4 Colo. Code Regs. § 904-3-6.11

Current through Register Vol. 47, No. 20, October 25, 2024
Section 4 CCR 904-3-6.11 - DOCUMENTATION CONCERNING DUTIES OF CONTROLLERS
A. Controllers shall maintain records of all Consumer Data Rights requests made pursuant to C.R.S. § 6-1-1306 for at least twenty-four (24) months. Such records shall include, at a minimum, each of the following:
1. The date of request;
2. The Consumer Data Rights request type;
3. The date of the Controller's response;
4. The nature of the Controller's response;
5. The basis for the denial of the request if the request is denied in whole or in part; and
6. The existence and resolution of any Consumer appeal to a denied request.
B. Controllers shall maintain a record of all Data Rights requests made pursuant to C.R.S. § 6-1-1306 with which the Controller has previously complied. Such records shall be retained for at least twenty-four (24) months and shall be made available at the completion of a merger, acquisition, bankruptcy, or other transaction in which a Third Party assumes control of Personal Data to ensure any new Controller continues to recognize the Consumer's previously exercised Data Rights.
C. Controllers shall maintain documents sufficient to demonstrate compliance with 4 CCR 904-3, Rules 6.07, 6.08, and 7.06 for as long as the Processing activity continues, and for at least twenty-four (24) months after the conclusion of Processing activity.
D. Required records shall be maintained in a readable format, appropriate to the sophistication and size of the Controller's business.
E. The Controller shall implement and maintain reasonable security procedures and practices, consistent with 4 CCR 904-3, Rule 6.09, in maintaining all required records.
F. Personal Data maintained pursuant to this 4 CCR 904-3, Rule 6.11, where that information is not used for any other purpose, shall not be subject to Data Rights requests.
G. Personal Data maintained for required documentation shall not be used for any other purpose except as reasonably necessary for the business to review and modify its processes for compliance with the Colorado Privacy Act, C.R.S. § 6-1-1301, et seq., and these rules. Personal Data maintained for required documentation shall not be shared with any Third Party except as necessary to comply with a legal obligation or as part of a merger, acquisition, bankruptcy, or other transaction in which a Third Party assumes control of Personal Data.
H. Other than as required by this subsection and 4 CCR 904-3, Rule 4.06, a Controller is not required to retain Personal Data solely for the purpose of fulfilling a Data Rights request made under the Colorado Privacy Act, C.R.S. § 6-1-1301, et seq.

4 CCR 904-3-6.11

46 CR 06, March 25, 2023, effective 7/1/2023