Florida Data Processing Agreement Template
This Data Processing Agreement (“DPA”) forms part of the Contract for Services (“Principal Agreement”) between [Supplier.FirstName][Supplier.LastName][Supplier.Company] (the “Supplier”) and [Customer.FirstName][Customer.LastName][Customer.Company] (the “Customer”); collectively, the “Parties.”
1.1 Data Controller
“Data Controller” has the meaning set out in the Data Protection Laws.
1.2 Data Processor, Processing and Process
“Data Processor, Processing and Process” have the meaning set out in the Data Protection Laws.
1.3 Data Protection Agreement
“Data Protection Agreement” or “DPA” or “Agreement” means this Data Processing Agreement, including any and all subsequent amendments thereto, comprising the terms and conditions in the main body of this document, together with the schedules, the annexes and any attachments, and any documents expressly incorporated by reference;
1.4 Data Protection Laws
“Data Protection Laws” means any data protection laws applicable to processing of Personal Data contemplated by the Principal Agreement including, without limitation, in particular the European Union General Data Protection Regulation (“GDPR”) and any related decisions or guidelines and subsequent legislation of a similar nature, and all privacy, security, and data protection laws, rules, and regulations of any applicable jurisdiction including any jurisdiction in which the Services are being provided or the Personal Data is being processed and any jurisdiction from which Supplier or any Sub processor provides any of the Services or from which the Customer provides its products or services.
1.5 Data Subject
“Data Subject” means an individual to whom the Personal Data relates.
“EEA” means the European Economic Area.
Sub processor: a natural or legal person subcontracted to provide any part of the Services from a location outside the EEA.
Agreement: the standard contractual clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2016/679/EU.
“Sub-processor” any third party, but excluding an employee or consultant of Supplier or any of its sub-contractors) appointed by or on behalf of Supplier to Process Personal Data on behalf of Customer in connection with the Agreement.
2.1 Terms used in this DPA shall have the same meaning as defined in the Principal Agreement, unless defined differently herein.
3.1 If Supplier processes any Personal Data on the Customer's behalf when performing its obligations under the Principal Agreement, the parties record their intention that the Customer shall be the Data Controller and Supplier shall be the Data Processor.
4.1 Through the Customer’s use of the Services, the Customer decides what data to collect and how to use the information processed via the Services.
4.2 The Data Controller shall ensure that it is entitled to transfer the relevant Personal Data to Supplier and Supplier is entitled to transfer relevant Personal Data to its Sub-processors and third-party providers so that Supplier may lawfully use, process and transfer the Personal Data in accordance with the Principal Agreement on the Data Controller’s behalf.
4.3 The Data Controller shall, in its use of the Services, process Personal Data in accordance with the requirements of Data Protection Laws. The Data Controller shall ensure that Data Subjects and any relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer contemplated under the Principal Agreement and as required by all Data Protection Laws including the GDPR (where applicable) and other applicable laws, and the Data Controller must provide appropriate and sufficiently prominent notice to Data Subjects, and ensure that the processing is lawful with regard to the collection, use and disclosure of such Data Subject’s Personal Data, including, at a minimum, through the Data Controller’s privacy policies. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws.
4.4 Categories of data must not be uploaded to the Supplier Services unless required and the Data Controller is entirely responsible for ensuring that the data uploaded to the Supplier Services is adequate, relevant and not excessive.
Details of the processing contemplated under this DPA
5.1 The subject matter of the processing is: (Enter text here)
5.2 The duration of the processing is: (Enter text here)
5.3 Nature and purpose of the processing is: (Enter text here)
5.4 The type of Personal Data is: (Enter text here)
The categories of Data Subjects are: (Enter text here)
5.5 The obligations and rights of the Data Controller are as detailed in the GDPR.
5.6 Supplier may provide notice of change to these provisions where an update is required due to changes to the Services or changes required due to applicable Data Protection Laws, including the interpretation thereof.
Permitted Processing and Disclosure of Personal Data
6.1 Supplier must, and shall procure that its Sub-processors shall, process any Personal Data held in connection with the Principal Agreement only for the purposes of fulfilling its obligations under the Principal Agreement and in accordance with relevant documented instructions of the Customer (unless required to do so by a Union or member state law to which Supplier is subject; in such a case Supplier shall inform the Data Controller of that legal requirement before Processing, unless the law prohibits such information on important grounds of public interest). The Customer agrees to provide Supplier with clear documented instructions relating to Personal Data under this Agreement.
