Minnesota Consumer Data Privacy Act (“MCDPA”)
Processors
A processor is an entity that processes personal data on behalf of a controller. Practically speaking, a processor is generally going to be a third party that a controller has hired to collect and process data for that controller. Processors don’t get to determine the purpose and means of processing by themselves—that’s dictated by the controller—but numerous controller responsibilities may be delegated to a processor.
The Act recognizes that the line between controller and processor can be highly contextual. The Act specifically notes that a person that is not limited in their processing of personal data pursuant to a controller’s instructions, or a person that fails to adhere to a controller’s instructions, may be considered a controller. Similarly, if a person is in the position to determine (alone or jointly) the purpose and means of processing, that person may be considered a controller.
Accordingly, processors should be aware of the responsibilities and requirements the Act places on controllers. You can read about the responsibilities and requirements on controllers here, and more about the required contents of a contract between a processor and a controller here. The Act also contains several requirements specific to processors, mostly dealing with how processors must be responsive to their affiliated controllers.
Duties of Processors
- Adhere to the instructions of the controller;
- Assist the controller in meeting the controller’s obligations under the Act including, among other things, the security of processing personal data and providing notifications upon breach of the security of the system used to protect personal data;
- Work with the controller to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed by the processing to be carried out;
- Provide information to the controller necessary to enable the controller to conduct and document any data privacy and protection assessments;
- Establish a clear allocation of the responsibilities between the controller and the processor to implement technical and organizational measures;
- At the controller’s behest, delete or return all personal data as requested at the end of the provisioning of the processor’s services, unless retention is required by law;
- Upon reasonable request from the controller, make available to the controller all information necessary to demonstrate compliance with the Act; and
- Allow for and contribute to reasonable assessments and inspections by the controller, the controller’s assessor, or an assessor further described in the Act.
Disclaimer: The Attorney General’s Office (“AGO”) is providing this page as a rough guide to explore rights and obligations pursuant to the Act. In many instances, this website simplifies or rewords the provisions of the Act for comprehension and readability. The website is not intended to provide guidance as to how the AGO would enforce the Act. It is not the AGO’s intention to provide any information on this website that would conflict with the Act. The AGO offers this website as a tool for exploring the Act, but nothing on this site should be construed as legal advice for interpreting the Act or how the Act might be enforced.