Article 6 Organisational requirements regarding outsourcing
1. Where a data reporting services provider arranges for activities to be performed on its behalf by third parties, including undertakings with which it has close links, it shall ensure that the third party service provider has the ability and the capacity, to perform the activities reliably and professionally.
2. A data reporting services provider shall specify which of the activities are to be outsourced, including a specification of the level of human and technical resources needed to carry out each of those activities.
3. A data reporting services provider that outsources activities shall ensure that the outsourcing does not reduce its ability or power to perform senior management or management body functions.
4. A data reporting services provider shall remain responsible for any outsourced activity and shall adopt organisational measures to ensure:
(a) that it assesses whether the third party service provider is carrying out outsourced activities effectively and in compliance with applicable laws and regulatory requirements and adequately addresses identified failures;
(b) the identification of the risks in relation to outsourced activities and adequate periodic monitoring;
(c) adequate control procedures with respect to outsourced activities, including effectively supervising the activities and their risks within the data reporting services provider;
(d) adequate business continuity of outsourced activities;