjects;
- carry out data protection impact assessments (DPIAs) when required; and
- consult the supervisory authority where a DPIA indicates there is a high risk that cannot be mitigated.
We recommend that the contract is as clear as possible about how the processor will help the controller meet its obligations.
