(1) A data controller shall ensure that a data processor who processes personal data for the data controller, establishes and complies with the security measures specified under this Act.

(2) The processing of personal data for a data controller by a data processor shall be governed by a written contract.

(3) A contract between a data controller and a data processor shall require the data processor to establish and maintain the confidentiality and security measures necessary to ensure the integrity of the personal data.

(4) Where a data processor is not domiciled in this country, the data controller shall ensure that the data processor complies with the relevant laws of this country.