Data Security: Third Party Risk Management
Overview
Federal Decree-Law No. 45/2021 On the Protection of Personal Data not only obliges the controller to abide by the rules of processing it lays down, but also requires the controller to be vigilant when engaging a processor or sub-processor. Article 7(5) of Federal Decree-Law No. 45/2021 makes it mandatory for the controller to obtain a guarantee from the processor for the incorporation of appropriate technical and organisational measures, whereas Article 8(1) of Federal Decree-Law No. 45/2021 introduces the concept of contracts and agreements regarding the processing of personal data that a processor has to carry out on behalf of a controller.
Definitions
Personal data: Any data relating to an identified natural person, or one who can be identified directly or indirectly by way of linking data, using identifiers such as name, voice, picture, identification number, online identifier, geographic location, or one or more special features that express the physical, psychological, economic, cultural or social identity of such person. It also includes sensitive personal data and biometric data.