1. Governing Texts

1.1. Legislation

The Consumer Data Protection Act ('CDPA'), which is due to enter into force on 1 January 2023.

1.2. Regulatory authority guidance

The Attorney General of Virginia ('AG') has not yet issued any guidance.

1.3. Regulatory authority templates

Not applicable.

2. Definitions

Data controller: The natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data (§59.1-571 of the CDPA).

Data processor: A natural or legal entity that processes personal data on behalf of a controller (§59.1-571 of the CDPA).

In relation to the concepts of data controller and data processor, the CDPA provides that determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. In this regard, a processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor (§59.1-575(D) of the CDPA).

3. Contractual Requirements

3.1. Are there requirements for a contract to be in place between a controller and processor?

Yes, in accordance with §59.1-575(B) of the CDPA, a contract between a controller and a processor must be in place to govern the processor's data processing procedures with respect to processing performed on behalf of the controller.

3.2. What content should be included?

In accordance with §59.1-575(B) of the CDPA, the contract between the controller and processor will be binding and must clearly set forth:

• instructions for processing data;
• the nature and purpose of processing;
• the type of data subject to processing;
• the duration of processing; and 
• the rights and obligations of both parties. 

The contract must also include requirements that the processor must (§59.1-575(B) of the CDPA): 

• ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; 
• at the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; 
• upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in the CDPA; 
• allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor; alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organisational measures in support of the obligations under the CDPA using an appropriate and accepted control standard or framework and assessment procedure for such assessments;
• provide a report of such assessment to the controller upon request; and 
• engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data.

4. Data Subject Rights Handling & Assistance

4.1. Are processors required to assist controllers with handling of data subject requests?

Under §59.1-575(A)(1) of the CDPA, data processors must adhere to the instructions of a controller and assist the controller in meeting its obligations under the CDPA, where such assistance includes responding to consumer rights requests.

For more information, see Virginia – Data Subject Rights.

5. Processor Recordkeeping

5.1. Are processors required to keep records of their processing activities?

The CDPA does not expressly provide for record keeping requirements. However, under §59.1-575(B)(3) of the CDPA, processors must, upon the reasonable request of the controller, make available to the controller all information in their possession necessary to demonstrate the processor's compliance with the obligations under the CDPA.

6. Security Measures

6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?

Under §59.1-575(A)(2) of the CDPA, data processors must adhere to the instructions of a controller and assist the controller in meeting its obligations under the CDPA, where such assistance includes helping the controller meet its obligations in relation to the security of processing the personal data.

However, the CDPA does not provide for specific security measures to be implemented by processors.

7. Breach Notification

7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?

The CDPA does not provide for data breach notification requirements. Instead, §59.1-575(A)(2) of the CDPA notes that a data processor must assist the controller, which includes meeting the controller's obligations in relation to the notification of a breach of security of the system of the processor pursuant to Virginia's breach notification statute under §18.2-186.6 of Article 5 of Chapter 6 of Title 18.2 of the Code of Virginia.

For more information, see Virginia – Data Breach.

8. Subprocessor

8.1. Are subprocessors regulated? If so, what obligations are imposed?

Under §59.1-575(B)(5) of the CDPA, and with respect to the requirements of a contract between a controller and processor, the contract must also include requirements that the processor must engage any subcontractor pursuant to a written contract in accordance with §59.1-575(C) of the CDPA which requires the subcontractor to meet the obligations of the processor with respect to the personal data.

9. Cross-Border Transfers

9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?

The CDPA does not expressly provide for requirements around data transfers.

10. Regulatory Assistance

10.1. Are processors required to assist controllers with regulatory investigations?

Under §59.1-575(B)(4) of the CDPA, processors must allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organisational measures in support of the obligations under the CDPA using an appropriate and accepted control standard or framework and assessment procedure for such assessments, and to provide a report of such assessment to the controller upon request.

In addition, and more generally, nothing in the CDPA must be construed to restrict a controller's or processor's ability to comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities (§59.1-578(A)(2) of the CDPA).

11. Processor DPO / Representative

11.1. Are processors required to appoint a DPO / representative?

The CDPA does not expressly provide for requirements regarding the appointment of a data protection officer.

12. Supervision & Monitoring

12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?

As provided above, processors must allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or may otherwise arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organisational measures (§59.1-575(B)(4) of the CDPA) (see section 10.1. above).

Authored by OneTrust DataGuidance.

DataGuidance's Privacy Analysts carry out research regarding global privacy developments, and liaise with a network of lawyers, authorities and professionals to gain insight into current trends. The Analyst Team work closely with clients to direct their research for the production of topic-specific Charts.