This text of Iowa § 715D.5 (Processor duties) is published on Counsel Stack Legal Research, covering Iowa primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.
1.A processor shall assist a controller in duties required under this chapter, taking
into account the nature of processing and the information available to the processor by
appropriate technical and organizational measures, insofar as is reasonably practicable, as
follows:
a.To fulfill the controller’s obligation to respond to consumer rights requests pursuant to
section 715D.3.
b.Tomeetthecontroller’sobligationsinrelationtothesecurityofprocessingthepersonal
dataandinrelationtothenotificationofasecuritybreachoftheprocessorpursuanttosection
715C.2.
2.A contract between a controller and a processor shall govern the processor’s data
processing procedures with respect to processing performed on behalf of the controller.
The contract shall clearly set forth instructions for processing pers
Free access — add to your briefcase to read the full text and ask questions with AI
1. A processor shall assist a controller in duties required under this chapter, taking
into account the nature of processing and the information available to the processor by
appropriate technical and organizational measures, insofar as is reasonably practicable, as
follows:
a. To fulfill the controller’s obligation to respond to consumer rights requests pursuant to
section 715D.3.
b. Tomeetthecontroller’sobligationsinrelationtothesecurityofprocessingthepersonal
dataandinrelationtothenotificationofasecuritybreachoftheprocessorpursuanttosection
715C.2.
2. A contract between a controller and a processor shall govern the processor’s data
processing procedures with respect to processing performed on behalf of the controller.
The contract shall clearly set forth instructions for processing personal data, the nature and
purpose of processing, the type of data subject to processing, the duration of processing,
and the rights and duties of both parties. The contract shall also include requirements that
the processor shall do all of the following:
a. Ensure that each person processing personal data is subject to a duty of confidentiality
with respect to the data.
b. At the controller’s direction, delete or return all personal data to the controller as
requested at the end of the provision of services, unless retention of the personal data is
required by law.
c. Upon the reasonable request of the controller, make available to the controller
7 CONSUMER DATA PROTECTIONS, §715D.7
all information in the processor’s possession necessary to demonstrate the processor’s
compliance with the obligations in this chapter.
d. Engage any subcontractor or agent pursuant to a written contract in accordance with
this section that requires the subcontractor to meet the duties of the processor with respect
to the personal data.
3. Nothing in this section shall be construed to relieve a controller or a processor from
imposedliabilitiesbyvirtueofthecontrollerorprocessor’sroleintheprocessingrelationship
as defined by this chapter.
4. Determining whether a person is acting as a controller or processor with respect to a
specific processing of data is a fact-based determination that depends upon the context in
which personal data is to be processed. A processor that continues to adhere to a controller’s
instructions with respect to a specific processing of personal data remains a processor.