“Accredited affiliate” refers to all of your related companies that (i) are authorized to use subscription services in accordance with the agreement, but who have not signed a separate agreement with us and who are not a “customer” within the meaning of the agreement, (ii) are responsible for the personal data we process and (iii) are subject to EU data protection legislation. A subcontractor cannot support the services of a subprocessor without the express or written prior written permission of the processor. When authorization is granted, the subcontractor must enter into a contract with the subcontractor. The contractual terms of Article 28, paragraph 3, must provide a level of protection for personal data equivalent to that of the contract between the processing manager and the subcontractor. Transformers are responsible for processing compliance with the subprocessings they use. Our DATA AGENCY provides a number of guarantees to companies that entrust us with personal data. For example, ProtonMail`s data processing agreement promises the use of technical security measures, such as encryption, in accordance with Article 32 of the RGPD. In addition, it provides appropriate support to those responsible for processing in the implementation of a data protection impact assessment. (h) make available to the persons concerned, upon request, a copy of the clauses, with the exception of Appendix 2, as well as a summary description of the security measures, as well as a copy of a contract for sub-treatment services to be made in accordance with the clauses, unless the clauses or contract contain commercial information, in which case they may withdraw this commercial information; 2. The data importer and subcontractor guarantee, at the request of the data exporter and/or the supervisory authority, that they submit their computer facilities to review the measures covered in paragraph 1. The processing manager must ensure that the scope of the subcontractor`s CCA does not exceed the original legal basis for data processing. In other words, the outsourcing company should be able to use the data for purposes defined in the agreement. It is the controller`s responsibility to check how the processor uses the data it transmits to them.