(1) This section applies to the use by a controller of a processor to carry out processing of personal data on behalf of the controller.
(2) The controller may use only a processor who undertakes -
(a) to implement appropriate measures that are sufficient to secure that the processing complies with this Part;
(b) to provide to the controller such information as is necessary for demonstrating that the processing complies with this Part.
(3) If a processor determines, in breach of this Part, the purposes and means of processing, the processor is to be treated for the purposes of this Part as a controller in respect of that processing.