Drafting looks OK to me.
Point (h) is about the information processor must make available to controller.
the addendum is simply saying if the processor has information suggesting an instruction is in breach this must be communicated.
Kept seperate, I think, so that the obligation arises even if the processor agreement does not say so. The obligation is not one which must be "stipulated"
No need to reference point (a) as the reference to "an instruction" clearly refers to instructions within (a) - but also any other instructions. That is to say the obligation arises even if the processor contract is defective and doesn't stiplulate as 3(a) requires.
... and yes I know there may be an argument that in such case the processor is actually a controller as not acting on instructions. In the real world I come across many contracts which fail some of the requirements of Art28 but we still proceed on the basis that it is a controller - processor relationship. Most common is a failure to address 28(3)(d) when (initially at least) there are no sub-processors.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
An archive of messages is stored permanently at http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send an email to [log in to unmask] with no subject
and leave data-protection as the message body. This is an automated service.
Additional subscriber help is available at https://www.jiscmail.ac.uk/help/subscribers.html
Any other list queries can be emailed to [log in to unmask]
For general JISCMail queries please email [log in to unmask]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|