(1) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting or complying with the controller’s duties under this section and the requirements of this part, including the following:

(a) Assisting the controller in responding to consumer rights requests submitted pursuant to ss. 501.705 and 501.709, by using appropriate technical and organizational measures, as reasonably practicable, taking into account the nature of processing and the information available to the processor.

Terms Used In Florida Statutes 501.712

  • Consumer: means an individual who is a resident of or is domiciled in this state acting only in an individual or household context. See Florida Statutes 501.702
  • Contract: A legal written agreement that becomes binding when signed.
  • control: means :
    1. See Florida Statutes 501.702
  • Controller: means :
    (a) A sole proprietorship, partnership, limited liability company, corporation, association, or legal entity that meets the following requirements:
    1. See Florida Statutes 501.702
  • Liabilities: The aggregate of all debts and other legal obligations of a particular person or legal entity.
  • Personal data: means any information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual. See Florida Statutes 501.702
  • processing: means an operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. See Florida Statutes 501.702
  • Processor: means a person who processes personal data on behalf of a controller. See Florida Statutes 501.702
(b) Assisting the controller with regard to complying with the requirement relating to the security of processing personal data and to the notification of a breach of security of the processor’s system under s. 501.171, taking into account the nature of processing and the information available to the processor.
(c) Providing necessary information to enable the controller to conduct and document data protection assessments under s. 501.713.
(2) A contract between a controller and a processor governs the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract must include all of the following information:

(a) Clear instructions for processing data.
(b) The nature and purpose of processing.
(c) The type of data subject to processing.
(d) The duration of processing.
(e) The rights and obligations of both parties.
(f) A requirement that the processor:

1. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
2. At the controller’s direction, delete or return all personal data to the controller as requested after the provision of the service is completed, unless retention of the personal data is required by law;
3. Make available to the controller, upon reasonable request, all information in the processor’s possession necessary to demonstrate the processor’s compliance with this part;
4. Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor; and
5. Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the requirements of the processor with respect to the personal data.
(3) Notwithstanding subparagraph (2)(f)4., a processor may arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of the requirements under this part using an appropriate and accepted control standard or framework and assessment procedure. The processor shall provide a report of the assessment to the controller upon request.
(4) This section may not be construed to relieve a controller or a processor from the liabilities imposed on the controller or processor by virtue of its role in the processing relationship as described by this part.
(5) A determination as to whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends on the context in which personal data is to be processed. A processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal data remains in the role of a processor.
  Previous section
Next section  
 Part V Contents