DPA Short Form Transfer Addendum - Texas (Operational Compliance)

DPA SHORT FORM TRANSFER ADDENDUM -- TEXAS

Operational Compliance Format -- Article Numbering

Addendum Effective Date: [__/__/____]

Reference Agreement: [________________________________] dated [__/__/____] (the "Agreement")

Transferor (Controller): [________________________________] ("Transferor")

Transferee (Processor): [________________________________] ("Transferee")

This Addendum establishes the operational compliance framework for transfers of Personal Data involving Texas consumers under the TDPSA (effective July 1, 2024) and the Texas Identity Theft Enforcement and Protection Act.

ARTICLE I: DEFINITIONS

1.1 "Personal Data" -- Tex. Bus. & Com. Code 541.001(23); information linked or reasonably linkable to an identified or identifiable individual.

1.2 "Sensitive Data" -- Tex. Bus. & Com. Code 541.001(29); racial/ethnic origin, religious beliefs, health diagnosis, sexual orientation, citizenship/immigration status, genetic data, biometric data, children's data (under 13), precise geolocation.

1.3 "Controller" -- Tex. Bus. & Com. Code 541.001(7).

1.4 "Processor" -- Tex. Bus. & Com. Code 541.001(24).

1.5 "Sale" -- Tex. Bus. & Com. Code 541.001(28); exchange for monetary consideration.

1.6 "Targeted Advertising" -- Tex. Bus. & Com. Code 541.001(31).

1.7 "Profiling" -- Tex. Bus. & Com. Code 541.001(26).

1.8 "De-Identified Data" -- Tex. Bus. & Com. Code 541.001(10).

1.9 "Consent" -- Tex. Bus. & Com. Code 541.001(6); clear affirmative act.

1.10 "Data Breach" -- Unauthorized acquisition of sensitive personal information per Tex. Bus. & Com. Code 521.002.

ARTICLE II: OPERATIONAL SCOPE

2.1 Transfer Type: ☐ Controller-to-Processor ☐ Controller-to-Controller ☐ Processor-to-Sub-Processor

2.2 Pre-Transfer Compliance Checklist:

☐ Written contract executed (this Addendum; Tex. Bus. & Com. Code 541.054)
☐ Processing instructions documented
☐ Privacy notice published per 541.051
☐ Sensitive Data consent obtained (if applicable)
☐ Data protection assessment completed (where required; 541.058)
☐ Universal opt-out mechanism enabled (effective Jan. 1, 2025)
☐ Data inventory completed (Exhibit C)
☐ Technical measures verified (Exhibit B)
☐ Subprocessor list reviewed
☐ Consumer rights response workflow established
☐ Breach notification plan documented

2.3 Purpose: [________________________________]

2.4 Personal Data Categories Checklist:

☐ Names and identifiers ☐ Email addresses ☐ Phone numbers
☐ Physical addresses ☐ Online identifiers (IP, device IDs, cookies)
☐ Commercial records ☐ Financial data ☐ Employment data
☐ Geolocation ☐ Internet activity ☐ Biometric data
☐ Health information ☐ Education records ☐ Inferences/profiles
☐ Sensitive Data (complete Article IV checklist)

2.5 Consumer Categories: ☐ Customers ☐ Employees ☐ Applicants ☐ End Users ☐ Business Contacts ☐ Children under 13 ☐ Other: [________________________________]

2.6 Duration: Agreement term plus [____] day wind-down.

ARTICLE III: COMPLIANCE FRAMEWORK

3.1 TDPSA Statutory Contract Matrix (Tex. Bus. & Com. Code 541.054):

3.2 Legal Basis:

☐ Consent ☐ Contractual necessity ☐ Legal obligation ☐ Vital interests ☐ Legitimate interests

3.3 Sensitive Data Consent: ☐ Required and obtained ☐ Not applicable

3.4 International Transfer: ☐ DPF ☐ SCCs Module [____] ☐ UK Addendum ☐ N/A

ARTICLE IV: DATA CLASSIFICATION

4.1 Standard Data Inventory:

4.2 Sensitive Data Checklist (541.001(29)):

4.3 Identity Theft Act Data (521.002):

ARTICLE V: TRANSFEROR OPERATIONAL OBLIGATIONS

5.1 Privacy Notice Checklist (541.051):

☐ Categories of Personal Data disclosed
☐ Processing purposes disclosed
☐ Consumer rights and exercise methods disclosed
☐ Categories of third-party recipients disclosed
☐ Sale and Targeted Advertising opt-out described
☐ Contact information provided

5.2 Data Minimization. Only data adequate, relevant, and reasonably necessary (541.052(a)).

5.3 Purpose Limitation. No Processing for incompatible purposes (541.052(b)).

5.4 Opt-Out Forwarding. Notify Transferee within [____] business days of any opt-out, deletion, or correction request.

5.5 DPA Tracking:

5.6 Monitoring Schedule:

ARTICLE VI: TRANSFEREE OPERATIONAL OBLIGATIONS

6.1 Required Actions Checklist:

☐ Process only per Transferor's documented instructions
☐ Maintain confidentiality of Personal Data
☐ Implement appropriate technical and organizational measures
☐ Assist with Consumer rights requests
☐ Cooperate with data protection assessments
☐ Comply with breach notification requirements
☐ Delete or return data upon termination
☐ Make compliance information available
☐ Allow and cooperate with assessments

6.2 Prohibited Actions Checklist:

☐ The Transferee shall NOT Sell Personal Data
☐ The Transferee shall NOT Process for Targeted Advertising without authorization
☐ The Transferee shall NOT Profile Consumers without authorization
☐ The Transferee shall NOT Process for unauthorized purposes
☐ The Transferee shall NOT combine data from other sources without direction

6.3 Confidentiality. All personnel with data access bound by confidentiality obligations (541.054(b)(1)).

6.4 De-Identification. Where de-identifying, Transferee shall: take reasonable measures to ensure data cannot be associated with an individual; publicly commit to maintaining de-identified form; not attempt re-identification.

