
H.R. 8818, 118th Congress (Introduced in House): To provide Americans with foundational data privacy rights, create strong oversight mechanisms, and establish meaning... · Sec. 111

Sec. 111. Service providers and third parties



A service provider that collects, processes, retains, or transfers covered data on behalf of or at the direction of a covered entity or another service provider—
- shall adhere to the instructions of the covered entity or other service provider and collect, process, retain, or transfer covered data only to the extent necessary, proportionate, and limited to provide a service requested by the covered entity or other service provider, as set out in the contract described in paragraph (2);
- may not collect, process, retain, or transfer covered data if the service provider has actual knowledge that the covered entity or other service provider violated this title with respect to such data;
- shall assist the covered entity or other service provider in fulfilling the obligations of the covered entity or other service provider to respond to consumer rights requests pursuant to this title by—
  - providing appropriate technical and organizational support, taking into account the nature of the processing and the information reasonably available to the service provider; or
  - fulfilling a request by the covered entity or other service provider to execute a consumer rights request that the covered entity or other service provider has determined should be complied with, by either—
    - complying with the request pursuant to the instructions of the covered entity or other service provider; or
    - providing written verification to the covered entity or other service provider that the service provider does not hold data related to the request, that complying with the request would be inconsistent with the legal obligations of the service provider, or that the request falls within an exception pursuant to this title;
- shall, upon the reasonable request of the covered entity or other service provider, make available to the covered entity or other service provider all information necessary to demonstrate the compliance of the service provider with the requirements of this title;
- shall delete or return, as directed by the covered entity or other service provider, all covered data as soon as practicable after the contractually agreed upon end of the provision of services, unless the retention by the service provider of covered data is required by law;
- may engage another service provider for purposes of processing or retaining covered data on behalf of the covered entity or other service provider only after exercising reasonable care in selecting another service provider as required by subsection (d), providing the covered entity or other service provider with written notice of the engagement, and entering into a written contract that requires the other service provider to satisfy the requirements of this title with respect to covered data; and
- shall—
  - allow and cooperate with reasonable assessments by the covered entity or other service provider at least annually; or
  - arrange for a qualified and independent assessor to conduct an assessment of the policies and technical and organizational measures of the service provider in support of the obligations of the service provider under this title at least annually, using an appropriate and accepted control standard or framework and assessment procedure for such assessments, and report the results of such assessment to the covered entity or other service provider.

An entity may only operate as a service provider pursuant to a contract between a covered entity and a service provider. Such contract—
- shall govern the data processing procedures of the service provider with respect to any collection, processing, retention, or transfer performed on behalf of the covered entity;
- shall clearly set forth—
  - instructions for collecting, processing, retaining, or transferring data;
  - the nature and purpose of the collection, processing, retention, or transfer;
  - the type of data subject to collection, processing, retention, or transfer;
  - the duration of the processing or retention; and
  - the rights and obligations of both parties;
- may not relieve the covered entity or service provider of any obligation under this title; and
- shall prohibit—
  - the collection, processing, retention, or transfer of covered data in a manner that does not comply with the requirements of paragraph (1); and
  - combining covered data that the service provider receives from or on behalf of a covered entity with covered data that the service provider receives from or on behalf of another entity or collects from the interaction of the service provider with an individual, unless such combining is necessary for a purpose described in section 102(d), other than a purpose described in paragraph (7), (14), (15), or (16) of such section, and is otherwise permitted under the contract.

A third party may not process, retain, or transfer third-party data for a purpose other than—
- in the case of sensitive covered data—
  - except as provided in clause (ii), a purpose for which an individual gave affirmative express consent pursuant to subsection (b) or (c) of section 102; or
  - in the case of sensitive covered data with respect to which affirmative express consent is not required pursuant to subsection (b) of section 102, a purpose for which the covered entity or service provider made a disclosure pursuant to section 104; or
- in the case of covered data that is not sensitive covered data, a purpose for which the covered entity or service provider made a disclosure pursuant to section 104.

Before transferring covered data to a third party, a covered entity or service provider shall enter into a contract with the third party that—
- identifies the purposes for which covered data is being transferred;
- specifies that the third party may only use the covered data for such purposes;
- with respect to the covered data transferred, requires the third party to comply with all applicable provisions of, and regulations promulgated under, this title;
- requires the third party to notify the covered entity or service provider if the third party makes a determination that the third party can no longer meet the obligations of the third party under this title; and
- grants the covered entity or service provider the right, upon notice (including under subparagraph (D)), to take reasonable and appropriate steps to stop and remediate unauthorized use of covered data by the third party.

With respect to a violation of this title by a service provider or third party regarding covered data received by the service provider or third party from a covered entity or another service provider, the covered entity or service provider that transferred such covered data may not be considered to be in violation of this title if the covered entity or service provider transferred the covered data in compliance with the requirements of this title and, at the time of transferring such covered data, did not have actual knowledge, or reason to believe, that the service provider or third party to which the covered data was transferred intended to violate this title.

A covered entity or service provider that transfers covered data to a service provider or third party and has actual knowledge, or reason to believe, that such service provider or third party is violating, or is about to violate, the requirements of this title shall immediately cease the transfer of covered data to such service provider or third party.

An entity that collects, processes, retains, or transfers covered data in compliance with the requirements of this title may not be considered to be in violation of this title as a result of a violation by an entity from which it receives, or on whose behalf it collects, processes, retains, or transfers, covered data.

A covered entity or service provider shall exercise reasonable care in selecting a service provider. A covered entity or service provider shall exercise reasonable care in deciding to transfer covered data to a third party. Not later than 2 years after the date of the enactment of this Act, the Commission shall publish guidance regarding compliance with this subsection.

Solely for purposes of this section, the requirements under this section for service providers to contract with, assist, and follow the instructions of covered entities shall also apply to any entity that collects, processes, retains, or transfers covered data for the purpose of performing services on behalf of, or at the direction of, a government entity, as though such government entity were a covered entity.