
Data Processing Addendum - Comprehensive (Florida)


DATA PROCESSING ADDENDUM -- COMPREHENSIVE (FLORIDA)

DPA Effective Date: [__/__/____]

DPA Number: [________________________________]


PARTIES

Controller / Customer ("Controller"):

Field | Details
Legal Name | [________________________________]
Address | [________________________________]
Privacy Contact | [________________________________]
Contact Email | [________________________________]

Processor / Provider ("Processor"):

Field | Details
Legal Name | [________________________________]
Address | [________________________________]
Privacy Contact | [________________________________]
Contact Email | [________________________________]

RECITALS

WHEREAS, Controller and Processor have entered into the Master Agreement dated [__/__/____];

WHEREAS, the Services require Processor to process Personal Data on behalf of Controller;

WHEREAS, the Florida Digital Bill of Rights (FDBR, Fla. Stat. §§ 501.701-501.722), effective July 1, 2024, establishes controller-processor obligations for covered entities;

WHEREAS, the Florida Information Protection Act (FIPA, Fla. Stat. § 501.171) requires reasonable security measures and imposes a thirty (30) day breach notification deadline; and

NOW, THEREFORE, the Parties agree as follows:


TABLE OF CONTENTS

  1. Reference to Master Agreement and Order of Precedence
  2. Definitions
  3. Scope of Processing
  4. Processor Obligations
  5. Controller Instructions
  6. Sub-processor Management
  7. Data Subject / Consumer Rights
  8. International Data Transfers
  9. Data Security Measures
  10. Data Breach Notification
  11. Data Protection Impact Assessment Assistance
  12. Audit Rights
  13. Return and Deletion of Data
  14. Liability and Indemnification
  15. Florida-Specific Provisions
  16. General Provisions
  17. Signatures
  18. Annex I -- Processing Details
  19. Annex II -- Technical and Organizational Security Measures
  20. Annex III -- Approved Sub-processor List
  21. Annex IV -- Standard Contractual Clauses Reference

1. REFERENCE TO MASTER AGREEMENT AND ORDER OF PRECEDENCE

1.1 This DPA supplements the Master Agreement dated [__/__/____].

1.2 On data protection matters, this DPA prevails. Otherwise, the Master Agreement controls.

1.3 This DPA remains in effect through the Master Agreement term and for as long as Processor retains Personal Data.


2. DEFINITIONS

2.1 "Applicable Data Protection Law" means all laws relating to data protection applicable to the processing, including the FDBR, FIPA, GDPR (where applicable), CCPA/CPRA (where applicable), and other applicable laws.

2.2 "Consumer" means, under the FDBR (Fla. Stat. § 501.702(5)), a Florida resident acting in an individual or household context, excluding commercial or employment contexts.

2.3 "Controller" means, under the FDBR (Fla. Stat. § 501.702(7)), a person that, alone or jointly with others, determines the purpose and means of processing Personal Data. In this DPA, Controller refers to Customer.

2.4 "Data Subject" means a Consumer or other identifiable natural person whose Personal Data is processed.

2.5 "Personal Data" means information that is linked or reasonably linkable to an identified or identifiable individual, consistent with the FDBR (Fla. Stat. § 501.702(17)). Under FIPA, this also includes "Personal Information" as defined in Fla. Stat. § 501.171(1)(g).

2.6 "Personal Data Breach" means unauthorized access of data in electronic form containing Personal Information (FIPA definition), or a breach of security leading to unauthorized access or disclosure of Personal Data.

2.7 "Processing" means any operation performed on Personal Data, consistent with Fla. Stat. § 501.702(19).

2.8 "Processor" means, under the FDBR (Fla. Stat. § 501.702(20)), a person that processes Personal Data on behalf of a Controller. In this DPA, Processor refers to Provider.

2.9 "Sensitive Data" means, under the FDBR (Fla. Stat. § 501.702(24)), Personal Data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, Personal Data of a known child, or precise geolocation data.

2.10 "Sub-processor" means any third party engaged by Processor to process Personal Data.