6.2 Supplier agrees to make reasonable efforts to assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the Processing and the information available to Supplier.
Data subject rights
7.1 Taking into account the nature of the Processing, Supplier shall assist Customer, by implementing appropriate technical and organisational measures, insofar as this is possible, to respond to requests to exercise Data Subjects rights under the Data Protection Laws.
7.2 Supplier shall (i) notify Customer without undue delay if Supplier receives a request from a Data Subject under any Data Protection Laws in respect of the Customer Personal Data; (ii) ensure that neither it nor a Sub-processor responds to that request except on the documented instructions of Customer or as required by applicable laws to which Supplier or Sub-processor is subject, in which case Supplier shall to the extent permitted by applicable laws inform Customer of that legal requirement before there is any response to the Data Subject request. To the extent legally permitted, Customer shall be responsible for any costs arising from Supplier’s provision of such assistance.
Security and Integrity of Personal Data
8.1 Supplier agrees to take appropriate technical and organisational measures (as described in the Principal Agreement) to ensure that the Personal Data Processed in connection with the Principal Agreement on behalf of the Customer will meet the requirements of Data Protection Laws and ensure the protection of the rights of the Data Subject.
8.2 Supplier shall, and shall procure that its Sub-processors shall, take all reasonable steps to ensure that Personal Data processed in connection with the Principal Agreement is processed in compliance with the obligations under Article 32 of the GDPR relating to security of processing.
Security Incident Notification
9.1 If Supplier becomes aware of any unauthorized or unlawful access to, or acquisition, alteration, use, disclosure, or destruction of Personal Data (“Security Incident”), Supplier will notify the Customer without undue delay. Supplier will also reasonably cooperate with Customer with respect to any investigations and with preparing potentially required notices, and provide any information reasonably requested by Customer in relation to the Security Incident.
10.1 Supplier will make available to the Customer all information necessary to demonstrate compliance with the data processing obligations laid down in these Revised Personal Data Terms including by allowing for and contributing to reasonable audits to determine Supplier’s compliance with its obligations under these Revised Personal Data Terms. These audits (of frequency of no more than once per year, except where there is reason to suspect a Security Incident may have occurred) may be conducted by the Customer, auditors mandated by the Customer, or public authorities in competent jurisdictions, subject to the Customer and its auditors (if relevant) undertaking reasonable and appropriate confidentiality obligations.
10.2 The scope of an audit will be limited to Supplier systems, processes and documentation relevant to the Processing and protection of Personal Data that is Customer Data.
11.1 Supplier shall, and shall procure that its Sub-processors shall, ensure that any persons to whom Supplier discloses Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality with respect to the Personal Data.
Appointment of sub processors
12.1 Supplier uses Salesforce as Supplier Sub-processors to provide this Service. These Supplier Sub-processors will not have access to the data processed via the Services, including relevant Personal Data, unless specifically consented to on a case by case basis by the Customer. These Sub processors are only permitted to Process this data for the purposes of providing their specifically contracted services to Supplier.
12.2 With respect to each Sub processor, Supplier shall ensure that it has entered into a written agreement with each such Sub processor and such written agreements contain data protection terms with respect to Processing of the Customer Data that meet the requirements of Article 28 (3) of the GDPR, to the extent those requirements are applicable to the nature of the Services provided by such Sub processor. For the avoidance of doubt, Supplier shall be liable for the acts and omissions of its Sub processors to the same extent Supplier would be liable if performing the services of each Sub processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
12.3 The Customer provides a general authorisation to Supplier to engage the Sub processors as are appointed on the date these Revised Personal Data Terms came into force.
12.4 Supplier will with thirty (30) days’ notice inform the Customer of any intended change in the Sub processors that will process Personal Data under the Principal Agreement and the Customer shall be entitled to make any objections hereto. If no objections have been received within ten (10) days, the proposed Sub processor shall be deemed accepted. If the Customer does not agree to the Sub processor, the parties shall attempt to settle the disagreement and if the parties cannot agree on the use of a Sub processor, Supplier may terminate the Service Level Agreement by providing written notice, such termination to take effect on the later of (i) the date on which Supplier will commence using the services of the relevant Sub processor in relation to the Services provided to the Customer or (ii) one (1) month after the date of the Customer’s written notice.
