Page 328 - GDPR and US States General Privacy Laws Deskbook
(g) Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or
deceptive activities, or any illegal activity;
(h) Preserve the integrity or security of systems or investigate, report, or prosecute those responsible for breaches of
system security;
(i) Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other
applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board or similar
independent oversight entity that determines:
(i) If the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;
(ii) Whether the expected benefits of the research outweigh the privacy risks; and
(iii) If the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including
any risks associated with reidentification; or
(j) Assist another controller, processor, or third party with any of the requirements under subdivision (1) of this section;
(2) Prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary
privilege under the laws of this state as part of a privileged communication;
(3) Impose a requirement on any controller or processor that adversely affects any right or freedom of any person, including
the right of free speech pursuant to the First Amendment to the Constitution of the United States;
(4) Require a controller, processor, third party, or consumer to disclose a trade secret;
(5) Apply to the processing of personal data by any individual in the course of a purely personal or household activity; or
(6) Prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary
privilege as part of a privileged communication.
Sec. 27.
(1) The requirements imposed on any controller or processor under the Data Privacy Act shall not restrict a controller’s or
processor’s ability to collect, use, or retain data to:
(a) Conduct internal research to develop, improve, or repair products, services, or technology;
(b) Effect a product recall;
(c) Identify and repair technical errors that impair existing or intended functionality; or
(d) Perform internal operations that:
(i) Are reasonably aligned with the expectations of the consumer;
(ii) Are reasonably anticipated based on the consumer’s existing relationship with the controller; or
(iii) Are otherwise compatible with processing data in furtherance of the provision of a product or service specifically
requested by a consumer or the performance of a contract to which the consumer is a party.
(2) A requirement imposed on a controller or processor under the Data Privacy Act shall not apply if compliance with the
requirement by the controller or processor, as applicable, would violate an evidentiary privilege under any law of this state.
328 | Nebraska Data Privacy Act