To the extent personal data are processed by ICT third-party service providersmeans an undertaking providing ICT services;, this policy and any contractual arrangements are without prejudice to and should complement the obligations under Regulation (EU) 2016/679 of the European Parliament and of the Council (2)Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj)., such as to have a written contract in place describing the personal data processing, requirement to ensure security of personal data processing and setting out all other elements required under that regulation.