Delaware Department of Justice
Attorney General
Kathy Jennings

Fraud & Consumer Protection Division




The Delaware Personal Data Privacy Act protects Delawareans' personal data privacy.

Passed and signed into law in 2023, the Delaware Personal Data Privacy Act requires businesses to follow several important personal data privacy principles to help protect Delawareans’ personal data. The law will be enforced by the Delaware Department of Justice beginning January 1, 2025.

Review the site below for more information to help businesses prepare and check back for updates as we approach January 2025.

Read the law here

 

Does My Business Need to Comply with the Delaware Personal Data Privacy Act?

 

 

The Delaware Personal Data Privacy Act requires certain businesses in otherwise unregulated areas to adhere to important personal data privacy practices to help protect Delawareans' personal data. The law applies to both for-profit and non-profit businesses.

Some exemptions apply to some businesses with financial and health care data. If you believe an exemption might apply to your business, you should consult your legal counsel.

Even if your business does not fall under the law now because of its size, the Delaware Personal Data Privacy Act can still serve as a good guide for developing best practices to protect the personal data of your customers.

Infographic: a decision aid for determining whether your website collects personal data of Delaware residents.

What is personal data?

  • Name or nickname
  • Address
  • Email address
  • Device IDs for your computer, phone, or car
  • Precise location data
  • Unique identifier

What is sensitive personal data?

  • Racial or ethnic origin
  • Religious beliefs
  • Health information
  • Sex life and orientation
  • Transgender or nonbinary status
  • Citizenship and immigration status


What do businesses need to do to protect personal data?

 

Delaware’s Personal Data Privacy Act gives businesses the freedom to use personal data necessary to run their businesses while giving Delawareans more information about how their information is used and tools to better protect it.

The requirements on business are proportionate and follow the best practices for personal data privacy across America and around the globe.

 

Key Personal Data Privacy Principles

  • Transparency
  • Data Minimization
  • Security
  • Accountability

To assess its obligations, a business must first determine whether it is a Controller or a Processor. If your business decides how to collect or use an individual's personal information, you are most likely a Controller. If you only store or process information at the direction of another person or business, you are probably a Processor.


Controllers decide what personal information is collected and how it is used. Accordingly, Controllers have the most extensive obligations to help protect individuals’ personal data. These obligations can be divided into four broad categories.

Transparency

Businesses must provide a reasonably accessible, clear, and meaningful Privacy Policy.

The Privacy Policy must include:

  • Categories of personal data collected and processed
  • Purpose for collecting personal data
  • Information on how consumers can exercise their rights
  • Categories of data shared with third parties
  • Categories of third parties the information is provided to
  • Whether personal data is sold to third parties and, if so, what types
  • Contact information

Policies must also:

  • Conspicuously disclose the sale of personal information or its use for targeted advertising
  • Disclose and obtain consent for the collection of sensitive personal information
  • Tell consumers how to opt out of:
    • Sale of personal information
    • Targeted advertising
    • Profiling using automated decision making

Data Minimization

Delaware’s Personal Data Privacy Protection Act provides businesses the flexibility to identify business purposes to collect personal data. Those purposes must be identified in a Privacy Policy and businesses are limited to processing personal data for those purposes.

Additionally, once a purpose is identified, personal data may only be processed when it is reasonably necessary, proportionate, and relevant to the purpose.

In practical terms, businesses should inventory the personal data they collect, identify where it should be stored, decide who has access to it, and document how it may be used. This includes information the business controls that is held by third-party processors such as cloud storage providers. For more information about documenting the relationship between ‘controllers’ and ‘processors’.

The Delaware Personal Data Privacy Protection Act provides specific exceptions under which businesses may also use personal data, and in many of those cases the data minimization principles continue to apply.

Security

Businesses must ensure that reasonable data security measures are in place to prevent access to the information by external parties and by unauthorized individuals inside the business.

Accountability

  • Businesses must provide a clear and easy means of contact.
  • Businesses must follow an individual’s request to access, correct, or delete their personal data when required.
  • Businesses must honor individuals' requests to opt out of the sale of personal data, targeted advertising, or profiling using automated decision making.
  • Businesses must request consent to collect and process sensitive data and must allow individuals to just as easily revoke consent.
  • When a Delaware resident contacts a business about personal data, the business must respond promptly and in no case later than 45 days after the request.
  • Businesses must have an appropriate appeal process in place.
  • Businesses must inform Delawareans they can contact privacy@delaware.gov with any complaints or fill out this questionnaire.

Controller – Determines how to collect and use personal data

Processor – Processes or stores personal data on behalf of a Controller

Requirements for Controllers and Processors

  • The processor must strictly follow the controller's directions
  • The processor cannot use personal data for its own purposes
  • The relationship between controller and processor must be documented in a Data Processing Agreement
  • The processor must have adequate data protection systems
  • The processor must maintain the confidentiality of personal data
  • The processor must permit the controller to assess its systems
  • The processor must delete or return the data when the relationship terminates

 


Frequently Asked Questions

View Frequently Asked Questions

This site is intended for informational purposes only. You should contact your own attorney for legal advice. General questions and concerns may be directed by email to consumer.protection@delaware.gov. We may not respond to every request.

 



