(1) A controller or processor that discloses personal data to a third-party controller or processor, in compliance with any requirement of the Data Privacy Act, does not violate the Data Privacy Act if the third-party controller or processor that receives and processes that personal data is in violation of the Data Privacy Act, if at the time of the data's disclosure the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation.

(2) A third-party controller or processor that receives personal data from a controller or processor in compliance with the requirements of the Data Privacy Act does not violate the Data Privacy Act for the transgressions of the controller or processor from which the third-party controller or processor received the personal data.