6.5 Inability to Comply. Promptly notify Transferor. Transferor may suspend Transfer and/or terminate.

ARTICLE VII: TECHNICAL MEASURES

7.1 Security Controls Status:

7.2 Enhanced Sensitive Data Measures. If Sensitive Data processed: field-level encryption; tokenization in non-prod; real-time alerts; segregated storage; annual PIA.

7.3 Data Disposal (521.052). Sensitive personal information disposed of using shredding, erasing, or other methods rendering data unreadable or undecipherable.

ARTICLE VIII: CONSUMER RIGHTS OPERATIONS

8.1 Rights Response Workflow:

8.2 Rights Coverage Matrix:

8.3 Universal Opt-Out. GPC and equivalent signals honored (541.055(e), effective Jan. 1, 2025).

8.4 Non-Discrimination. No adverse treatment for exercising rights (541.056).

ARTICLE IX: SUBPROCESSOR MANAGEMENT

9.1 Authorization: ☐ Specific ☐ General (with [____] days' notice)

9.2 Subprocessor Tracker:

9.3 Flow-Down Checklist:

☐ Processing limited to documented instructions
☐ Confidentiality obligations
☐ Technical/organizational measures
☐ Consumer rights cooperation
☐ Breach notification
☐ Audit rights
☐ Deletion/return on termination
☐ No Sale/Targeted Advertising without authorization

9.4 Liability. Transferee fully liable (541.054(d)).

ARTICLE X: DATA BREACH RESPONSE

10.1 Response Timeline:

10.2 Breach Response Checklist:

☐ Breach contained
☐ Transferor notified within required timeframe
☐ Scope identified (number of Consumers, data categories)
☐ Sensitive personal information involvement assessed
☐ Law enforcement notification evaluated
☐ Consumer notification drafted (per 521.053)
☐ AG notification prepared (if 250+ TX residents, within 30 days)
☐ Credit monitoring arranged (if applicable)
☐ Root cause analysis initiated
☐ Remediation plan developed

10.3 Penalties. Late notification: up to $100/day/individual (521.151). TDPSA violations: up to $7,500/violation (541.155). AG 30-day cure opportunity before enforcement (541.154).

10.4 Indemnification. Transferee indemnifies for breach-related costs attributable to its security failures.

ARTICLE XI: DATA RETENTION AND DELETION

11.1 Retention Schedule:

11.2 Deletion Checklist:

☐ Return/deletion election received
☐ Primary data purged
☐ Backup deletion scheduled (within [____] months)
☐ Subprocessors notified
☐ Certification prepared and delivered (within [____] days)
☐ 521.052 disposal methods applied

11.3 Legal Hold. Permitted if required by law; Transferor notified; minimum data; protections continue.

ARTICLE XII: AUDIT AND MONITORING

12.1 Information Availability (541.054(b)(3)). All compliance information available upon request.

12.2 Assessment Cooperation (541.054(b)(4)). Reasonable assessments by Transferor or designated assessor.

12.3 Monitoring Schedule:

12.4 Evidence. SOC 2 Type II; ISO 27001; pen test summary; SIG/CAIQ; PIA docs; training records.

12.5 On-Site. [____] per year; [____] days' notice; NDA; Transferor bears cost unless non-compliance.

12.6 AG Cooperation. Transferee cooperates with Texas AG investigations.

12.7 Remediation. [____] days to remediate; evidence provided.

ARTICLE XIII: CROSS-BORDER PROVISIONS

13.1 Interstate. TDPSA applies to TX Consumer data regardless of Processing location.

13.2 International. Transfer mechanisms per Article III, Section 3.4.

13.3 Location: ☐ US only ☐ US + EEA/UK ☐ Specific: [________________________________] ☐ No restriction

13.4 Relocation Notice. [____] days prior.

ARTICLE XIV: LIABILITY

14.1 Mutual indemnification for Addendum breaches.

14.2 Transferee Indemnification: AG fines (up to $7,500/violation); notification penalties ($100/day/individual); breach costs; investigation costs.

14.3 Enforcement. AG only; no private right of action under TDPSA. DTPA may provide indirect claims. AG 30-day cure period (541.154).

14.4 Cap. Agreement cap applies except for unauthorized Sale, willful misconduct, notification failures.

ARTICLE XV: TERM AND TERMINATION

15.1 Term. Coterminous with Agreement.
15.2 Cure Period. [____] days.
15.3 Survival. Articles I, VI, VII, VIII, X, XI, XII, XIV survive.

ARTICLE XVI: EXECUTION

TRANSFEROR (CONTROLLER):

Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Organization: [________________________________]
Date: [__/__/____]

TRANSFEREE (PROCESSOR):

Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Organization: [________________________________]
Date: [__/__/____]

EXHIBIT A: RISK ASSESSMENT

Overall: ☐ Proceed ☐ Proceed with measures ☐ Do not proceed

EXHIBIT B: TECHNICAL MEASURES

EXHIBIT C: DATA INVENTORY AND SUBPROCESSORS

SOURCES AND REFERENCES

• TDPSA -- Texas Attorney General
• Texas State Law Library
• Tex. Bus. & Com. Code Ch. 521 -- Identity Theft Act
• TDPSA.org -- 2025 Opt-Out Requirements
• Osano TDPSA Guide