N.Y.
General Business Law Section 899-GG
Processors
1.
Except as provided for in § 899-JJ (Protections for third-party operators)section eight hundred ninety-nine-jj of this article, no operator or processor shall disclose the personal data of a covered user to a third party, or allow the processing of the personal data of a covered user by a third party, without a written, binding agreement governing such disclosure or processing. Such agreement shall clearly set forth instructions for the nature and purpose of the processor’s processing of the personal data, instructions for using or further disclosing the personal data, and the rights and obligations of both parties.2.
Processors shall process the personal data of covered users only when permitted by the terms of the agreement pursuant to subdivision one of this section, unless otherwise required by federal, state, or local laws, rules, or regulations.3.
A processor shall, at the direction of the operator, dispose of, destroy, or delete personal data, and notify any other processor to which it disclosed the personal data of the operator’s direction, unless retention of the personal data is required by federal, state, or local laws, rules, or regulations. The processor shall provide evidence of such deletion to the operator within thirty days of the deletion request.4.
A processor shall delete or return to the operator all personal data of covered users at the end of its provision of services, unless retention of the personal data is required by federal, state, or local laws, rules, or regulations. The processor shall provide evidence of such deletion to the operator within thirty days of the deletion request.5.
An agreement pursuant to subdivision one of this section shall require that the processor:(a)
process the personal data of covered users only pursuant to the instructions of the operator, unless otherwise required by federal, state, or local laws, rules, or regulations;(b)
assist the operator in meeting the operator’s obligations under this article. The processor shall, taking into account the nature of processing and the information available to them, assist the operator by taking appropriate technical and organizational measures, to the extent practicable, for the fulfillment of the operator’s obligation to delete personal data pursuant to § 899-FF (Privacy protection by default)section eight hundred ninety-nine-ff of this article;(c)
upon reasonable request of the operator, make available to the operator all information in its possession necessary to demonstrate the processor’s compliance with the obligations in this section;(d)
allow, and cooperate with, reasonable assessments by the operator or the operator’s designated assessor for purposes of evaluating compliance with the obligations of this article. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of the obligations under this article using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the operator upon request; and(e)
notify the operator a reasonable time in advance before disclosing or transferring the personal data of covered users to any further processors, which may be in the form of a regularly updated list of further processors that may access personal data of covered users. * NB Effective June 20, 2025
Source:
Section 899-GG — Processors, https://www.nysenate.gov/legislation/laws/GBS/899-GG
(updated Jun. 28, 2024; accessed Dec. 21, 2024).