Skip survey header

DP Assessment Tool – Controller and Processor Obligations

Controller and Processor Obligations

Controllers and Processors have certain contractual obligations that demonstrate compliance with the DIFC DP Law 2020.  This assessment tool covers these obligations under Articles 23 to 25, and helps you to understand what your company may need to do to better comply. 
 
1. Is your organization a Controller of personal data?    

A Controller is an entity that alone or jointly with others, determines the purposes and means of the processing of personal data.
 
2. Is your organization a Processor or Sub-processor of personal data?

Processors are entities that process personal data on behalf of the controller, have obligations to the controllers, to data subjects, and if a sub-processor, to the primary processor, as well.
 
Are the following controls in place, as per Articles 23 or 24 of the DP Law, to ensure that these standards are implemented in your entity’s compliance program?
  • A written, legally binding agreement setting out written instructions for Processors / Sub-processors or defining respective responsibilities for Joint Controllers?
  • Prior authorisation to engage a sub-processor
  • Clear setting out of responsibilities and / or instructions
  • Assurances set out in Article 24(1)
  • At least one part of the written agreement that is accountable for liabilities (even in some cases, third party liabilities)
Please select what is applicable:
  • * This question is required.
Have you incorporated the following details about the processing into your company’s written processing agreements, in accordance with Article 24(5)?
  • The subject matter and duration of the processing
  • The nature and purpose of the processing
  • The type of personal data and categories of data subject
  • The controller’s obligations and rights
Please select what is applicable:
  • * This question is required.
If you’re a processor or sub-processor, does your written agreement include the following, in accordance with Article 25(5)?
  • Clarity on duties of confidentiality
  • Measures to comply with Article 14 are in place
  • Conditions set out in Articles 24(2) and (3)
  • Support and measures in place to respond to a subject access or rights request
  • Provisions to delete or return all Personal Data, or delete existing copies unless storage is required
  • Commitment to demonstrate evidence of compliance with Article 24 available
  • Provision for assistance with audits and inspections
Please select what is applicable:
  • * This question is required.
0%