Current through bills signed by governor as of 5/17/2024
Section 715D.5 - [Effective 1/1/2025] [Multiple versions] Processor duties1. A processor shall assist a controller in duties required under this chapter, taking into account the nature of processing and the information available to the processor by appropriate technical and organizational measures, insofar as is reasonably practicable, as follows: a. To fulfill the controller's obligation to respond to consumer rights requests pursuant to section 715D.3.b. To meet the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a security breach of the processor pursuant to section 715C.2.2. A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties. The contract shall also include requirements that the processor shall do all of the following:a. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.b. At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.c. Upon the reasonable request of the controller, make available to the controller all information in the processor's possession necessary to demonstrate the processor's compliance with the obligations in this chapter.d. Engage any subcontractor or agent pursuant to a written contract in accordance with this section that requires the subcontractor to meet the duties of the processor with respect to the personal data.3. Nothing in this section shall be construed to relieve a controller or a processor from imposed liabilities by virtue of the controller or processor's role in the processing relationship as defined by this chapter.4. Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor.Added by 2023 Iowa, ch 17, s 5, eff. 1/1/2025.This section is set out more than once due to postponed, multiple, or conflicting amendments.