Oregon Statutes 646A.581 – Duties of processor of personal data; contract between controller and processor; liabilities of controller and processor
(1) A processor shall adhere to a controller’s instructions and shall assist the controller in meeting the controller’s obligations under ORS § 646A.570 to 646A.589. In assisting the controller, the processor must:
Terms Used In Oregon Statutes 646A.581
- Contract: A legal written agreement that becomes binding when signed.
- Person: includes individuals, corporations, associations, firms, partnerships, limited liability companies and joint stock companies. See Oregon Statutes 174.100
(a) Enable the controller to respond to requests from consumers under ORS § 646A.576 by means that take into account how the processor processes personal data and the information available to the processor and that use appropriate technical and organizational measures to the extent reasonably practicable;
(b) Adopt administrative, technical and physical safeguards that are reasonably designed to protect the security and confidentiality of the personal data the processor processes, taking into account how the processor processes the personal data and the information available to the processor; and
(c) Provide information reasonably necessary for the controller to conduct and document data protection assessments.
(2) The processor shall enter into a contract with the controller that governs how the processor processes personal data on the controller’s behalf. The contract must:
(a) Be valid and binding on both parties;
(b) Set forth clear instructions for processing data, the nature and purpose of the processing, the type of data that is subject to processing and the duration of the processing;
(c) Specify the rights and obligations of both parties with respect to the subject matter of the contract;
(d) Ensure that each person that processes personal data is subject to a duty of confidentiality with respect to the personal data;
(e) Require the processor to delete the personal data or return the personal data to the controller at the controller’s direction or at the end of the provision of services, unless a law requires the processor to retain the personal data;
(f) Require the processor to make available to the controller, at the controller’s request, all information the controller needs to verify that the processor has complied with all obligations the processor has under ORS § 646A.570 to 646A.589;
(g) Require the processor to enter into a subcontract with a person the processor engages to assist with processing personal data on the controller’s behalf and in the subcontract require the subcontractor to meet the processor’s obligations under the processor’s contract with the controller; and
(h) Allow the controller, the controller’s designee or a qualified and independent person the processor engages, in accordance with an appropriate and accepted control standard, framework or procedure, to assess the processor’s policies and technical and organizational measures for complying with the processor’s obligations under ORS § 646A.570 to 646A.589, and require the processor to cooperate with the assessment and, at the controller’s request, report the results of the assessment to the controller.
(3) This section does not relieve a controller or processor from any liability that accrues under ORS § 646A.570 to 646A.589 as a result of the controller’s or processor’s actions in processing personal data.
(4)(a) For purposes of determining obligations under ORS § 646A.570 to 646A.589, a person is a controller with respect to processing a set of personal data, and is subject to an action under ORS § 646A.589 to punish a violation of ORS § 646A.570 to 646A.589, if the person:
(A) Does not need to adhere to another person’s instructions to process the personal data;
(B) Does not adhere to another person’s instructions with respect to processing the personal data when the person is obligated to do so; or
(C) Begins at any point to determine the purposes and means for processing the personal data, alone or in concert with another person.
(b) A determination under this subsection is a fact-based determination that must take account of the context in which a set of personal data is processed.
(c) A processor that adheres to a controller’s instructions with respect to a specific processing of personal data remains a processor. [2023 c.369 § 6]
646A.581 becomes operative July 1, 2024. See section 15, chapter 369, Oregon Laws 2023.
[2011 c.393 § 4; renumbered 646A.829 in 2023]