(1) A controller or processor that discloses personal data to a third-party controller or processor in compliance with the requirements of this part does not violate this part if the third-party controller or processor that receives and processes that personal data violates this part, provided that, at the time of the data’s disclosure, the disclosing controller or processor could not have reasonably known that the recipient intended to commit a violation.
(2) A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this part may not be held liable for violations of this part committed by the controller or processor from which the third-party controller or processor receives the personal data.
