Define, implement and evaluate processes, procedures and technical measures for the transfer and sub-processing of personal data within the service supply chain, according to any applicable laws and regulations.
The CSP should identify subcontractors and sub-processors that participate in the data processing, along with the chain of accountabilities and responsibilities used to ensure that data protection requirements are fulfilled. The CSP should inform the cloud customer of any intended changes concerning the addition or replacement of subcontractors or sub-processors and allow the cloud customer to object to such changes or terminate the contract. The data protection obligations agreed upon between the CSP and the cloud customer should be supported by any subcontractors or sub-processors used by the CSP. The CSP remains liable to the cloud customer for data protection, regardless of whether the CSP uses subcontractors or not.
- Examine the organization's contractual terms, procedures, roles and responsibility documents and technical requirements for the transfer of personal data and sensitive data to sub-processors and how sub-processors are to treat this data.
- Establish whether the organization has documented the roles and responsibilities for this process.
- Select a sample of data transfers to sub-processors to establish that the controls and reporting the sub-processor are in place and ensure that these comply with the organization's data privacy and security policy.
- Examine the organization's contractual requirements for sub-processor compliance, reporting and non-compliance sanctions, and the organization's right to audit. Establish sub-processors' processes, controls and metrics to comply with those of the organization.
[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.