The Personal Data Processor shall have the following duties:
(1) carry out the activities related to the collection, use, or disclosure of Personal Data only pursuant to the instruction given by the Data Controller, except where such instruction is contrary to the law or any provisions regarding Personal Data protection under this Act;
(2) provide appropriate security measures for preventing unauthorized or unlawful loss, access to, use, alteration, correction or disclosure of Personal Data, and notify the Data Controller of the Personal Data breach that occurred;
(3) prepare and maintain records of personal data processing activities in accordance with the rules and methods set forth by the Committee.
The Data Processor who fails to comply with (1) for the collection, use, or disclosure of the Personal Data shall be regarded as the Data Controller for the collection, use, or disclosure of such Personal Data.
In carrying out the activities in accordance with the Data Processor's obligations as assigned by the Data Controller under paragraph one, the Data Controller shall prepare an agreement between the parties to control the activities carried out by the Data Processor to be in accordance with the Data Processor's obligations for compliance with this Act.
The provisions in (3) may not apply to the Data Processor who is a small organization pursuant to the rules as prescribed by the Committee, unless the collection, use, or disclosure of such Personal Data is likely to result in a risk to the rights and freedoms of data subjects, or it is not a business where the collection, use, or disclosure of the Personal Data is occasional, or it involves the collection, use, or disclosure of the Personal Data pursuant to section 26.