                                 CODE OF VIRGINIA

RESPONSIBILITY ACCORDING TO ROLE; CONTROLLER AND PROCESSOR (§ 59.1-579)

A. A processor shall adhere to the instructions of a controller and shall assist
the controller in meeting its obligations under this chapter. Such assistance
shall include:

   1. Taking into account the nature of processing and the information available
   to the processor, by appropriate technical and organizational measures,
   insofar as this is reasonably practicable, to fulfill the controller&#8217;s
   obligation to respond to consumer rights requests pursuant to &#xA7; 59.1-577.

   2. Taking into account the nature of processing and the information available
   to the processor, by assisting the controller in meeting the
   controller&#8217;s obligations in relation to the security of processing the
   personal data and in relation to the notification of a breach of security of
   the system of the processor pursuant to &#xA7; 18.2-186.6 in order to meet the
   controller&#8217;s obligations.

   3. Providing necessary information to enable the controller to conduct and
   document data protection assessments pursuant to &#xA7; 59.1-580.

B. A contract between a controller and a processor shall govern the
processor&#8217;s data processing procedures with respect to processing
performed on behalf of the controller. The contract shall be binding and clearly
set forth instructions for processing data, the nature and purpose of
processing, the type of data subject to processing, the duration of processing,
and the rights and obligations of both parties. The contract shall also include
requirements that the processor shall:

   1. Ensure that each person processing personal data is subject to a duty of
   confidentiality with respect to the data;

   2. At the controller&#8217;s direction, delete or return all personal data to
   the controller as requested at the end of the provision of services, unless
   retention of the personal data is required by law;

   3. Upon the reasonable request of the controller, make available to the
   controller all information in its possession necessary to demonstrate the
   processor&#8217;s compliance with the obligations in this chapter;

   4. Allow, and cooperate with, reasonable assessments by the controller or the
   controller&#8217;s designated assessor; alternatively, the processor may
   arrange for a qualified and independent assessor to conduct an assessment of
   the processor&#8217;s policies and technical and organizational measures in
   support of the obligations under this chapter using an appropriate and
   accepted control standard or framework and assessment procedure for such
   assessments. The processor shall provide a report of such assessment to the
   controller upon request; and

   5. Engage any subcontractor pursuant to a written contract in accordance with
   subsection C that requires the subcontractor to meet the obligations of the
   processor with respect to the personal data.

C. Nothing in this section shall be construed to relieve a controller or a
processor from the liabilities imposed on it by virtue of its role in the
processing relationship as defined by this chapter.

D. Determining whether a person is acting as a controller or processor with
respect to a specific processing of data is a fact-based determination that
depends upon the context in which personal data is to be processed. A processor
that continues to adhere to a controller&#8217;s instructions with respect to a
specific processing of personal data remains a processor.

HISTORY: 2021, Sp. Sess. I, cc. 35, 36.