Processors' Responsibilities

What is a Processor?

A processor is any person or entity that processes personal data on behalf of a controller.

Processor’s Responsibility to Respond to Consumer Requests:

As of January 1st, 2025, processors are required to take certain steps to help consumers maintain control over their personal data. Processors are responsible for assisting controllers in meeting the controller’s duties under the Data Privacy Act. Processors are required to:

  • Assist the controller in responding to consumer rights requests 
  • Assist the controller in complying with the security requirements of processing personal data 
  • Assist the controller in complying with the notification requirements of a breach of security of the processor's system
  • Provide necessary information to enable the controller to conduct and document statutory data protection assessments

Processors and controllers shall have a contract that governs the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall:

  • Provide clear instructions on how the processor is to process data
  • Define the nature and purpose of the data being processed
  • Define the type of data that is subject to processing
  • Define the duration of processing
  • Define the rights and obligations of both parties with regard to the protection of the data being processed

Processors are also required to:

  • Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data
  • At the controller's direction, delete or return all personal data to the controller, unless retention of the personal data is required by applicable law
  • Make available to the controller all information in the processor's possession necessary to demonstrate the processor's compliance with the requirements of the Data Privacy Act
  • Allow, and cooperate with, reasonable assessments to determine if the processor's policies and technical and organizational measures are in compliance with the requirements under the Data Privacy Act
  • Ensure that subcontractor entities, engaged pursuant to a written contract, meet the requirements of the processor with respect to the processing of personal data

Processors and controllers share the liability imposed on each role based on the processing relationship, as described under the Data Privacy Act.