Maryland Code § CL-14-4712

Section CL-14-4712
(a) Nothing in this subtitle may be construed to restrict a controller's or
processor's ability to:
(1) Comply with federal, State, or local laws or regulations;
(2) Comply with a civil, criminal, or regulatory inquiry, investigation,
subpoena, or summons by a federal, State, local, or other governmental authority;
(3) Cooperate with law enforcement agencies concerning conduct or
activity that the controller or processor reasonably and in good faith believes may
violate federal, State, or local laws or regulations;
(4) Investigate, establish, exercise, prepare for, or defend a legal
claim;
(5) Provide a product or service specifically requested by a consumer;
(6) Perform under a contract to which a consumer is a party,
including fulfilling the terms of a written warranty;
(7) Take steps at the request of a consumer before entering into a
contract;
(8) Take immediate steps to protect an interest that is essential for
the life or physical safety of a consumer or another individual and when the
processing cannot be manifestly based on another legal basis;
(9) Prevent, detect, protect against, investigate, prosecute those
responsible, or otherwise respond to a security incident, identity theft, fraud,
harassment, malicious or deceptive activity, or any other type of illegal activity;
(10) Preserve the integrity or security of systems; or
(11) Assist another controller, processor, or third party with an
obligation under this subtitle.
(b) (1) This subsection does not apply to an obligation required under §
14-4711 of this subtitle.
(2) An obligation imposed on a controller or processor under this
subtitle may not restrict a controller's or processor's ability to collect, use, or retain
personal data for internal use to:
(i) Effectuate a product recall;
(ii) Identify and repair technical errors that impair existing or
intended functionality; or
(iii) Perform internal operations that are:
1. Reasonably aligned with the expectations of the
consumer or can be reasonably anticipated based on the consumer's existing
relationship with the controller; or
2. Otherwise compatible with processing data in
furtherance of:
A. The provision of a product or service specifically
requested by a consumer; or
B. The performance of a contract to which the
consumer is a party.
(c) (1) An obligation imposed on a controller or a processor under this
subtitle does not apply when compliance by the controller or processor with the
subtitle would violate an evidentiary privilege under State law.
(2) Nothing in this subtitle may be construed to prevent a controller
or processor from providing personal data concerning a consumer to a person covered
by an evidentiary privilege under State law as part of a privileged communication.
(d) (1) A controller or processor that discloses personal data to a
processor or a third-party controller in compliance with this subtitle is not in
violation of this subtitle if the processor or third-party controller that receives the
personal data violates this subtitle and:
(i) at the time the disclosing controller or processor disclosed
the personal data, the disclosing controller or processor did not have actual
knowledge that the receiving processor or third-party controller would violate this
subtitle; and
(ii) the disclosing controller was, and remained, in compliance
with its obligations as the discloser of the personal data.
(2) A third-party controller or processor that receives personal data
from a controller or processor in compliance with this subtitle is not in violation of
this subtitle for the independent misconduct of the controller or processor from which
the third-party controller or processor received the personal data.
(e) Nothing in this subtitle may be construed to:
(1) Impose an obligation on a controller or a processor that adversely
affects the rights or freedoms of any person, including the rights of a person to
freedom of speech or freedom of the press as guaranteed in the First Amendment to
the U.S. Constitution; or
(2) Apply to a person's processing of personal data during the
person's personal or household activities.
(f) If a controller or processor processes personal data in accordance with
an exemption under this section, the controller or processor shall demonstrate that
the processing:
(1) Qualifies for an exemption; and
(2) Complies with the requirements of subsection (g) of this section.
(g) Personal data processed by a controller or processor in accordance with
this section:
(1) Shall be subject to reasonable administrative, technical, and
physical measures to:
(i) Protect the confidentiality, integrity, and accessibility of
the personal data; and
(ii) Reduce reasonably foreseeable risks of harm to consumers
relating to the collection, use, or retention of personal data; and
(2) May be processed to the extent that the processing is:
(i) Reasonably necessary and proportionate to the purposes
listed in this section; and
(ii) Adequate, relevant, and limited to what is necessary in
relation to the specific purposes listed in this section.
(h) A person that processes personal data for a purpose expressly identified
in this section may not be considered a controller solely based on the processing of
personal data.
