This is why the processor must describe the certified framework it uses for the transfer of consumer data from the EU to other countries. The processor must ensure «that the persons authorised to process the personal data have undertaken to respect confidentiality». Note that this is not the same as a confidentiality agreement. It is primarily intended to protect the interests of the data subjects, and not of the processor or data controller. The subcontractor is a software development company that has been commissioned by the data controller to provide the data controller with software as a support service for the production of business documents. The content of this DPA reflects the limited amount of personal data processed by the processor for the data controller. 7.2 The processor shall provide the data controller with appropriate cooperation so that the data controller can carry out any data protection impact assessment that it is required to carry out under current data protection legislation. 6.1. The processor will ensure that all members of the processor`s staff who are necessary to access the personal data are required to comply with the obligation of confidentiality provided for in the agreement or to be subject to a legal obligation of confidentiality. This is how the Sendmate agreement addresses this obligation: while the notification of breaches to the manager and supervisory bodies is non-negotiable, you may not have to report them to the persons concerned.