The ICP is also responsible for personal data under its control or retention, as well as personal data that is relocated or transferred to third parties to a PIP or a third party. Personal data is generally considered to be under the control or retention of a PIC, even if personal data is outsourced or transferred to a PIP or third parties, either domestic or internationally. As a result, it uses contractual or other appropriate means to protect personal data that is comparable to the law while personal data is processed by a PIP or a third party. The ICP also identifies one or more persons responsible for respecting the above people. The law applies to both the public and private sectors, as the law recognizes that personal data and information communication systems should enjoy the same security and protection in the public sector as the private sector. PICs and PIPs record their computer systems, defined as structures and procedures where that personal data is collected and processed later in an information and communication system or in a relevant archiving system, in the following cases at the NPC: any individual or legal person or other employment organization involved in the processing of personal data and which is not complied with by law. , the NCP`s ERRORS or other emissions, which are found to have committed a violation of the law, and its administrative, civil and criminal debts, are subject to administrative, civil and criminal obligations. In order to ensure compliance with data protection legislation and to strengthen surveillance of threats and vulnerabilities that may affect the protection of personal data, the NCP requires PICs and PIPs to submit an annual report containing all security incidents and personal data breaches. The annual report is expected to include all security incidents and data breaches of a PIC and PIP from January 1 to December 31 of the previous year. In addition, it must contain a summary of all injury incidents and the total number of injury-free incidents.

In summary, any data exchange agreement, pursuant to the confidentiality statement, must comply with the conditions set out in Section 20, Point b), the RT, as well as the conditions set out in Circular NPC 16-02 in which the sharing agreement participates. On the other hand, outsourcing agreements must be in compliance with Section 44 of the ACCORD. On the other hand, a subcontractor is anyone who processes personal data on behalf of the processor. The definition of „processing“ suggests that the activities of a data processor should be limited to the „technical“ aspects of an operation, such as. B storage, modification, consultation and erasure. A good example is that a bank hires an IT company to store archived data on its behalf. In reality, the IT company will use its own technical knowledge to decide how best to store data in a safe and accessible way. Despite this freedom of choice, the IT company is still not considered a controller. This is because the bank retains exclusive control over the purpose for which the data is processed and the content of the data. Here, too, it is a question of who controls the content of personal data.

This distinction is important for compliance and accountability. According to the data protection authority, anyone responsible for processing is responsible for personal data under its control or retention, including information that has been disclosed to third parties for processing.