Live Free or Die Legal
This website is not an official source of law. This website does not provide legal advice. For official legal materials, verify against the relevant court, legislature, agency, or other official source. Legal information may be incomplete, outdated, or incorrectly processed. Consult a qualified attorney for advice about a specific legal matter.

This RSA section is an unofficial mirror, is not legal advice, and may be incomplete, outdated, or incorrectly processed.

RSA 507-H:7 · Processor Responsibilities

Title
LII: ACTIONS, PROCESS, AND SERVICE OF PROCESS
Chapter
507-H · EXPECTATION OF PRIVACY
Status
current
Official source linked
Yes
Official source Copy section link

507-H:7 Processor Responsibilities. –

Copy link
I.

A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller's obligations under this chapter. Such assistance shall include:

Copy link
(a)

Taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as is reasonably practicable, to fulfill the controller's obligation to respond to consumer rights requests;

Copy link
(b)

Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security or of the system of the processor, in order to meet the controller's obligations; and

Copy link
(c)

Providing necessary information to enable the controller to conduct and document data protection assessments.

Copy link
II.

A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor:

Copy link
(a)

Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;

Copy link
(b)

At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;

Copy link
(c)

Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in this chapter;

Copy link
(d)

After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and

Copy link
(e)

Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter, using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request.

Copy link
III.

Nothing in this section shall be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of such controller's or processor's role in the processing relationship, as described in this chapter.

Copy link
IV.

Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. A person who is not limited in such person's processing of personal data pursuant to a controller's instructions, or who fails to adhere to such instructions, is a controller and not a processor with respect to a specific processing of data. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to such processing and may be subject to an enforcement action under RSA 507-H:11. Source. 2024, 5:1, eff. Jan. 1, 2025.

Copy link

Source note

Source. 2024, 5:1, eff. Jan. 1, 2025.

Source history

  • 2024, 5:1, eff. Jan. 1, 2025

Related materials

Bill relationships

  • 2026 HB1436 amend

    information they share subject to appropriate controls, so that it is legally and constitutionally their information. 3 New Subdivision; Privacy and Consumer Protection. Amend RSA 507-H by inserting after section 12 the following new subdivision: Privacy and Consumer Protection 507-H:13 Property Treatment of Personal Information. I. One who takes possession of and places the unpublished personal

  • 2026 HB1436-FN amend

    information they share subject to appropriate controls, so that it is legally and constitutionally their information. 3 New Subdivision; Privacy and Consumer Protection. Amend RSA 507-H by inserting after section 12 the following new subdivision: Privacy and Consumer Protection 507-H:13 Property Treatment of Personal Information. I. One who takes possession of and places the unpublished personal

  • 2026 HB1460 reference

    0 $0 Funding Source(s) None *Expenditure = Cost of bill *Appropriation = Authorized funding to cover cost of bill METHODOLOGY: This bill amends RSA 507-H (New Hampshire’s Data Privacy Law) to prohibit covered entities from selling the location or other sensitive data regarding children. The Department of Justice (DOJ) states this bill will result in an indeterminable

  • 2026 HB1460-FN reference · effective 2027-01-01

    0 $0 Funding Source(s) None *Expenditure = Cost of bill *Appropriation = Authorized funding to cover cost of bill METHODOLOGY: This bill amends RSA 507-H (New Hampshire’s Data Privacy Law) to prohibit covered entities from selling the location or other sensitive data regarding children. The Department of Justice (DOJ) states this bill will result in an indeterminable

  • 2026 HB1694 amend · effective 2027-01-01

    such personal data has been deleted and/or that the consumer has been opted out of any future collection or processing. 3 New Subdivision; Registration of Data Brokers. Amend RSA 507-H by inserting after section 12 the following new subdivision: Registration of Data Brokers 507-H:13 Definitions. In this subdivision: I. "Data broker" means a controller or processor that knowingly collects, agg

  • 2026 HB1694-FN amend · effective 2027-01-01

    such personal data has been deleted and/or that the consumer has been opted out of any future collection or processing. 3 New Subdivision; Registration of Data Brokers. Amend RSA 507-H by inserting after section 12 the following new subdivision: Registration of Data Brokers 507-H:13 Definitions. In this subdivision: I. "Data broker" means a controller or processor that knowingly collects, agg

  • 2025 HB2 reference

    deral laws, and shall not track or compile information without the credential holder’s actual consent. The division shall only compile and/or disclose information regarding use of the credential as required by RSA 507-H and other applicable state or federal laws. 263-A:6 Rulemaking. The commissioner of the department of safety shall adopt administrative rules under 541-A that are necessary for the management and operation of