3. SCOPE OF PROCESSING

3.1 Processing Details.

Element | Description
Subject Matter and Purpose | [________________________________]
Duration of Processing | Master Agreement term plus [____] days
Nature of Processing | [________________________________]
Categories of Data Subjects | [________________________________]
Types of Personal Data | [________________________________]
Sensitive Data (if applicable) | [________________________________]

3.2 Categories of Data Subjects.

☐ Employees and contractors of Controller
☐ Customers and clients (including Florida Consumers)
☐ End users
☐ Job applicants
☐ Business contacts
☐ Minors (under 18 / known children)
☐ Other: [________________________________]

3.3 Types of Personal Data.

☐ Name and contact information
☐ Government identifiers (SSN, driver's license)
☐ Financial information
☐ Employment information
☐ Device identifiers and IP addresses
☐ Geolocation data (including precise geolocation)
☐ Browsing history and online activity
☐ Biometric data
☐ Health or medical information
☐ User credentials
☐ Other: [________________________________]

3.4 Sensitive Data. Processing of Sensitive Data requires Controller's express consent pursuant to Fla. Stat. § 501.711(3), with enhanced safeguards including encryption, strict access controls, and enhanced logging.


4. PROCESSOR OBLIGATIONS

4.1 Process Personal Data only on documented instructions from Controller.

4.2 FDBR Processor Obligations (Fla. Stat. § 501.714). Processor shall:

  • (a) Ensure each person processing Personal Data is subject to a duty of confidentiality;
  • (b) At Controller's direction, delete or return all Personal Data to the Controller;
  • (c) Make available to Controller all information necessary to demonstrate compliance with FDBR obligations;
  • (d) Allow for and contribute to reasonable assessments by Controller or Controller's designated assessor; and
  • (e) Engage any Sub-processor pursuant to a written contract requiring the Sub-processor to meet Processor's obligations with respect to the Personal Data.

4.3 Maintain records of processing as required by law.

4.4 Not sell, share, or use Personal Data outside the scope of the Services.

4.5 Not combine Personal Data with other sources except as necessary for the Services.


5. CONTROLLER INSTRUCTIONS

5.1 Processor shall process only on documented instructions. Processor shall notify Controller if an instruction infringes Applicable Data Protection Law.

5.2 Additional instructions must be consistent with the Master Agreement and this DPA.


6. SUB-PROCESSOR MANAGEMENT

6.1 Controller provides [general / specific] authorization.

6.2 Current list in Annex III.

6.3 At least [____] days (30 recommended) prior notice for new Sub-processors.

6.4 Objection rights within the notice period. If unresolved in [____] days, Controller may terminate affected Services.

6.5 Written Sub-processor agreements with equivalent obligations (Fla. Stat. § 501.714(2)(e)).

6.6 Processor fully liable for Sub-processors.


7. DATA SUBJECT / CONSUMER RIGHTS

7.1 FDBR Consumer Rights (Fla. Stat. § 501.708). Processor shall assist Controller in responding to authenticated consumer requests, including:

☐ Right to Confirm Processing and Access Personal Data (Fla. Stat. § 501.708(1)(a))
☐ Right to Correct Inaccuracies (Fla. Stat. § 501.708(1)(b))
☐ Right to Delete Personal Data (Fla. Stat. § 501.708(1)(c))
☐ Right to Data Portability (Fla. Stat. § 501.708(1)(d))
☐ Right to Opt Out of Targeted Advertising (Fla. Stat. § 501.708(1)(e)(1))
☐ Right to Opt Out of Sale of Personal Data (Fla. Stat. § 501.708(1)(e)(2))
☐ Right to Opt Out of Profiling (Fla. Stat. § 501.708(1)(e)(3))
☐ Right of Access (GDPR Art. 15, where applicable)
☐ Right to Rectification (GDPR Art. 16, where applicable)
☐ Right to Erasure (GDPR Art. 17, where applicable)
☐ Right to Data Portability (GDPR Art. 20, where applicable)

7.2 Response Timeline. Controller must respond to consumer requests within forty-five (45) days (Fla. Stat. § 501.709(1)), extendable by forty-five (45) additional days when reasonably necessary. Processor shall assist within timeframes enabling Controller's compliance.

