Sec. 8. Rules relating to service providers
Source: /bill/117/s/1494/is/section-8
A covered entity shall only disclose personal data to a service provider pursuant to a contract that is binding on both parties and meets the requirements of subsection (b).

Any covered entity that discloses personal data to a service provider shall—
  (i) take reasonable steps to identify whether the service provider has established appropriate procedures and controls for ensuring the privacy and security of the personal data in a manner that complies with the requirements of this Act, including through reasonable representations made to the covered entity by the service provider in the contract governing the disclosure of personal data to the service provider; and
  (ii) investigate any circumstances for which a reasonable person would determine that there is a high probability that the service provider is not in compliance with a requirement of this Act, and, if necessary based on the findings of such investigation, take reasonable steps to protect the privacy and security of any personal data disclosed by the covered entity to the service provider that is at risk as a result of the service provider's noncompliance with a requirement of this Act.

In determining whether a covered entity has acted reasonably in complying with clause (i) or (ii) of subparagraph (A), the Commission shall take into account—
  the size, complexity, and resources of the covered entity and whether the covered entity is a small business; and
  the risk of harm reasonably expected to occur as a result of the covered entity disclosing personal data to a service provider without complying with such clause.

A contract between a covered entity and a service provider governing the disclosure of personal data by the covered entity to the service provider shall—
  require the service provider to only collect or process the personal data as directed by the covered entity;
  establish the purposes for, and means of, the collecting or processing of the personal data by the service provider, including instructions, policies, and practices, as applicable, with which the service provider is required to comply; and
  include a reasonable representation by the service provider indicating that the service provider has established appropriate procedures and controls to comply with the requirements of this Act.

No contract governing the disclosure of personal data by a covered entity to a service provider shall relieve a covered entity or service provider of any requirement or obligation with respect to such personal data that is imposed on the covered entity or service provider, as applicable, by this Act.

In the event that a service provider is required to process personal data in order to comply with a legal requirement, including a subpoena, summons, or other properly executed compulsory process, the service provider shall inform the covered entity from which it received the personal data involved of such legal requirement before such processing, unless the service provider is otherwise prohibited by law from providing such notification.

If a service provider amends its policies or practices relating to personal data in a manner that is relevant to compliance with any provision of this Act, the service provider shall provide reasonable notice in advance of such change to any covered entity on whose behalf the service provider collects or processes personal data.

A service provider that collects or processes personal data on behalf of a covered entity shall, to the extent possible, either—
  provide the covered entity with appropriate technical and organizational measures to enable the covered entity to comply with requests to exercise rights described in section 5 with respect to any such personal data that is held by, and reasonably accessible to, the service provider; or
  respond to any request made by the covered entity for assistance in complying with a request to exercise such a right with respect to such personal data that the covered entity has verified as described in section 5(f) and has determined must be complied with under this Act by, as appropriate—
    in the case of a request described in subsection (b) of section 5, providing the covered entity with access to any relevant personal data held by, and reasonably available to, the service provider;
    in the case of a request described in subsection (c) of such section, by correcting any relevant personal data held by, and reasonably accessible to, the service provider, and providing the covered entity with notice of such correction;
    in the case of a request described in subsection (d) of such section, by deleting, de-identifying, or returning to the covered entity any relevant personal data held by, and reasonably accessible to, the service provider, and providing the covered entity with notice of such action; or
    informing the covered entity that—
      the service provider does not hold any personal data related to the request;
      the service provider cannot reasonably access any personal data related to the request; or
      complying with the request would be inconsistent with a legal requirement to which the service provider is subject.

Except as otherwise required by law, as soon as practicable after the completion of the service or function for which a service provider collected or processed personal data on behalf of a covered entity, the service provider shall delete, de-identify, or return to the covered entity all such personal data.

  (i) Subject to clause (ii), a service provider shall make available to a covered entity on whose behalf the service provider collects or processes personal data information necessary to demonstrate the service provider's compliance with subparagraph (A).
  (ii) If the information described in clause (i) is not technically available to a service provider, the service provider may comply with clause (i) by providing the covered entity with a written representation stating that the service provider is in compliance with subparagraph (A).

A service provider that is collecting or processing personal data on behalf of a covered entity shall not employ a subcontractor to carry out or assist in such collection or processing unless—
  the service provider has provided the covered entity with an opportunity to object to the use of such subcontractor; and
  the subcontractor is subject (pursuant to an agreement between the service provider and the subcontractor) to the same requirements and obligations as the service provider with respect to the collection and processing of the personal data.

In determining whether a service provider has acted reasonably in complying with this subsection, the Commission shall take into account—
  the size, complexity, and resources of the service provider and whether the service provider is a small business; and
  the risk of harm reasonably expected to occur as a result of the service provider not complying with this subsection.