Considerations when Selecting a Litigation Support Vendor
Regardless of which transfer method a company relies upon, the amount of data transferred should be the minimum necessary to achieve the purpose for which the data is being transferred, and appropriate technical and organizational processes must still be put in place to protect the relevant data. Responses to a discovery request or subpoena must be narrowed to focus on only the information and custodians directly relevant to the issue under consideration.
The GDPR imposes legal compliance obligations directly on processors in addition to those obligations of controllers. Processors are also required to process personal data in accordance with the controller’s instructions. As a result, controllers will likely require processors to comply with many of the requirements that apply to controllers.
Any transfer of personal data intended for processing after transfer to a third country is subject to specific restrictions in Chapter V of the GDPR. A controller or processor may transfer personal data to a third country only if the controller or processor has provided appropriate safeguards, and on the condition that enforceable data subject rights and effective legal remedies for data subjects are available following the transfer.
Source: Law Technology Today