7.3 If Processor receives a request directly, it shall notify Controller and not respond without authorization unless required by law.


8. INTERNATIONAL DATA TRANSFERS

8.1 If GDPR applies, transfers outside the EEA/UK require appropriate safeguards.

8.2 Standard Contractual Clauses.

☐ Module 2: Controller to Processor
☐ Module 3: Processor to Processor

Completed per Annex IV.

8.3 UK Transfers.

☐ UK Addendum to EU SCCs
☐ UK IDTA

8.4 Transfer Impact Assessments where required.


9. DATA SECURITY MEASURES

9.1 FIPA Security Obligation. Pursuant to Fla. Stat. § 501.171(2), Processor shall take reasonable measures to protect and secure data in electronic form containing Personal Information.

9.2 Minimum Measures. As detailed in Annex II:

  • (a) Encryption in transit (TLS 1.2+) and at rest (AES-256);
  • (b) Multi-factor authentication for administrative access;
  • (c) Role-based access controls and least privilege;
  • (d) Network security (firewalls, IDS/IPS, segmentation);
  • (e) Vulnerability management and penetration testing;
  • (f) Security awareness training;
  • (g) Physical security controls;
  • (h) Business continuity and disaster recovery;
  • (i) Logging and monitoring (SIEM); and
  • (j) Documented incident response plan.

9.3 Updates permitted without materially diminishing security.


10. DATA BREACH NOTIFICATION

10.1 Notification to Controller. Processor shall notify Controller without undue delay and no later than [____] hours (48 recommended) after becoming aware of a breach.

10.2 FIPA Breach Notification (Fla. Stat. § 501.171).

(a) Third-Party Agent (Fla. Stat. § 501.171(3)). When Processor maintains, stores, or processes Personal Information on behalf of Controller, Processor shall notify Controller within ten (10) days of discovering a breach.

(b) Individual Notification (Fla. Stat. § 501.171(4)). Controller must notify affected Florida residents as expeditiously as practicable but no later than thirty (30) days after determination of the breach. Provider shall enable Customer to meet this timeline.

(c) Attorney General (Fla. Stat. § 501.171(3)). If five hundred (500) or more Florida individuals are affected, Controller must notify the Florida Department of Legal Affairs within thirty (30) days.

(d) Consumer Reporting Agencies. If one thousand (1,000) or more individuals are affected, notice to nationwide consumer credit reporting agencies.

(e) Notification Content. The notice must include the date or estimated date range, description of Personal Information involved, and contact information.

(f) Law Enforcement Delay. Notification may be delayed at law enforcement request.

(g) Civil Penalties (Fla. Stat. § 501.171(9)-(10)). FIPA violations are FDUTPA violations. Penalties: $1,000/day for first 30 days; $50,000 per subsequent 30-day period; up to $500,000 total.

(h) Data Disposal (Fla. Stat. § 501.171(8)). Processor shall securely dispose of records containing Personal Information when no longer needed.

10.3 Post-Incident Report. Written report within [____] business days (15 recommended).


11. DATA PROTECTION IMPACT ASSESSMENT ASSISTANCE

11.1 Processor shall assist Controller in conducting DPIAs and data protection assessments under FDBR (Fla. Stat. § 501.715) and other applicable laws.

11.2 FDBR Assessment Requirements. Controller must conduct data protection assessments for processing that presents a heightened risk of harm, including: (a) targeted advertising; (b) sale of Personal Data; (c) profiling presenting reasonably foreseeable risk; (d) processing Sensitive Data; and (e) processing Personal Data of known children. Processor shall cooperate with such assessments.


