Controllers may share your personal data with a Processor or sub-processor only under specific conditions, as mandated by Article 19 and the Implementing Regulations. This includes: 

• A formal Data Processing Agreement (DPA) must be in place. 

• The Processor and any sub-processor must provide sufficient guarantees to comply with PDPL requirements for personal data protection. 

• A Processor must obtain prior written approval from the Controller before engaging any sub-processor. 

• The Controller remains legally responsible for all data processing, even when conducted by third parties.

The Data Processing Agreement between Controller and Processor must clearly define: 

• The purpose and scope of the data processing 

• Categories of personal data subject to processing 

• Duration of the processing engagement 

• Technical and organizational security measures to be implemented 

• Obligation for breach notification, including timelines and reporting procedures 

• A clause requiring Controller approval before engaging any sub-processor, who must also adhere to the same DPA terms

If the Processor or sub-processor mishandles your data, violating the PDPL or DPA then: 

• The Controller remains fully responsible and accountable for any breach or misuse. 

• The Controller must take corrective action, such as terminating the Processor’s contract or seeking legal remedies. 

• The Controller may face regulatory penalties from SDAIA for failing to effectively supervise or enforce compliance by its Processors.