Data Processor

58.(1) Where processing is to be carried out on behalf of a data controller, the data controller shall only use a data processor who shall implement the appropriate technical and organisational measures to ensure that processing will

(a) be in accordance with the requirements of this Act; and

(b) ensure the protection of the rights of the data subject.

(2) The data processor shall not engage another data processor without prior specific or general written authorisation of the data controller.

(3) Where there is general written authorisation pursuant to subsection (2), the data processor shall inform the data controller of any intended changes concerning the addition or replacement of other data processors and the data controller shall be given the opportunity to object to such changes.

(4) Processing by a data processor shall be governed by a written contract between the data processor and the data controller which sets out the following:

(a) the subject-matter and duration of the processing;

(b) the nature and purpose of the processing;

(c) the type of personal data and categories of data subjects;

(d) the obligations and rights of the data controller.

(5) The contract prepared pursuant to subsection (4) shall also stipulate that the data processor

(a) processes the personal data only on documented instructions from the data controller, including with regard to transfers of personal data to countries outside of Barbados or an international organisation, unless required to do so by any enactment and in such a case, the data processor shall inform the data controller of that legal requirement before processing, unless the enactment prohibits such information to be shared on important grounds of public interest;

(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) takes all measures required pursuant to section 62;

(d) respects the conditions referred to in subsections (2) and (7) for engaging another data processor;

(e) taking into account the nature of the processing, assists the data controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the data controller's obligation to respond to requests for exercising the data subject's rights under Part III;

(f) assists the data controller in ensuring compliance with the obligations pursuant to sections 62 to 66 taking into account the nature of processing and the information available to the data processor;

(g) on the determination of the data controller, deletes or returns all the personal data to the data controller after the end of the provision of services relating to processing, and deletes existing copies unless the enactment requires storage of the personal data;

(h) makes available to the data controller all information necessary to demonstrate compliance with the obligations set out in this section and allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controller.

(6) Where in relation to subsection (5)(h) an instruction from the data controller to the data processor infringes this Act, the data processor shall immediately inform the data controller.

(7) Where a data processor engages another data processor for carrying out specific processing activities on behalf of the data controller in accordance with subsection (2), the same obligations as set out in the contract between the data controller and the data processor as referred to in subsections (5) and (6) shall be imposed on that other data processor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Act.

(8) Where that other data processor mentioned in subsection (7) fails to fulfil its data protection obligations, the initial data processor referred to in subsection (7) shall remain fully liable to the data controller for the performance of that other data processor's obligations.

(9) The Commissioner with the approval of the Minister may prescribe standard contractual clauses for the matters referred to in subsections (5) and (7).

(10) Where a data processor contravenes this Act by determining the purposes and means of processing, the data processor shall be considered to be a data controller in respect of that processing.