12. AUDIT RIGHTS

12.1 Processor shall make information available and allow audits (Fla. Stat. § 501.714(2)(d)).

12.2 Up to [____] time(s) per year with [____] business days' notice.

12.3 Third-party reports (SOC 2, ISO 27001) may be accepted.

12.4 Costs per Party unless material non-compliance found.

12.5 Cooperation with regulatory audits (Florida Attorney General / Department of Legal Affairs).


13. RETURN AND DELETION OF DATA

13.1 At Controller's election: return within [____] days (30 recommended) or deletion (Fla. Stat. § 501.714(2)(b)).

13.2 Deletion per NIST SP 800-88 and Fla. Stat. § 501.171(8); backups within [____] days (90 recommended).

13.3 Written certification of deletion.

13.4 Legal retention exception with notice.


14. LIABILITY AND INDEMNIFICATION

14.1 Subject to Master Agreement limitations.

14.2 Processor indemnifies Controller against claims from Processor's breach, law violations, or data breaches caused by Processor.

14.3 Potential carve-outs: breach of security/confidentiality, processing restrictions, regulatory penalties.


15. FLORIDA-SPECIFIC PROVISIONS

15.1 FDBR Applicability. The FDBR applies to controllers that: (a) conduct business in Florida or produce products or services consumed by Florida residents; (b) process Personal Data (or have it processed on their behalf); and (c) have annual global revenues exceeding $1 billion AND meet specified criteria (50%+ revenue from digital ads, operate app store with 250,000+ apps, or operate smart-speaker/voice-command service). The Parties shall indicate applicability:

☐ Controller meets FDBR applicability thresholds
☐ Controller does not meet FDBR applicability thresholds (FDBR provisions included as best practices)

15.2 Controller FDBR Obligations. Where FDBR applies, Controller shall:

  • (a) Limit processing to what is adequate, relevant, and reasonably necessary (Fla. Stat. § 501.710(1));
  • (b) Provide a clear and accessible privacy notice (Fla. Stat. § 501.710(2));
  • (c) Maintain technical and physical measures to protect data integrity and confidentiality; and
  • (d) Obtain consent before processing Sensitive Data (Fla. Stat. § 501.711(3)).

15.3 Processor FDBR Contract Requirements (Fla. Stat. § 501.714). This DPA satisfies the written contract requirement between Controller and Processor under the FDBR by establishing: (a) processing instructions; (b) confidentiality obligations; (c) deletion/return obligations; (d) compliance demonstration; (e) assessment cooperation; and (f) Sub-processor flow-down.

15.4 Children's Data. If Personal Data of known children (under 18) is processed, Provider shall implement additional safeguards consistent with Fla. Stat. § 501.711(4) and applicable federal law (COPPA, 15 U.S.C. § 6501 et seq.).

15.5 No Private Right of Action. The FDBR does not create a private right of action. Enforcement authority rests exclusively with the Florida Attorney General acting through the Department of Legal Affairs (Fla. Stat. § 501.720).

15.6 Cure Period. Under Fla. Stat. § 501.720(2), before bringing an enforcement action, the Department of Legal Affairs must provide written notice of the alleged violation and allow forty-five (45) days to cure.

15.7 Governing Law. This DPA is governed by Florida law without conflict-of-laws principles.

15.8 Forum. Disputes in state or federal courts in [________________________________] County, Florida.

15.9 Jury Waiver. THE PARTIES WAIVE TRIAL BY JURY TO THE FULLEST EXTENT PERMITTED BY FLORIDA LAW.


16. GENERAL PROVISIONS

16.1 Entire agreement with Master Agreement on data processing.

16.2 Amendments by written instrument.

16.3 Severability.

16.4 Survival of Sections 2, 10, 12, 13, 14, and 15.


17. SIGNATURES

CONTROLLER / CUSTOMER:

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]

PROCESSOR / PROVIDER:

Signature: [________________________________]

Printed Name: [________________________________]

Title: [________________________________]

Date: [__/__/____]


ANNEX I -- PROCESSING DETAILS

Element | Description
Data Exporter (Controller) | [________________________________]
Data Importer (Processor) | [________________________________]
Categories of Data Subjects | [________________________________]
Categories of Personal Data | [________________________________]
Sensitive Data | [________________________________]
Frequency of Transfer | [________________________________]
Nature of Processing | [________________________________]
Purpose of Processing | [________________________________]
Retention Period | [________________________________]

