30-14-2813. (Effective October 1, 2024) Data processor — allowances — limitations. (1) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller’s obligations under this part to include:

contract signature

Ask a consumer protection question, get an answer ASAP!
Thousands of highly rated, verified consumer protection lawyers.
Help with credit card debt, collections, defective products
Get help with bankruptcy, filing complaints, extended warranties & more
Click here to chat with a lawyer about your rights.

Terms Used In Montana Code 30-14-2813

  • Consumer: means an individual who is a resident of this state. See Montana Code 30-14-2802
  • Contract: A legal written agreement that becomes binding when signed.
  • Controller: means an individual who or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data. See Montana Code 30-14-2802
  • Liabilities: The aggregate of all debts and other legal obligations of a particular person or legal entity.
  • Obligation: An order placed, contract awarded, service received, or similar transaction during a given period that will require payments during the same or a future period.
  • Person: includes a corporation or other entity as well as a natural person. See Montana Code 1-1-201
  • Personal data: means any information that is linked or reasonably linkable to an identified or identifiable individual. See Montana Code 30-14-2802
  • processing: means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. See Montana Code 30-14-2802
  • Processor: means an individual who or legal entity that processes personal data on behalf of a controller. See Montana Code 30-14-2802

(a)considering the nature of processing and the information available to the processor by appropriate technical and organizational measures as much as reasonably practicable to fulfill the controller’s obligation to respond to consumer rights requests;

(b)considering the nature of processing and the information available to the processor by assisting the controller in meeting the controller’s obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security, as provided for in 30-14-1704, of the system of the processor to meet the controller’s obligations; and

(c)providing necessary information to enable the controller to conduct and document data protection assessments.

(2)A contract between a controller and a processor must govern the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract must be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract must also require that the processor:

(a)ensure that each person processing personal data is subject to a duty of confidentiality with respect to the personal data;

(b)at the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;

(c)on the reasonable request of the controller, make available to the controller all information in the processor’s possession necessary to demonstrate the processor’s compliance with the obligations in this part;

(d)engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and

(e)allow and cooperate with reasonable assessments by the controller or the controller’s designated assessor, or the processor may arrange for a qualified and independent assessor to assess the processor’s policies and technical and organizational measures in support of the obligations under this part using an appropriate and accepted control standard or framework and assessment procedure for the assessments. The processor shall provide a report of the assessment to the controller on request.

(3)Nothing in this section may be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of the controller’s or processor’s role in the processing relationship, as described in this part.

(4)Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends on the following context in which personal data is to be processed:

(a)A person who is not limited in the processing of personal data pursuant to a controller’s instructions or who fails to adhere to a controller’s instructions is a controller and not a processor with respect to a specific processing of data.

(b)A processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal data remains a processor.

(c)If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to the processing and may be subject to an enforcement action under 30-14-2817.

  Previous
Next  
 Part 28 Contents