§ 899-gg. Processors.
1. Except as provided for in section eight hundred ninety-nine-jj of this article, no operator or processor shall disclose the personal data of a covered user to a third party, or allow the processing of the personal data of a covered user by a third party, without a written, binding agreement governing such disclosure or processing. Such agreement shall clearly set forth instructions for the nature and purpose of the processor's processing of the personal data, instructions for using or further disclosing the personal data, and the rights and obligations of both parties.

2. Processors shall process the personal data of covered users only when permitted by the terms of the agreement pursuant to subdivision one of this section, unless otherwise required by federal, state, or local laws, rules, or regulations.

3. A processor shall, at the direction of the operator, dispose of, destroy, or delete personal data, and notify any other processor to which it disclosed the personal data of the operator's direction, unless retention of the personal data is required by federal, state, or local laws, rules, or regulations. The processor shall provide evidence of such deletion to the operator within thirty days of the deletion request.

4. A processor shall delete or return to the operator all personal data of covered users at the end of its provision of services, unless retention of the personal data is required by federal, state, or local laws, rules, or regulations. The processor shall provide evidence of such deletion to the operator within thirty days of the deletion request.

5. An agreement pursuant to subdivision one of this section shall require that the processor:

(a) process the personal data of covered users only pursuant to the instructions of the operator, unless otherwise required by federal, state, or local laws, rules, or regulations;

(b) assist the operator in meeting the operator's obligations under this article. The processor shall, taking into account the nature of processing and the information available to them, assist the operator by taking appropriate technical and organizational measures, to the extent practicable, for the fulfillment of the operator's obligation to delete personal data pursuant to section eight hundred ninety-nine-ff of this article;

(c) upon reasonable request of the operator, make available to the operator all information in its possession necessary to demonstrate the processor's compliance with the obligations in this section;

(d) allow, and cooperate with, reasonable assessments by the operator or the operator's designated assessor for purposes of evaluating compliance with the obligations of this article. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations under this article using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the operator upon request; and

(e) notify the operator a reasonable time in advance before disclosing or transferring the personal data of covered users to any further processors, which may be in the form of a regularly updated list of further processors that may access personal data of covered users.