30-14-2818. Responsibility according to role -- processing data of minors. (1) A processor shall adhere to the instructions of a controller and shall assist the controller to meet the controller's obligations under 30-14-2811 and 30-14-2819, taking into account the nature of the processing and the information available to the processor. The processor shall assist the controller by:

(a) taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligations under 30-14-2811; and

(b) providing information to enable the controller to conduct and document data protection assessments pursuant to 30-14-2819.

(2) A contract between a controller and a processor must satisfy the requirements of 30-14-2813(2).

(3) Nothing in this section may be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of the controller's or processor's role in the processing relationship as described in 30-14-2811 and 30-14-2819.

(4) Determining whether a person is acting as a controller or processor with respect to a specific processing of personal data is a fact-based determination that depends on the context in which personal data is to be processed. A person that is not limited in the person's processing of personal data pursuant to a controller's instructions or that fails to adhere to the instructions is a controller and not a processor with respect to a specific processing of personal data. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to the processing and may be subject to an enforcement action under 30-14-2817.