ANNEX II -- TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

A. Access Control

  • Multi-factor authentication: ☐ Yes ☐ No
  • Role-based access control: ☐ Yes ☐ No
  • Least-privilege: ☐ Yes ☐ No
  • Access reviews: ☐ Yes ☐ No (Frequency: [________________________________])

B. Encryption

  • In transit (TLS): [________________________________]
  • At rest (algorithm): [________________________________]
  • Key management: ☐ KMS ☐ HSM ☐ Other: [________________________________]

C. Network Security

  • Firewall: ☐ Yes ☐ No
  • IDS/IPS: ☐ Yes ☐ No
  • Segmentation: ☐ Yes ☐ No
  • DDoS protection: ☐ Yes ☐ No

D. Vulnerability Management

  • Scanning frequency: [________________________________]
  • Penetration testing: [________________________________]
  • Patch management: ☐ Yes ☐ No

E. Logging and Monitoring

  • SIEM: ☐ Yes ☐ No
  • Retention: [________________________________]
  • 24/7 monitoring: ☐ Yes ☐ No

F. Physical Security

  • Access: ☐ Badge ☐ Biometric ☐ Both
  • Video: ☐ Yes ☐ No
  • Environmental controls: ☐ Yes ☐ No

G. Business Continuity

  • RPO: [________________________________] | RTO: [________________________________]
  • Backup encryption: ☐ Yes ☐ No
  • DR testing: [________________________________]

H. Personnel

  • Background checks: ☐ Yes ☐ No
  • Confidentiality: ☐ Yes ☐ No
  • Training: [________________________________]

ANNEX III -- APPROVED SUB-PROCESSOR LIST

Name | Location | Services | Data Types | Approved
[________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____]
[________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____]
[________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____]

ANNEX IV -- STANDARD CONTRACTUAL CLAUSES REFERENCE

SCC Module: ☐ Module 2 ☐ Module 3

UK Transfer: ☐ UK Addendum ☐ UK IDTA

Completed SCCs attached separately.


IMPLEMENTATION CHECKLIST

☐ Master Agreement referenced
☐ FDBR applicability assessed (Section 15.1)
☐ Processing details completed (Annex I)
☐ Data Subject types and data categories selected
☐ Consumer rights identified (Section 7.1)
☐ Sub-processor list completed (Annex III)
☐ Security measures documented (Annex II)
☐ FIPA 10-day third-party agent deadline reviewed (Section 10.2(a))
☐ FIPA 30-day individual notice deadline reviewed (Section 10.2(b))
☐ FIPA civil penalties reviewed (Section 10.2(g))
☐ FDBR processor obligations confirmed (Section 4.2)
☐ Data return/deletion timelines agreed (Section 13)
☐ Children's data provisions reviewed if applicable (Section 15.4)
☐ All bracketed fields completed
☐ Reviewed by attorney licensed in Florida
☐ Signed by authorized representatives


SOURCES AND REFERENCES

  • Florida Digital Bill of Rights, Fla. Stat. §§ 501.701-501.722 -- https://www.flsenate.gov/
  • Florida Information Protection Act, Fla. Stat. § 501.171 -- https://www.leg.state.fl.us/statutes/index.cfm?App_mode=Display_Statute&URL=0500-0599/0501/Sections/0501.171.html
  • GDPR Article 28 -- https://gdpr-info.eu/art-28-gdpr/
  • EU SCCs (Decision 2021/914) -- https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
  • NIST SP 800-88 -- https://csrc.nist.gov/pubs/sp/800/88/r1/final

About This Template

A contract is a written record of what two or more parties agreed to and what happens if someone does not follow through. Clear language, defined terms, and clean signature blocks keep disputes small and enforceable. The most common mistakes in contracts come from vague promises, missing details about timing or payment, and skipping standard protective clauses like governing law and dispute resolution.

Important Notice

This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.

Last updated: April 2026