SCHEDULES
SCHEDULE 1The data protection principles
Part IIInterpretation of the principles in Part I
The seventh principle
11
Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle—
a
choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and
b
take reasonable steps to ensure compliance with those measures.