SECTION 899-GG
Processors
General Business (GBS) CHAPTER 20, ARTICLE 39-FF
* § 899-gg. Processors. 1. Except as provided for in section eight
hundred ninety-nine-jj of this article, no operator or processor shall
disclose the personal data of a covered user to a third party, or allow
the processing of the personal data of a covered user by a third party,
without a written, binding agreement governing such disclosure or
processing. Such agreement shall clearly set forth instructions for the
nature and purpose of the processor's processing of the personal data,
instructions for using or further disclosing the personal data, and the
rights and obligations of both parties.
2. Processors shall process the personal data of covered users only
when permitted by the terms of the agreement pursuant to subdivision one
of this section, unless otherwise required by federal, state, or local
laws, rules, or regulations.
3. A processor shall, at the direction of the operator, dispose of,
destroy, or delete personal data, and notify any other processor to
which it disclosed the personal data of the operator's direction, unless
retention of the personal data is required by federal, state, or local
laws, rules, or regulations. The processor shall provide evidence of
such deletion to the operator within thirty days of the deletion
request.
4. A processor shall delete or return to the operator all personal
data of covered users at the end of its provision of services, unless
retention of the personal data is required by federal, state, or local
laws, rules, or regulations. The processor shall provide evidence of
such deletion to the operator within thirty days of the deletion
request.
5. An agreement pursuant to subdivision one of this section shall
require that the processor:
(a) process the personal data of covered users only pursuant to the
instructions of the operator, unless otherwise required by federal,
state, or local laws, rules, or regulations;
(b) assist the operator in meeting the operator's obligations under
this article. The processor shall, taking into account the nature of
processing and the information available to them, assist the operator by
taking appropriate technical and organizational measures, to the extent
practicable, for the fulfillment of the operator's obligation to delete
personal data pursuant to section eight hundred ninety-nine-ff of this
article;
(c) upon reasonable request of the operator, make available to the
operator all information in its possession necessary to demonstrate the
processor's compliance with the obligations in this section;
(d) allow, and cooperate with, reasonable assessments by the operator
or the operator's designated assessor for purposes of evaluating
compliance with the obligations of this article. Alternatively, the
processor may arrange for a qualified and independent assessor to
conduct an assessment of the processor's policies and technical and
organizational measures in support of the obligations under this article
using an appropriate and accepted control standard or framework and
assessment procedure for such assessments. The processor shall provide a
report of such assessment to the operator upon request; and
(e) notify the operator a reasonable time in advance before disclosing
or transferring the personal data of covered users to any further
processors, which may be in the form of a regularly updated list of
further processors that may access personal data of covered users.
* NB Effective June 20, 2025