(a) A processor shall adhere to the instructions of a controller, and shall: (1) Assist the controller in meeting the controller’s obligations under sections 42-529 to 42-529e, inclusive, taking into account (A) the nature of the processing, (B) the information available to the processor by appropriate technical and organizational measures, and (C) whether such assistance is reasonably practicable and necessary to assist the controller in meeting such obligations; and (2) provide any information that is necessary to enable the controller to conduct and document data protection assessments.

Ask a business law question, get an answer ASAP!
Thousands of highly rated, verified business lawyers.
Click here to chat with a lawyer about your rights.

(b) A contract between a controller and a processor shall satisfy the requirements established in subsection (b) of section 42-521.

(c) Nothing in this section shall be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of such controller’s or processor’s role in the processing relationship, as described in sections 42-529 to 42-529e, inclusive.

(d) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. A person who is not limited in such person’s processing of personal data pursuant to a controller’s instructions, or who fails to adhere to such instructions, is a controller and not a processor with respect to a specific processing of data. A processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to such processing and may be subject to an enforcement action under section 42-529e.