12.5 Supplier will:
make available to Customer a list of all Sub processors who are involved in processing or sub processing Personal Data in connection with the provision of the Services, (“Sub processor List”);
provide Customer with additional information about any Sub processor on the Sub processor List that Customer may reasonably request;
No transfer of Personal Data outside European Economic Area
13.1 Supplier will only transfer Personal Data processed through the Services outside the EEA on the Customer’s specific request. Customer Data processed outside the Services (e.g. where the Customer contacts Supplier by phone or email) may be transferred outside the EEA. Where the Customer does not wish to transfer Personal Data outside the EEA, the Customer must not include Personal Data in communications to Supplier made outside the Services.
13.2 All requests to transfer Personal Data outside the EEA must be made to us by email. In making the request the Customer confirms that an “adequate level of protection” or the provision of “appropriate safeguards” (as such respective terms are understood under Directive 95/46/EC or the GDPR or any subsequent legislation) is in place for the transfer to be effected in compliance with Data Protection Laws.
13.3 The Customer also confirms that the Customer will indemnify and hold harmless Supplier (and its respective employees, directors, officers, shareholders, attorneys, agents and representatives) from and against any and all claims, costs, losses, damages, judgments, penalties, interest and expenses (including reasonable legal fees and costs) arising out of any claim, action, audit, investigation, regulatory action, inquiry or other proceeding that arises out of or relates to the Customer’s failure to comply with any applicable laws and regulations in connection with the transfer of the Personal Data outside the EEA, including any applicable data protection legislation and its obligations as Data Controller. This indemnification obligation set forth herein shall survive the termination of this Agreement.
13.4 Supplier agrees to enter into a SCC Agreement with Customer where reasonably required to ensure an “adequate level of protection” or the provision of “appropriate safeguards” is in place for the transfer of any Personal Data outside the EEA.
13.5 The parties agree to cooperate where, due to changes in law or practice, an alternate data transfer mechanism is required to be put into operation to ensure an “adequate level of protection”.
Return of Personal Data
14.1 Immediately on termination or expiry of this Agreement, or otherwise on request by the Customer, Supplier must and shall procure that its Sub processors shall:
return all the Personal Data to the Customer; or
destroy all the Personal Data, in a manner agreed to by the Customer;
Unless a law binding on Supplier or its Sub processors prevents it from doing as requested.
14.2 The return or deletion shall be carried out in accordance with the procedures and timeframes specified in the Service Level Agreement. For the purposes of this clause 14, to effectively delete shall mean that the data is deleted in accordance with good industry practice so that Personal Data cannot be reconstructed using any known technology.
14.3 Supplier and its Sub processors may retain Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Supplier shall ensure the confidentiality of all such Personal Data and shall ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
Obligations independent of other provisions
15.1 The obligations contained in these Revised Personal Data Terms are without prejudice to Supplier's and/or Sub processors' other obligations under the Principal Agreement and apply notwithstanding any permitted use or disclosure of confidential information in this Agreement.
16.1 The costs of Supplier and its Sub processors to comply with their respective obligations as data processors under Data Protection Laws applicable in a specific jurisdiction shall be borne by Supplier and its Sub processors to the extent compliance with such obligations is necessary for Supplier and/or its Sub processors’ compliance with applicable Data Protection Laws in their role as data processors in the jurisdiction in question.
16.2 Notwithstanding Clause 16.1, if Supplier is requested by the Customer to take on compliance activities which go beyond the activities that Supplier is required to do as a Data Processor under applicable Data Protection Laws, Supplier shall be entitled to its reasonable costs and the above shall be notified via the change control process set out in this Agreement.
16.3 Should changes to applicable Data Protection Laws, including the interpretation thereof, entail increased costs for Supplier or its Sub processors, Supplier may, subject to providing written notice to the Customer, increase the rates charged to the Customer to reflect the increased costs. The increase to the Customer should be fair and reasonable and should be proportional to what other similar Customers are being asked to pay.
17.1 Supplier reserves the right to transfer information (including Customer Data) to a third party in the event of a sale, merger, liquidation, receivership or transfer of all or substantially all of the assets of Supplier’s business provided that the third party agrees to adhere to Supplier’s terms relating to Personal Data and provided that the third party only uses Personal Data for the purposes for which it has been provided to Supplier. The Customer will be notified in the event of any such transfer.
Order of precedence
18.1 With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this Agreement shall prevail.
19.1 Should any provision of this Agreement be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
20.1 The parties to (i) this DPA hereby submit to the law of the State of Florida with respect to any disputes or claims howsoever arising under this Agreement, including disputes regarding its existence, validity or termination or the consequences of its nullity; and (ii) this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of Florida.