Transferring personal data to a data processor requires an element of due diligence to have taken place. In particular, all processing by a data processor must be governed by a contract that stipulates a number of specified clauses. These clauses ensure that a legal obligation exists to protect the data subject’s data and their rights; should any of these clauses not be present, the contract with the data processor should be considered non-compliant.
It is also a requirement that the data processor provides sufficient guarantees that it has ‘technical and organisational measures’ in place to protect personal data. These guarantees may be included in the contract or, where there might be a higher risk to the data subject, it is recommended that these measures be reviewed separately in a data protection security assessment.
If a data processor needs to engage with another data processor, then they must first obtain the permission of the data controller in writing before doing so.
Additional safeguards will also be required if the transfer of personal data is an international transfer.