INTRODUCTION
REGULATION
principles of data protection by design and by default should also be
taken into consideration in the context of public tenders.
(79) The protection of the rights and freedoms of data subjects as well as
the responsibility and liability of controllers and processors, also in
relation to the monitoring by and measures of supervisory authorities,
requires a clear allocation of the responsibilities under this Regulation,
including where a controller determines the purposes and means of
the processing jointly with other controllers or where a processing
operation is carried out on behalf of a controller.
(80) Where a controller or a processor not established in the Union is
processing personal data of data subjects who are in the Union whose
processing activities are related to the offering of goods or services,
irrespective of whether a payment of the data subject is required, to
such data subjects in the Union, or to the monitoring of their behaviour
as far as their behaviour takes place within the Union, the controller or
the processor should designate a representative, unless the processing
is occasional, does not include processing, on a large scale, of special
categories of personal data or the processing of personal data relating to
criminal convictions and offences, and is unlikely to result in a risk to the
rights and freedoms of natural persons, taking into account the nature,
context, scope and purposes of the processing or if the controller is a
public authority or body. The representative should act on behalf of the
controller or the processor and may be addressed by any supervisory
authority. The representative should be explicitly designated by a
written mandate of the controller or of the processor to act on its behalf
with regard to its obligations under this Regulation. The designation
of such a representative does not affect the responsibility or liability
of the controller or of the processor under this Regulation. Such a
representative should perform its tasks according to the mandate
received from the controller or processor, including cooperating with
the competent supervisory authorities with regard to any action
taken to ensure compliance with this Regulation. The designated
representative should be subject to enforcement proceedings in the
event of non-compliance by the controller or processor.
(81) To ensure compliance with the requirements of this Regulation in respect
of the processing to be carried out by the processor on behalf of the
controller, when entrusting a processor with processing activities, the
controller should use only processors providing sufficient guarantees,
in particular in terms of expert knowledge, reliability and resources, to
implement technical and organisational measures which will meet the
requirements of this Regulation, including for the security of processing.
The adherence of the processor to an approved code of conduct or
an approved certification mechanism may be used as an element to
demonstrate compliance with the obligations of the controller. The
carrying-out of processing by a processor should be governed by a
contract or other legal act under Union or Member State law, binding
the processor to the controller, setting out the subject-matter and
duration of the processing, the nature and purposes of the processing,
the type of personal data and categories of data subjects, taking into
account the specific tasks and responsibilities of the processor in the
context of the processing to be carried out and the risk to the rights and




