Code of Alabama

Ala. Code § 8-44-8 (2026)

Section 8-44-8

✓ official Alabama Legislature (ALISON) text, current July 2026
Find cases: SyfertCases citing this section JustiaAla. Code CornellLII Search CasesGoogle Scholar

(a) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller’s obligations under this chapter, considering the nature of processing and the information available to the processor, including, but not limited to, both of the following:

(1) Maintaining appropriate and reasonably practical technical and organizational measures to support the fulfillment of the controller’s obligation to respond to consumer rights requests.

(2) Assisting the controller in meeting the controller’s obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security of the system of the processor to meet both the controller’s and the processor’s obligations.

(b)(1) A contract between a controller and a processor shall govern the processor’s data processing obligations with respect to processing performed on behalf of the controller.

(2) The contract shall:

a. Be binding;

b. Clearly set forth instructions for processing data;

c. Clearly set forth the nature and purpose of the processing;

d. Clearly set forth the type of data subject to processing;

e. Clearly set forth the duration of processing; and

f. Clearly set forth the rights and obligations of both parties.

(3) The contract, taking into account the nature of the processing, the relationship between the parties, and other factors, shall also require the processor to:

a. Ensure that each processor of personal data is subject to a duty of confidentiality with respect to the personal data;

b. Delete or return all personal data to the controller as requested at the end of the provision of services at the controller’s direction, unless retention of the personal data is required or permitted by law or the contract;

c. Make available to the controller all information in the processor’s possession necessary to demonstrate the processor’s compliance with the obligations of this chapter upon the reasonable request of the controller; and

d. Obligate any subcontractor processing personal data to meet the obligations of the processor with respect to the personal data.

(c) Nothing in this section may be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of the controller’s or processor’s role in the processing relationship as described in this chapter.

(d) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends on the following context in which personal data is to be processed:

(1) A person who is not limited in the processing of personal data pursuant to a controller’s instructions or who fails to adhere to a controller’s instructions is a controller and not a processor with respect to a specific processing of data.

(2) A processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal data remains a processor.

(3) If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to the processing and may be subject to an enforcement action under this chapter.

(Act 2026-552, §8.)