C.R.S. Section 6-1-1305
Responsibility according to role


(1)

Controllers and processors shall meet their respective obligations established under this part 13.

(2)

Processors shall adhere to the instructions of the controller and assist the controller to meet its obligations under this part 13. Taking into account the nature of processing and the information available to the processor, the processor shall assist the controller by:

(a)

Taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller’s obligation to respond to consumer requests to exercise their rights pursuant to section 6-1-1306;

(b)

Helping to meet the controller’s obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 6-1-716; and

(c)

Providing information to the controller necessary to enable the controller to conduct and document any data protection assessments required by section 6-1-1309. The controller and processor are each responsible for only the measures allocated to them.

(3)

Notwithstanding the instructions of the controller, a processor shall:

(a)

Ensure that each person processing the personal data is subject to a duty of confidentiality with respect to the data; and

(b)

Engage a subcontractor only after providing the controller with an opportunity to object and pursuant to a written contract in accordance with subsection (5) of this section that requires the subcontractor to meet the obligations of the processor with respect to the personal data.

(4)

Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures.

(5)

Processing by a processor must be governed by a contract between the controller and the processor that is binding on both parties and that sets out:

(a)

The processing instructions to which the processor is bound, including the nature and purpose of the processing;

(b)

The type of personal data subject to the processing, and the duration of the processing;

(c)

The requirements imposed by this subsection (5) and subsections (3) and (4) of this section; and

(d)

The following requirements:

(I)

At the choice of the controller, the processor shall delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;

(II)

Intentionally left blank —Ed.

(A)

The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations in this part 13; and

(B)

The processor shall allow for, and contribute to, reasonable audits and inspections by the controller or the controller’s designated auditor. Alternatively, the processor may, with the controller’s consent, arrange for a qualified and independent auditor to conduct, at least annually and at the processor’s expense, an audit of the processor’s policies and technical and organizational measures in support of the obligations under this part 13 using an appropriate and accepted control standard or framework and audit procedure for the audits as applicable. The processor shall provide a report of the audit to the controller upon request.

(6)

In no event may a contract relieve a controller or a processor from the liabilities imposed on them by virtue of its role in the processing relationship as defined by this part 13.

(7)

Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data are to be processed. A person that is not limited in its processing of personal data pursuant to a controller’s instructions, or that fails to adhere to the instructions, is a controller and not a processor with respect to a specific processing of data. A processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, it is a controller with respect to the processing.

(8)

Intentionally left blank —Ed.

(a)

A controller or processor that discloses personal data to another controller or processor in compliance with this part 13 does not violate this part 13 if the recipient processes the personal data in violation of this part 13, and, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation.

(b)

A controller or processor receiving personal data from a controller or processor in compliance with this part 13 as specified in subsection (8)(a) of this section does not violate this part 13 if the controller or processor from which it receives the personal data fails to comply with applicable obligations under this part 13.

Source: Section 6-1-1305 — Responsibility according to role, https://leg.colorado.gov/sites/default/files/images/olls/crs2023-title-06.pdf (accessed Oct. 20, 2023).


Current through Fall 2024
