(d) A controller is not required to restrict processing of a consumer's personal data under this subsection if the controller is unable to verify, using commercially reasonable efforts, the identity of the consumer making the request.
(5) Records of processing activities. (a) A controller shall maintain records of processing of personal data conducted by the controller that contain all of the following information:
1. The controller's name and contact information.
2. The purpose of the processing.
3. An identification of the categories of personal data involved in the processing.
4. An identification of the categories of consumers whose personal data is involved in the processing.
5. If consent is provided for the processing, documentation of consent from consumers for the consumers' personal data to be processed.
6. The name and contact information of a person to whom the controller discloses personal data, and the purpose for the disclosure.
(b) A processor shall maintain records of processing of personal data conducted by the processor that contain all of the following:
1. The processor's name and contact information, and the name and contact information of the controller on behalf of which the processor is acting.
2. The categories of processing conducted on behalf of each controller.
(c) A controller or processor shall make records required under this subsection available to the department upon request.
(6) Applicability. (a) A controller or processor is not prohibited under this section from processing any of the following types of information:
1. Health information protected by the federal Health Insurance Portability and Accountability Act of 1996.
2. Information identifying a patient covered by 42 USC 290dd-2.
3. Information collected as part of research subject to the Federal Policy for the Protection of Human Subjects, 45 CFR part 46, or subject to 21 CFR parts 50 and 56.
4. Information and documents created specifically for and collected and maintained by a hospital.
5. Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 USC 11101 et seq.
6. Patient safety work product information for purposes of 42 USC 299b-21 to 299b-26.
7. Information maintained by a health care provider, a health care facility, or an entity covered by the federal Health Insurance Portability and Accountability Act of 1996.
8. Personal information provided to or from or held by a consumer reporting agency, as defined in s. 422.501 (1m), if the use of the information complies with the federal Fair Credit Reporting Act, 15 USC 1681 et seq.
9. Personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, P.L. 106-102.
10. Personal information collected, processed, sold, or disclosed pursuant to the federal Driver's Privacy Protection Act, 18 USC 2721 et seq.
11. Information maintained for employment records.
(b) This section does not apply to a consumer processing personal data in connection with a purely personal or household activity.
(c) This section does not apply to a controller that processes a consumer's personal data for literary or artistic purposes.
(d) This section does not apply to a controller that processes a consumer's personal data, that intends to publish the personal data, and that believes that publication of the personal data is in the public interest.
(7) Enforcement; penalties. (a) The attorney general may investigate violations of this section and may bring actions for enforcement of this section.
(b) 1. A controller or processor who violates sub. (5) shall be fined not more than $10,000,000 or not more than 2 percent of the controller's total annual revenue during the preceding financial year, whichever is greater.
2. A controller or processor who violates sub. (2), (3), or (4) shall be fined not more than $20,000,000 or not more than 4 percent of the controller's total annual revenue during the preceding financial year, whichever is greater.
3. A court may not impose in the same action more than one fine on a controller or processor under this paragraph unless the additional fine is imposed for a violation that does not involve the same or linked processing activities by the controller or processor.
Section 2. Effective date.
(1) This act takes effect on July 31, 2022.
(End)