Minnesota Consumer Data Privacy Act (“MCDPA”)
Information for Businesses •
Controller Responsibilities •
Processor Responsibilities •
Exemptions •
Criteria
Processor – Controller Contracts
Controllers may (and often do) hire processors, third parties who process personal data on behalf of controllers. You can read more about controllers and their responsibilities here, or about processors and their responsibilities here.
The Act mandates certain provisions in contracts between controllers and processors with which you must comply if you enter into such an arrangement. Specifically, those contracts must:
- Govern the processor’s data processing procedures with respect to processing performed on behalf of the controller;
- Be binding on both parties;
- Clearly set forth instructions for processing data;
- Clearly set forth the nature and purpose of processing;
- Clearly set forth the type of data subject to processing;
- Clearly set forth the duration of processing;
- Clearly set for the rights and obligations of both parties;
- Require that the processor ensure that each person processing the personal data is subject to a duty of confidentiality with respect to the data;
- Require that the processor engage a subcontractor only after providing the controller with an opportunity to object, and only pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data (i.e., the obligations of the subcontractor mirror those of the processor to the controller);
- Include provisions sufficient to ensure that, at the choice of the controller, the processor shall delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
- Include provisions sufficient to ensure that, upon a reasonable request from the controller, the processor shall make available to the controller all information necessary to demonstrate compliance with the obligations in the Act; and
- Include provisions sufficient to ensure that the processor may be assessed. For more detail on this last requirement, see Minnesota Statutes section 325M.13(e)(3).
Disclaimer: The Attorney General’s Office (“AGO”) is providing this page as a rough guide to explore rights and obligations pursuant to the Act. In many instances, this website simplifies or rewords the provisions of the Act for comprehension and readability. The website is not intended to provide guidance as to how the AGO would enforce the Act. It is not the AGO’s intention to provide any information on this website that would conflict with the Act. The AGO offers this website as a tool for exploring the Act, but nothing on this site should be construed as legal advice for interpreting the Act or how the Act might be enforced.
