Section 40

The Personal Data Processor shall have the following duties:

(1)carry out the activities related to the collection, use, or disclosure of

Personal Data only pursuant to the instruction given by the Data Controller,
except where such instruction is contrary to the law or any provisions regarding
Personal Data protection under this Act;

(2)provide appropriate security measures for preventing unauthorized or unlawful loss,

access to, use, alteration, correction or disclosure, of Personal Data, and notify
the Data Controller of the Personal Data breach that occurred;

(3)prepare and maintain records of personal data processing activities in accordance

with the rules and methods set forth by the Committee.

The Data Processor, who fails to comply with (1) for the collection, use, or disclosure

of the Personal Data, shall be regarded as the Data Controller for the collection,
use, or disclosure of such Personal Data.

In carrying out the activities in accordance with the Data Processor obligations

as assigned by the Data Controller under paragraph one, the Data Controller shall
prepare an agreement between the parties to control the activities carried out
by the Data Processor to be in accordance with the Data Processors obligations
for compliance with this Act.

The provisions in (3) may not apply to the Data Processor who is a small

organization pursuant to the rules as prescribed by the Committee, unless
the collection, use, or disclosure of such Personal Data is likely to result
in a risk to the rights and freedoms of data subjects, or not a business where
the collection, use, or disclosure of the Personal Data is occasional,
or involving in the collection, use, or disclosure of the Personal
Data pursuant to section 26 .