Effective Date: July 2, 2026
This Data Processing Addendum (“DPA”) forms part of any agreement between the Manatee Chamber of Commerce (“Chamber,” “Controller,” “we,” “our,” or “us”) and any vendor, service provider, contractor, or other organization (“Processor”) that processes Personal Data on behalf of the Chamber.
The purpose of this DPA is to establish the responsibilities and obligations of each party regarding the processing of Personal Data in accordance with applicable privacy and data protection laws.
- Definitions
For purposes of this DPA:
- Personal Data means any information relating to an identified or identifiable individual.
- Processing means any operation performed on Personal Data, including collecting, storing, using, transmitting, modifying, deleting, or otherwise handling such data.
- Controller means the entity that determines the purposes and means of processing Personal Data.
- Processor means the entity that processes Personal Data on behalf of the Controller.
- Applicable Privacy Laws include all laws governing the processing of Personal Data that apply to the parties, including applicable U.S. state privacy laws and, where applicable, the General Data Protection Regulation (GDPR), the UK GDPR, and other relevant data protection laws.
- Scope
This DPA applies whenever the Processor receives, stores, accesses, transmits, or otherwise processes Personal Data on behalf of the Manatee Chamber of Commerce in connection with providing services.
Examples of Personal Data may include:
- Member information
- Business contact information
- Event registrations
- Newsletter subscriptions
- Donation records
- Employment applications
- Volunteer information
- Payment-related information (excluding full payment card data processed directly by PCI-compliant payment processors)
- Processing Instructions
The Processor shall process Personal Data only:
- On documented instructions from the Chamber;
- For the purposes described in the applicable service agreement;
- In accordance with applicable law; and
- Using appropriate safeguards to protect Personal Data.
The Processor shall not sell, rent, disclose, or use Personal Data for its own marketing or commercial purposes unless expressly authorized in writing.
- Confidentiality
The Processor shall ensure that all personnel authorized to process Personal Data:
- Are subject to appropriate confidentiality obligations;
- Receive appropriate privacy and security training; and
- Access Personal Data only as necessary to perform their duties.
- Information Security
The Processor shall maintain reasonable administrative, technical, and physical safeguards appropriate to the nature of the Personal Data processed, including:
- Access controls
- Strong authentication measures
- Encryption of Personal Data during transmission where appropriate
- Secure storage practices
- Malware protection
- System monitoring
- Backup and disaster recovery procedures
- Regular security updates and patch management
- Subprocessors
The Processor shall not engage a subprocessor that will process Personal Data without maintaining appropriate contractual protections.
The Processor remains responsible for the acts and omissions of its subprocessors with respect to Personal Data processed under this DPA.
- Assistance with Data Subject Requests
Where applicable, the Processor shall reasonably assist the Chamber in responding to requests relating to:
- Access to Personal Data
- Correction of inaccurate information
- Deletion requests
- Data portability requests
- Processing objections
- Other rights available under applicable privacy laws
- Security Incidents
The Processor shall notify the Chamber without undue delay after becoming aware of a confirmed Security Incident involving Personal Data processed under this DPA.
Such notification should include, where reasonably available:
- Nature of the incident
- Categories of affected data
- Estimated number of affected individuals
- Likely consequences
- Mitigation measures taken
- Recommended actions, if any
- International Data Transfers
If Personal Data is transferred across national borders, the Processor shall implement appropriate safeguards required under applicable law, including approved contractual mechanisms where applicable.
- Data Retention and Deletion
Upon termination of services or upon written request, the Processor shall, unless otherwise required by law:
- Return Personal Data to the Chamber; or
- Securely delete or destroy Personal Data and certify such deletion upon request.
Reasonable backup retention periods may apply where required for disaster recovery or legal compliance.
- Audit Rights
Upon reasonable written notice, the Chamber may request information demonstrating the Processor’s compliance with this DPA, including relevant security certifications, audit reports, or other appropriate documentation, subject to confidentiality obligations.
- Compliance with Law
The Processor shall comply with all applicable privacy, security, and data protection laws governing the processing of Personal Data under this DPA.
- Limitation
Nothing in this DPA shall require either party to violate applicable law or disclose confidential security information that would materially increase security risks.
- Order of Precedence
If there is any conflict between this DPA and the applicable services agreement regarding the processing of Personal Data, the terms of this DPA shall govern to the extent of that conflict.
- Amendments
The Chamber may update this DPA from time to time to reflect changes in applicable law, regulatory guidance, or operational practices. Updated versions will become effective upon publication or as otherwise agreed by the parties.
- Contact Information
Questions regarding this Data Processing Addendum may be directed to:
Manatee Chamber of Commerce
222 10th Street West
Bradenton, FL 34205
Phone: (941) 748-3411
Website: https://www.manateechamber.com/