Code · BILL · 117th Congress · H.R. 8152 (Introduced in House) — To provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaning... · Sec. 302

Sec. 302. Service providers and third parties


(a) A service provider—
    (1) shall only collect, process, and transfer service provider data to the extent strictly necessary and proportionate to provide a service requested by the covered entity. This paragraph shall not require a service provider to collect or process covered data if the service provider would not otherwise do so;
    (2) shall not collect, process, or transfer service provider data if the service provider has actual knowledge that the covered entity violated this Act with respect to such data;
    (3) shall assist a covered entity in fulfilling the covered entity’s obligation to respond to individual rights requests pursuant to section 203, by appropriate technical and organizational measures, taking into account the nature of the processing and the information reasonably available to the service provider;
    (4) may engage another service provider for purposes of processing service provider data on behalf of a covered entity only after providing the covered entity that is directing the services or functions of the service provider with respect to such service provider data with notice, and pursuant to a written contract that requires such other service provider to satisfy the obligations of the service provider with respect to such service provider data;
    (5) shall, upon the reasonable request of the covered entity, make available to the covered entity information necessary to demonstrate the service provider’s compliance with the obligations in this Act, which may include making available a report of an independent assessment arranged by the service provider on terms agreed to by the parties and making the report required under section 207(c)(2) as applicable;
    (6) shall, at the covered entity’s direction, delete or return all covered data to the covered entity as requested at the end of the provision of services, unless retention of the covered data is required by law;
    (7) shall not transfer service provider data to any person, with the exception of another service provider, without the affirmative express consent, obtained by the covered entity with the direct relationship to the individual that is directing the services or functions of the service provider with respect to the service provider data, of the individual to whom the service provider data is linked or reasonably linkable;
    (8) shall develop, implement, and maintain reasonable administrative, technical, and physical safeguards that are designed to protect the security and confidentiality of covered data it processes consistent with section 208; and
    (9) shall be exempt from the requirements of section 202(d) with respect to service provider data but shall provide direct notification regarding material changes to its privacy policy to each covered entity with which it provides services or functions as a service provider, in each language that the privacy policy is made available.

Compliance with this provision does not alleviate any obligations the service provider has to the covered entity to which it provides services or functions as a service provider.

(b)(1) A person or entity may act as a service provider pursuant to a written contract between the covered entity and the service provider, or a written contract between one service provider and a second service provider as permitted in section 302(a)(4), provided that the contract—
    (A) governs the service provider’s data processing procedures with respect to processing or transfer performed on behalf of the covered entity or service provider;
    (B) clearly sets forth—
        (i) instructions for processing data;
        (ii) the nature and purpose of processing;
        (iii) the type of data subject to processing;
        (iv) the duration of processing; and
        (v) the rights and obligations of both parties;
    (C) does not relieve a covered entity or a service provider of an obligation under this Act; and
    (D) prohibits—
        (i) collecting, processing, or transferring covered data in contravention to subsection (a); and
        (ii) combining service provider data with covered data which the service provider receives from or on behalf of another person or persons or collects from its own interaction with an individual.
(2) The contract may, subject to agreement with the service provider, permit a covered entity to monitor the service provider’s compliance with the contract through measures including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing at least once every 12 months.
(3) Determining whether a person is acting as a covered entity or service provider with respect to a specific processing of data is a fact-based determination that depends upon the context in which such data is processed.

(c)(1) A covered entity or service provider that transfers covered data to a service provider, in compliance with the requirements of this Act, is not liable for a violation of this Act by the service provider to whom such covered data was transferred, provided that, at the time of transferring such covered data, the covered entity or service provider did not know or have reason to know that the service provider would likely commit a violation of this Act.
(2) A covered entity or service provider that receives covered data in compliance with the requirements of this Act is not in violation of this Act as a result of a violation by a covered entity or service provider from which it receives such covered data.

(d) A third party—
    (1) shall not process third-party data for a processing purpose other than, in the case of sensitive covered data, the processing purpose for which the individual gave affirmative express consent and, in the case of non-sensitive data, the processing purpose for which the covered entity made a disclosure pursuant to section 204(b)(4);
    (2) for purposes of paragraph (1), may reasonably rely on representations made by the covered entity that transferred the third-party data, provided that the third party conducts reasonable due diligence on the representations of the covered entity and finds those representations to be credible; and
    (3) shall be exempt from the requirements of section 204 with respect to third-party data, but shall otherwise have the same responsibilities and obligations as a covered entity with respect to such data under all other provisions of this Act.

(e)(1) A covered entity or service provider shall exercise reasonable due diligence in—
    (A) selecting a service provider; and
    (B) deciding to transfer covered data to a third party.
(2) Not later than 2 years after the date of enactment of this Act, the Commission shall publish guidance regarding compliance with this subsection, taking into consideration the burdens on small- and medium-sized covered entities.