Article 28. Processor 1. Where processing is to be carried out on behalf of a controller,

the controller shall use only processors providing sufficient guarantees to implement appropriate

technical and organizational measures in such a manner that processing will meet the

requirements of this regulation

and ensure the protection of the rights of the data subject.

2. The processor shall not engage another processor without prior specific or general written

authorization of the controller. In the case of general written authorization, the processor

shall inform the controller of any intended changes concerning the

addition or replacement of other processors, thereby giving the controller the opportunity

to object to such changes.

3. Processing by a processor shall be governed by a contract or other legal act under union

or member state law, that is binding on the processor with regard to the controller and that sets out the subject matter and duration of the processing,

the nature and purpose of the processing, the type of personal data and categories of

data subjects and the obligations and rights of the controller. That contract or other legal

act shall stipulate, in particular, that the processor.

A. Processes the personal data only on documented instructions from the controller,

including with regard to transfers of personal data to a third country, or an international organization, unless required to do so by union or member state law to which the processor

is subject. In such a case, the processor shall

inform the controller of that legal requirement before processing, unless that law prohibits

such information on important grounds of public interest.

V, ensures that persons authorized to process the personal data have committed themselves to

confidentiality or are under an appropriate statutory obligation

...