Some other topics that can be addressed in the appendices are: in the absence of a data processing agreement or other written contract, it is illegal for a processor to use the services of a data processor or for a data processor to process personal data on behalf of a data manager. "Treatment by a subcontractor is subject to a contract or other legal act, within the meaning of EU or Member State legislation, which is mandatory for the subcontractor with regard to the person in charge of the treatment and which defines the purpose and duration of the treatment, the nature and purpose of the treatment, the nature of the data of a personal nature and the categories of persons concerned. , as well as the obligations and rights of the person in charge of the treatment." The RGPD imposes new obligations on data processors. As the European Commission says, data publishers cannot hide behind their data managers. However, the primary duty of security of personal data rests with the person in charge of the processing. 5.1. The data processor will implement and maintain the required and organizational security measures to protect personal data from accidental or unlawful destruction, loss, damage or tampering, as well as from any unauthorized disclosure, abuse or other treatment, in violation of the requirements of the Data Protection Act. CloudMQTT explains here how the processing manager should give instructions and what should be contained in these instructions, as well as the obligation for the processing manager to respect data protection and consent obligations. 18.104.22.168 the transfer of personal data from the company by a contract subcontractor to a subcontractor or between two branches of a commercial subcontractor, at least where such transmission would be prohibited by data protection legislation (or by the conditions of data transfer agreements put in place to impose restrictions on data protection); The data processor takes appropriate action to verify whether, and by whom, personal data has been introduced, modified or deleted from data processing systems.